CVE-2018-6546 2018-04-12T17:24:52+00:00

SUMMARY

The following vulnerability was found in Plays.tv 1.27.5.0

The “plays_service.exe” Windows service allows for the unauthenticated execution of a user provided path at SYSTEM privilege. An HTTP message with the “execute_installer” parameter does not securely authenticate the user before executing the provided path. The vulnerability could allow for privilege escalation on the current system or remote compromise on an internal network by executing a file over SMB. The vulnerable plays.tv software was previously included in AMD’s driver installation packages and is still distributed with its legacy products as part of its Gaming Evolved program.

IMPACT

Access Vector:    REMOTE
Access Complexity:   LOW
Authentication:    NOT REQUIRED TO EXPLOIT
Impact Type:   FILE EXECUTION
Privilege Level:   SYSTEM

AFFECTED PRODUCTS

SOFTWARE FIXES

  • Please update to Plays.tv 1.27.7.0 to remedy the vulnerability.

TIMELINE

REFERENCES