Advisory Details

June 18th, 2024

(0Day) Poly Plantronics Hub Link Following Local Privilege Escalation Vulnerability

ZDI-24-802
ZDI-CAN-18271

CVE ID CVE-2024-6147
CVSS SCORE 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS Poly
AFFECTED PRODUCTS Plantronics Hub
VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Poly Plantronics Hub. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Spokes Update Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

ADDITIONAL DETAILS

08/10/22 – ZDI reported the vulnerability to the vendor.

12/15/23 – ZDI asked for an update.

06/17/24 – ZDI attempted to contact the vendor once more using the PSIRT contact information on their website, as well as trying to reach them via support channels with no response.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2022-08-10 - Vulnerability reported to vendor
  • 2024-06-18 - Coordinated public release of advisory
  • 2024-07-01 - Advisory Updated
CREDIT Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative
BACK TO ADVISORIES