Data Security Incident - Jan.23.2020
Notice Date | January 23rd 2020 |
Incident Type | Personally Identifiable Information Disclosure |
Affected Users Notified | Yes, via email. |
Impact | Low |
Dear EV Reach User,
We value your business and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that involves your personal information.
On January 12th, we were notified that a file containing a list of about 500 user IDs and encrypted passwords was being distributed through the public internet. The data accessed included the user login ID, the user email and the user’s password in encrypted format. The login data exposed DOES NOT PROVIDE ACCESS TO ANY OF THE EV Reach SERVICES.
Upon investigation, we determined that these IDs/Passwords were those registered by users of our community blog, which is hosted by WordPress. These IDs/Passwords are registered when product features are requested or comments on articles are posted. These IDs/Passwords do not provide access to any of the EV Reach Services.
Please rest assured that the EV Reach IT Support Solution, being an On-Premise solution, is very secure. Access credentials and security information never leave our client’s private infrastructure. Our company does not store privileged account information that could be consumed by malicious actors to access your company’s systems.
Even though these passwords are encrypted, and the login IDs cannot be used to access remote systems via EV Reach, it’s possible for people to exploit this information. For this reason, we advise you to change your password on all other platforms that may have been configured with the same password.
Additionally, the email addresses may be used in phishing campaigns. Phishing is the practice of sending fraudulent communications to obtain sensitive information, such as credit card details and login credentials, by posing as a trustworthy organization or reputable person in an email communication. Phishing emails are very common and are easily recognizable to the aware eye. For examples of such emails, visit: https://www.phishing.org/phishing-examples .
EV Reach values your privacy and deeply regrets that this incident occurred. EV Reach is conducting a thorough review of all areas where our customers’ information may be exposed, and we are implementing security measures designed to prevent further occurrences of such security breaches.
The community login IDs that were breached and published are non-critical to the services that we provide. Consequently, we will be resetting their passwords or deleting them completely. These actions will trigger further email notifications warning you that your password was changed or your account removed. Please do not be alarmed by these notifications, as they are expected.
Note: The modification or removal of community login data will not affect the proper functioning of the EV Reach Services.
If you want further information and assistance, please contact our support department at +1 305 442 4788 between 9 a.m. and 6 p.m. EST, or visit our website.
Security Advisory GOVSA.2019.1028.2 - Symbolic Link Hack
Advisory ID | GOVSA.2019.1028.2 |
Vulnerability Type | CWE-65 Windows Hard Link (leads to Command Injections / Local Privilege Escalation) |
Issue Date | 2019-10-28 |
Updated On | 2019-10-28 (Initial Advisory) |
Application | EV Reach (Agent) |
Affected Versions | EV Reach Console v9.20 and earlier; EV Reach Client Agent v9.20.02 and earlier |
Severity | Medium |
Vulnerability Status | Update Released |
 | A vulnerability has been reported which allows a malicious actor to generate arbitrary files in any location within the local system, including within protected areas. This exploit can be used in conjunction with a DLL hijacking exploit and result in privilege escalation. |
Vulnerability Type | Remotely Exploitable | Impact |
Command Injection | No | Possible Local Code Execution |
Local Privilege Escalation | No | Possible Escalation from Standard User to Local Administrative Privileges |
This exploit is exposed by the EV Reach Agent process: GovAgentx64.exe and GovAgent.exe versions 9.20.02 and earlier.
These EV Reach Client Agents are distributed to remote machines via the EV Reach Console and EV Reach Server versions 9.20 and 3.20 and earlier respectively.
Product | Action |
EV Reach Console v9.20.XX and earlier | Update to v9.50 or later |
EV Reach Server v3.20.XX and earlier | Update to v3.50 or later |
EV Reach Client Agent v9.20.02 | Update to v9.20.50 or later |
For further information about this security advisory, or to send us a security alert, please contact security(@)goverlan.com.
Security Advisory GOVSA.2019.1028.1 - Untrusted Search Path
Advisory ID | GOVSA.2019.1028.1 |
Vulnerability Type | CWE-426 Untrusted Search Path (leads to Command Injections / Local Privilege Escalation) |
Issue Date | 2019-10-28 |
Updated On | 2019-10-28 (Initial Advisory) |
Application | EV Reach (Agent) |
Affected Versions | EV Reach Client Agent v9.20.02 and earlier; EV Reach Console v9.20 and earlier; EV Reach Server v3.20 and earlier |
Severity | High |
Vulnerability Status | Update Released |
 | A vulnerability has been reported which allows a malicious actor to elevate his/her local privilege on a Windows system equipped with the EV Reach Agents. This exploit uses DLL Hijacking, which allows a customized DLL to be run with elevated privileges by the EV Reach Agent GovAgentx64.exe. |
Vulnerability Type | Remotely Exploitable | Impact |
Command Injection | No | Possible Local Code Execution |
Local Privilege Escalation | No | Possible Escalation from Standard User to Local Administrative Privileges |
This exploit is exposed by the EV Reach Agent process: GovAgentx64.exe and GovAgent.exe versions 9.20.02 and earlier.
These EV Reach Client Agents are distributed to remote machines via the EV Reach Console and EV Reach Server versions 9.20 and 3.20 and earlier respectively.
Product | Action |
EV Reach Console v9.20.XX and earlier | Update to v9.50 or later |
EV Reach Server v3.20.XX and earlier | Update to v3.50 or later |
EV Reach Client Agent v9.20.02 | Update to v9.20.50 or later |
For further information about this security advisory, or to send us a security alert, please contact security(@)goverlan.com.
EV Reach would like to thank author PovlTekstTV for reporting this issue to us.
Security Advisory GOVSA.2022.0506.1 - Temporary disabling and enabling of the Windows Firewall during a remote EV Reach Agent update
Advisory ID | GOVSA.2022.0506.1 |
Vulnerability Type | CWE-1038 Insecure Automated Optimizations |
Issue Date | 2022-05-16 |
Updated On | 2022-05-06 (Initial Advisory) |
Application | EV Reach (Agent) |
Affected Versions | EV Reach Console v10.5.0 and earlier; EV Reach Client Agent v10.1.10 and earlier |
Severity | Medium |
Vulnerability Status | Update Released |
CVE Status | Submitted - CVE Record | CVE |
 | The Windows Firewall is temporarily turned off during an EV Reach agent update operation in EV Reach Management Console v10.5.0, EV Reach Server v3.70.0 and earlier versions, which allows remote attackers to bypass firewall blocking rules for a time period of up to 30 seconds. |
Vulnerability Type | Remotely exploitable | Impact |
Insecure Automated Optimizations | No | A remote system loses Windows Firewall protection for up to 30 seconds. |
This behavior can be detected by the presence of one Windows Event that is not accompanied by an EV Reach Audit Event. If both events are present, the action was performed using the EV Reach console's feature. If the Firewall Event ID 2003 is the only event present and the Modifying Application is GovAgent64.exe, then this vulnerability is present.
The Windows Event Viewer records Event ID 2003 when the Windows Firewall has been enabled or disabled.
The EV Reach Console allows an operator to disable the Windows Firewall if the operator has the appropriate Windows permissions to do so. When the Firewall is disabled via an administrative action, the endpoint Event Viewer will log Event ID 6549 with the details of the action listed in the event.
The EV Reach Agents are designed to monitor all configuration changes that are performed on a system by EV Reach Operators. All audits are contained in the Windows Event Viewer of the endpoint system. We recommend using a SIEM product at the endpoint to detect EV Reach related events. See EV Reach Auditing for more information.
This vulnerability is exposed by the EV Reach Agent process: GovAgentx64.exe and GovAgent.exe versions 10.1.10 and earlier.
These EV Reach Client Agents are distributed to remote machines via the EV Reach Console and EV Reach Server versions 10.5.0 and 3.70.0 and earlier respectively.
Product | Action |
EV Reach Console v10.5.0 and earlier | Update to v10.5.1 or later |
EV Reach Server v3.70.0 and earlier | Update to v3.70.1 or later |
EV Reach Client Agent v10.1.10 and earlier | Update to v10.1.11 or later |
For further information about this security advisory, or to send us a security alert, please contact security(@)goverlan.com.
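The detection rule from advisory GOVSA.2022.0506.1, as an added example (not EV Reach's own code): it flags Event ID 2003 records whose Modifying Application is the agent and that have no Event ID 6549 audit record on the same host. The record field names, the 60-second correlation window and the sample data are assumptions made for this illustration.

```python
from datetime import datetime

FIREWALL_CHANGE = 2003  # Windows Firewall enabled/disabled (per the advisory)
EV_REACH_AUDIT = 6549   # EV Reach audit event for an operator action (per the advisory)
# Agent image names as they appear on this page, lower-cased for comparison.
AGENT_IMAGES = {"govagent64.exe", "govagentx64.exe", "govagent.exe"}

def image_name(path):
    """Last path component of a Modifying Application value, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unaudited_firewall_changes(events, window_seconds=60):
    """Return 2003 events raised by the agent that have no 6549 audit event
    on the same host within window_seconds (an assumed correlation window)."""
    audits = {}
    for ev in events:
        if ev["id"] == EV_REACH_AUDIT:
            audits.setdefault(ev["host"].lower(), []).append(
                datetime.fromisoformat(ev["time"]))
    findings = []
    for ev in events:
        if ev["id"] != FIREWALL_CHANGE:
            continue
        if image_name(ev.get("modifying_application", "")) not in AGENT_IMAGES:
            continue  # changed by something other than the EV Reach agent
        when = datetime.fromisoformat(ev["time"])
        nearby = audits.get(ev["host"].lower(), [])
        if not any(abs((when - a).total_seconds()) <= window_seconds for a in nearby):
            findings.append(ev)
    return findings

# Constructed sample records (hosts, times and install path are made up).
AGENT = r"C:\ExamplePath\GovAgent64.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2022-05-10T09:00:00", "id": 6549},
    {"host": "WS-01", "time": "2022-05-10T09:00:02", "id": 2003, "modifying_application": AGENT},
    {"host": "WS-02", "time": "2022-05-10T08:00:00", "id": 6549},
    {"host": "WS-02", "time": "2022-05-10T09:15:00", "id": 2003, "modifying_application": AGENT},
    {"host": "WS-02", "time": "2022-05-10T09:15:25", "id": 2003, "modifying_application": AGENT},
    {"host": "WS-03", "time": "2022-05-10T10:00:00", "id": 2003,
     "modifying_application": r"C:\Windows\System32\netsh.exe"},
]

if __name__ == "__main__":
    for ev in unaudited_firewall_changes(SAMPLE_EVENTS):
        print(ev["host"], ev["time"], "firewall changed by agent without audit event")
```

In the sample, WS-02 is flagged twice (the disable and the re-enable 25 seconds later), because its only audit event is more than an hour old.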