EV Reach - Security Notices Advisories

Last modified on 2023/07/12 14:03

Data Security Incident - Jan.23.2020

Notice DateJanuary 23rd 2020
Incident TypePersonal Identifiable Information Disclosure
Affected Users NotifiedYes, via email.
ImpactLow
Dear EV Reach User,
We value your business and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that involves your personal information.

Summary

CVE.pngOn January 12th, we were notified that a file containing a list of about 500 user IDs and encrypted passwords was being distributed through the public internet. The data accessed included the user login ID, the user email and the user’s password in encrypted format. The login data exposed DOES NOT PROVIDE ACCESS TO ANY OF THE EV Reach SERVICES.

How Severe is the Incident?

Upon investigation, we resolved that these IDs/Passwords were those registered by users of our community blog, which is hosted by WordPress.These IDs/Passwords are registered when product features are requested or comments on articles are posted. These IDs/Passwords do not provide access to any of the EV Reach Services. Please rest assured, that the EV Reach IT Support Solution, being an On-Premise solution, is very secure. Access credentials and security information never leave our client’s private infrastructure. Our company does not store privileged account information that could be consumed by malicious actors to access your company’s systems.

Recommendations for Affected Individuals

Even though these passwords are encrypted, and the login IDs cannot be used to access remote systems via EV Reach, it’s possible for people to exploit this information. For this reason, we advise you to change your password in all other platforms that may have been configured with the same password.Additionally, the email addresses may be used in phishing campaigns. Phishing attacks are the practice of sending fraudulent communications to obtain sensitive information such as credit card details and login credentials, by disguising as a trustworthy organization or reputable person in an email communication. Phishing emails are very common and are easily recognizable to the aware eye. For examples of such emails, visit: https://www.phishing.org/phishing-examples .

Actions Taken by EV Reach Following the Discovery of the Breach

EV Reach values your privacy and deeply regrets that this incident occurred. EV Reach is conducting a thorough review of all areas where our customer’s information may be exposed, and we are implementing security measures designed to prevent further occurrences of such security breaches.The community login IDs that were breached and published are non-critical to the services that we provide. Consequently, we will be resetting their passwords or deleting them completely. These actions will trigger further email notifications warning you that your password was changed, or account removed. Please do not be alarmed by their notifications at they are expected.Note: The modification or removal of community login data will not affect the proper functioning of the EV Reach Services.

Questions about this Notice

If you want further information and assistance, please contact our support department at +1 305 442 4788 between 9 a.m.- 6 p.m. EST, or visit our website

Security Advisory GOVSA.2019.1028.2 - Symbolic Link Hack

Advisory IDGOVSA.2019.1028.2
Vulnerability TypeCWE-65 Windows Hard Link (leads to Command Injections / Local Privilege Escalation)
Issue Date2019-10-28
Updated On2019-10-28 (Initial Advisory)
ApplicationEV Reach (Agent)
Affected VersionsEV Reach Console v9.20 and earlier EV Reach Client Agent v9.20.02 and earlier
SeverityMedium
Vulnerability StatusUpdate Released

Summary

CVE.pngA vulnerability has been reported which allows a malicious actor to generate arbitrary files in any location within the local system, including within protected areas. This exploit can be used in conjunction with a DLL hijacking exploit and result in privilege escalation.
Vulnerability TypeRemotely ExploitableImpact
Command InjectionNoPossible Local Code Execution
Local Privilege EscalationNoPossible Escalation from Standard User to Local Administrative Privileges

Relevant Products

This exploit is exposed by the EV Reach Agent process: GovAgentx64.exe and GovAgent.exe versions 9.20.02 and earlier.These EV Reach Client Agent are distributed on remote machine via the EV Reach Console and EV Reach Server versions 9.20 and 3.20 and earlier respectively.

Remediation

ProductAction
EV Reach Console v9.20.XX and earlierUpdate to v9.50 or later
EV Reach Server v3.20.XX and earlierUpdate to v3.50 or later
EV Reach Client Agent v9.20.02Update to v9.20.50 or later

Contacts

For further information about this security advisory, or to send us a security alert, please contact security(@)goverlan.com.

Security Advisory GOVSA.2019.1028.1 - Untrusted Search Path

Advisory IDGOVSA.2019.1028.1
Vulnerability TypeCWE-426 Untrusted Search Path (leads to Command Injections / Local Privilege Escalation)
Issue Date2019-10-28
Updated On2019-10-28 (Initial Advisory)
ApplicationEV Reach (Agent)
Affected VersionsEV Reach Client Agent v9.20.02 and earlier EV Reach Console v9.20 and earlier EV Reach Server v3.20 and earlier
SeverityHigh
Vulnerability StatusUpdate Released

Summary

CVE.pngA vulnerability has been reported which allows a malicious actor to elevate his/her local privilege on a Windows system equipped with the EV Reach Agents. This exploit uses DLL Hijacking which allows a customized DLL to be ran with elevated privileges by the EV Reach Agent GovAgentx64.exe.
Vulnerability TypeRemotely ExploitableImpact
Command InjectionNoPossible Local Code Execution
Local Privilege EscalationNoPossible Escalation from Standard User to Local Administrative Privileges

Relevant Products

This exploit is exposed by the EV Reach Agent process: GovAgentx64.exe and GovAgent.exe versions 9.20.02 and earlier.These EV Reach Client Agent are distributed on remote machine via the EV Reach Console and EV Reach Server versions 9.20 and 3.20 and earlier respectively.

Remediation

ProductAction
EV Reach Console v9.20.XX and earlierUpdate to v9.50 or later
EV Reach Server v3.20.XX and earlierUpdate to v3.50 or later
EV Reach Client Agent v9.20.02Update to v9.20.50 or later

Contacts

For further information about this security advisory, or to send us a security alert, please contact security(@)goverlan.com.

Acknowledgement

EV Reach would like to thank author PovlTekstTV for reporting this issue to us.

Security Advisory GOVSA.2022.0506.1 - Temporary disabling and enabling of the Windows Firewall during a remote EV Reach Agent update

Advisory IDGOVSA.2022.0506.1
Vulnerability TypeCWE-1038 Insecure Automated Optimizations
Issue Date2022-05-16
Updated On2022-05-06 (Initial Advisory)
ApplicationEV Reach (Agent)
Affected VersionsEV Reach Console v10.5.0 and earlier EV Reach Client Agent v10.1.10 and earlier
SeverityMedium
Vulnerability StatusUpdate Released
CVE StatusSubmitted - CVE Record | CVE

Summary

CVE.pngThe Windows Firewall is temporarily turned off upon a EV Reach agent update operation in EV Reach Management Console v10.5.0, EV Reach Server v3.70.0 and earlier versions, which allows remote attackers to bypass firewall blocking rules for a time period up to 30 seconds.
Vulnerability TypeRemotely exploitableImpact
Insecure Automated OptimizationsNoA remote system loses Windows Firewall protection for up to 30 seconds.

Detection

This behavior can be detected by the presence of one Windows Event that is not accompanied by a EV Reach Audit Event. If both events are present, the action was performed using the EV Reach consoles feature. If the Firewall Event ID 2003 is the only event present and the Modifying Application is GovAgent64.exe then this vulnerability is present.The Windows Event viewer records Event ID 2003 when the Windows Firewall has been enabled or disabled.
06052022_1 FirewallDisable.png
The EV Reach Console allows an operator to disable the Windows Firewall if the operator has the appropriate Windows permissions to do so. When the Firewall is disabled via an administrative action, the endpoint event viewer will log Event ID 6549 with the details of the action listed in the Event.
06052022_1 FirewallAudit.png

EV Reach Auditing

The EV Reach Agents are designed to monitor all configuration changes that are performed on a system by EV Reach Operators. All audits are contained in the Windows Event Viewer of the endpoint system. We recommended using a SEIM product at the endpoint to detect EV Reach related events. See EV Reach Auditing for more information.

Relevant Products

This vulnerability is exposed by the EV Reach Agent process: GovAgentx64.exe and GovAgent.exe versions 10.1.10 and earlier.These EV Reach Client Agent are distributed on remote machine via the EV Reach Console and EV Reach Server versions 10.5.0 and 3.70.0 and earlier respectively.

Remediation

ProductAction
EV Reach Console v10.5.0 and earlierUpdate to v10.5.1 or later
EV Reach Server v3.70.0 and earlierUpdate to v3.70.1 or later
EV Reach Client Agent v10.1.10 and earlierUpdate to v10.1.11 or later

Contacts

For further information about this security advisory, or to send us a security alert, please contact security(@)goverlan.com.
Tags:
Powered by XWiki © EasyVista 2024