XAML code injection execution in clients running Command Client
| CVE | CVE-2019-9163 |
| Advisory Summary | XAML code injection execution in clients running Command Client |
| Products or Components | Command Client |
| Addressed in Release | Command Client 2.7.2 |
| Severity | Critical |
| Ticket | MNS-2287 |
Description
When Command Client initiates a connection to Command Enterprise Software or to a recorder (including the Command Recording Software), it downloads and executes some XAML objects used to render part of the interface, and provide disclaimers and terms of services. These XAML objects may be used as an attack vector, in affected versions of Command Client, to run malicious code in the system where the Command Client is used.
Impact
A rogue Command Enterprise Software or recorder (including the Command Recording Software) may inject malicious code in the downloaded XAML, or a man in the middle may intercept a valid one, replacing it.
Affected versions of Command Client execute the XAML, leading access to the system where the Command Client is used, exposing its file system and allowing malicious code execution. Said access is limited to the rights of the user that launched Command Client.
Mitigations
The impact of the vulnerability may be mitigated if the network infrastructure is protected against the presence of malicious services acting as Command Enterprise Software or a recorder (including the Command Recording Software), and the presence of man in the middle attacks.
A closed network infrastructure will be protected from attacks coming from outside, while for the ones that may arise from inside, the risk could be mitigated by using 802.1x certificates, supported in our solution, to authenticate the access to the network.
Solution
Upgrade the Command Client to at least the fixed release. The latest release is available for download from the March Networks website or from the March Networks Partner Portal.
Upgrading Command Enterprise Software to at least 2.7.2 and Command Recording Software to at least 2.8.0 will automatically enforce the usage of the corresponding client release.
On our Partner Portal, customers using Command Enterprise Software 2.6.5, 2.7.0 or 2.7.1 will find a Command Client 2.7.2 update utility to enforce and distribute Command Client 2.7.2 from the CES.
Downloads
The latest client release is available on the March Networks website here: https://www.marchnetworks.com/software-downloads/
All of our supported software releases are also available on the March Networks Partner Portal here: https://partners.marchnetworks.com/support/command-software/command-client/
Credits
March Networks would like to acknowledge Joachim Kerschbaumer for reporting this vulnerability to our attention.
Revision
March 23, 2020 – Initial public report
Disclaimer
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and that the system has been deployed and configured, in accordance to March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability.
March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes, for our supported products, if and when a high security vulnerability is determined to affect March Networks products.