VDE-2022-015 | CERT@VDE

2022-04-27 14:00 (CEST) VDE-2022-015

Miele: Security vulnerability in Benchmark Programming Tool

Share: Email | Twitter

ID

VDE-2022-015

Published

2022-04-27 14:00 (CEST)

Last update

2022-04-27 17:06 (CEST)

Vendor(s)

Miele & Cie KG

Product(s)

Article No°	Product Name	Affected Version(s)
	Benchmark Programming Tool	<= 1.2.71

Summary

The Miele Benchmark Programming Tool on a Microsoft Windows operating system, selects a folder by default upon installation that is writable for all users (C:\\MIELE_SERVICE). After the installation of the tool, users without administrative privileges are able to exchange or delete executable files in this path.

CVE ID

CVE-2022-22521

Last Update:

30. August 2024 09:29

Severity

7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Weakness

Improper Privilege Management (CWE-269)

Summary

In Miele Benchmark Programming Tool with versions Prior to 1.2.71, executable files manipulated by attackers are unknowingly executed with users privileges. An attacker with low privileges may trick a user with administrative privileges to execute these binaries as admin.

Details

nvd.nist.gov

Solution

A new version (1.2.72) of the Benchmark Programming Tool, which closes the named vulnerability, is available for download on the Miele website: https://www.miele.de/p/miele-benchmark-programming-tool-2296.htm

Remediation

As a further risk-minimizing measure, the write permissions of the installation folder C:\\Miele_Service\\ Miele Benchmark Programming Tool can be adjusted so that an exchange of files is only possible with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows operating system environment used and in most cases requires administrative rights.

Reported by

CERT@VDE coordinated with Miele PSIRT

SEC Consult Vulnerability Lab identified and reported the vulnerability to Miele PSIRT.