Vulnerability Name:

CVE-2007-0603 (CCN-31830)

Assigned:2007-01-25
Published:2007-01-25
Updated:2018-10-16
Summary:PGP Desktop before 9.5.1 does not validate data objects received over the (1) \pipe\pgpserv named pipe for PGPServ.exe or the (2) \pipe\pgpsdkserv named pipe for PGPsdkServ.exe, which allows remote authenticated users to gain privileges by sending a data object representing an absolute pointer, which causes code execution at the corresponding address.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:7.1 High (CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)
5.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.1 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Privileges
References:Source: CCN
Type: BugTraq Mailing List, Thu Jan 25 2007 - 16:30:50 CST
Medium Risk Vulnerability in PGP Desktop

Source: VULNWATCH
Type: UNKNOWN
20070125 Medium Risk Vulnerability in PGP Desktop

Source: MITRE
Type: CNA
CVE-2007-0603

Source: OSVDB
Type: UNKNOWN
32969

Source: OSVDB
Type: UNKNOWN
32970

Source: CCN
Type: SA23938
PGP Desktop Service Code Execution Vulnerability

Source: SECUNIA
Type: Vendor Advisory
23938

Source: SREASON
Type: UNKNOWN
2203

Source: CCN
Type: SECTRACK ID: 1017563
PGP Desktop Input Validation Flaw in PGPServ.exe/PGPsdkServ.exe Services Lets Local Users Gain LocalSystem Privileges

Source: SECTRACK
Type: UNKNOWN
1017563

Source: CCN
Type: US-CERT VU#102465
PGP Desktop service fails to validate user supplied data

Source: CERT-VN
Type: US Government Resource
VU#102465

Source: CCN
Type: NGSSoftware Insight Security Research Advisory, January 26th, 2007
Medium Risk Vulnerability in PGP Desktop

Source: MISC
Type: Vendor Advisory
http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-pgp-desktop/

Source: CCN
Type: OSVDB ID: 32969
PGP Desktop PGPsdkServ.exe Crafted Data Object Arbitrary Code Execution

Source: CCN
Type: OSVDB ID: 32970
PGP Desktop PGPServ.exe Crafted Data Object Arbitrary Code Execution

Source: CCN
Type: PGP Desktop Web site
PGP Corporation - Homepage

Source: BUGTRAQ
Type: UNKNOWN
20070125 Medium Risk Vulnerability in PGP Desktop

Source: BID
Type: UNKNOWN
22247

Source: CCN
Type: BID-22247
PGP Desktop Windows Service Remote Code Execution Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2007-0356

Source: XF
Type: UNKNOWN
pgpdesktop-pgpserv-privilege-escalation(31830)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:pgp:corporate_desktop:9.5:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    pgp corporate desktop 9.5