Client AutoUpdate Harmful Code Installation Vulnerability (FSC33251)

Last update: 25 April 2022

ID: FSC33251

Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud

Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Total Score: 8,8 HIGH

Status: Final

First published: 21.04.2022

CVEs: -

Summary

A privilege escalation is possible by an intruder on a Microsoft Windows client using the Fabasoft Folio/Cloud Client AutoUpdate-Service (installed with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 or the Fabasoft Cloud Enterprise Client).

Affected Fabasoft Folio / Fabasoft eGov-Suite versions:

  • Fabasoft Folio / eGov-Suite 2021 Update Rollup 3
  • Fabasoft Folio / eGov-Suite 2022
  • Fabasoft Business Process Cloud

Versions below Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.

Linux and Apple macOS clients are not affected.

Impact

In the case the vulnerability could be exploited, malicious software can be installed and executed on the client PC.

Remediation

Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install/roll-out this hotfix immediately. If it is not possible to immediately update the Fabasoft Folio Client, see the possible workaround to disable the Fabasoft Folio Client Update Service below.

Fabasoft Business Process Cloud

The current download of the Fabasoft Cloud Client from the Fabasoft Business Process Cloud already includes the hotfixed version of the Fabasoft Cloud Client.

If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically. 

Hotfix information Fabaosoft Folio / Fabasoft eGov-Suite 

Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:

https://at.cloud.fabasoft.com/folio/public/0vmm5s2yvqt5p0pryhjkscvi57

Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain. 

 

The following Fabasoft Folio Client build numbers include the correction: 

  • 22.4.0.45 and above

  • 22.2.0.32 and above

  • 22.0.0.80 and above
  • 21.1.3.55 and above

The correction is already included in the release kits of following versions:

  • Fabasoft Folio / eGov-Suite 2022 Update Rollup 1 (22.0.1.x) and higher Update Rollup versions
  • Fabasoft eGov-Suite 2022 April Release (from 22.4.0.x) and higher Feature Track versions
  • Fabasoft Folio (22.5.0.x) and higher versions
Workaround: Disable Fabasoft Folio Client Update Service

The affected part of the Fabasoft Folio Client is the Fabasoft Folio Client Update Service, that is installed during the Fabasoft Folio Client installation.

This service is listed under Windows Services as 

  • "Fabasoft Folio Client 2022 Update Service", service name is "folioupdatepm22".
  • "Fabasoft Folio Client 2021 Update Service", service name is "folioupdatepm21".

Set the service startup type to "Disabled" via Group Policy. By disabling these services, the security vulnerability cannot be exploited.