Client AutoUpdate Harmful Code Installation Vulnerability (FSC33251)
ID: FSC33251
Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud
Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Total Score: 8,8 HIGH
Status: Final
First published: 21.04.2022
CVEs: -
Summary
A privilege escalation is possible by an intruder on a Microsoft Windows client using the Fabasoft Folio/Cloud Client AutoUpdate-Service (installed with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 or the Fabasoft Cloud Enterprise Client).
Affected Fabasoft Folio / Fabasoft eGov-Suite versions:
- Fabasoft Folio / eGov-Suite 2021 Update Rollup 3
- Fabasoft Folio / eGov-Suite 2022
- Fabasoft Business Process Cloud
Versions below Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.
Linux and Apple macOS clients are not affected.
Impact
In the case the vulnerability could be exploited, malicious software can be installed and executed on the client PC.
Remediation
Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install/roll-out this hotfix immediately. If it is not possible to immediately update the Fabasoft Folio Client, see the possible workaround to disable the Fabasoft Folio Client Update Service below.
Fabasoft Business Process Cloud
The current download of the Fabasoft Cloud Client from the Fabasoft Business Process Cloud already includes the hotfixed version of the Fabasoft Cloud Client.
If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically.
Hotfix information Fabaosoft Folio / Fabasoft eGov-Suite
Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:
https://at.cloud.fabasoft.com/folio/public/0vmm5s2yvqt5p0pryhjkscvi57
Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain.
The following Fabasoft Folio Client build numbers include the correction:
-
22.4.0.45 and above
-
22.2.0.32 and above
- 22.0.0.80 and above
- 21.1.3.55 and above
The correction is already included in the release kits of following versions:
- Fabasoft Folio / eGov-Suite 2022 Update Rollup 1 (22.0.1.x) and higher Update Rollup versions
- Fabasoft eGov-Suite 2022 April Release (from 22.4.0.x) and higher Feature Track versions
- Fabasoft Folio (22.5.0.x) and higher versions
Workaround: Disable Fabasoft Folio Client Update Service
The affected part of the Fabasoft Folio Client is the Fabasoft Folio Client Update Service, that is installed during the Fabasoft Folio Client installation.
This service is listed under Windows Services as
- "Fabasoft Folio Client 2022 Update Service", service name is "folioupdatepm22".
- "Fabasoft Folio Client 2021 Update Service", service name is "folioupdatepm21".
Set the service startup type to "Disabled" via Group Policy. By disabling these services, the security vulnerability cannot be exploited.