CVE-2019-7656

low-risk
Published 2020-01-29

A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.8.5.

Do I need to act?

-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Wowza

References (8)

Exploit https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7656-PrivEscal...
Third Party Advisory https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-stream...
Release Notes https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes
Vendor Advisory https://www.wowza.com/pricing/installer
Exploit https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7656-PrivEscal...
Third Party Advisory https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-stream...
Release Notes https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes
Vendor Advisory https://www.wowza.com/pricing/installer
29
/ 100
low-risk
Severity 24/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal