CVE-2020-7352

EUVD-2020-28479

06.08.2020, 16:15

The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.4 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
rapid7	CNA	8.4 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 93%

Affected Products (NVD)

Vendor	Product	Version
gog	galaxy	1.2.0 ≤ 𝑥 ≤ 1.2.64
gog	galaxy	2.0.0 ≤ 𝑥 ≤ 2.0.12

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/rapid7/metasploit-framework/pull/13444

https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/

https://github.com/rapid7/metasploit-framework/pull/13444

https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/