Release date

 

Reference

PROCALL-5150
Criticality

HIGH

CVSS-Score

7.3 and 7.9

Description

The WiX function RemoveFolderEx allows users with restricted rights to delete protected directories via directory junctions when administrators run the installer (CVE-2024-29188).

The use of the insecure directory C:\Windows\Temp allows users with low privileges to place binaries that can later be executed with SYSTEM privileges (CVE-2024-29187).
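The first issue comes down to an elevated cleanup routine descending into a directory junction that a low-privileged user planted. The following is an added example, not code from estos or WiX, showing a recursive delete that fails closed when it meets a link or junction; the function names are hypothetical.

```python
import os
import stat

# Added illustration; function names are hypothetical, not WiX or estos code.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows flag set on junctions and symlinks


def is_link_like(path):
    """True for a symlink or, on Windows, any reparse point such as a junction."""
    st = os.lstat(path)  # lstat describes the entry itself, never its target
    attrs = getattr(st, "st_file_attributes", 0)  # attribute only exists on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def find_links(root):
    """List link-like entries at or below root without descending into any of them."""
    if is_link_like(root):
        return [root]
    found = []
    with os.scandir(root) as entries:
        for entry in entries:
            if is_link_like(entry.path):
                found.append(entry.path)
            elif entry.is_dir(follow_symlinks=False):
                found.extend(find_links(entry.path))
    return found


def _delete(path):
    with os.scandir(path) as entries:
        children = list(entries)
    for entry in children:
        if is_link_like(entry.path):  # re-check: entry may have been swapped after the scan
            raise PermissionError(f"link appeared during cleanup: {entry.path}")
        if entry.is_dir(follow_symlinks=False):
            _delete(entry.path)
        else:
            os.unlink(entry.path)
    os.rmdir(path)


def remove_tree_checked(root):
    """Fail closed: delete nothing when the tree contains a link or junction."""
    links = find_links(root)
    if links:
        raise PermissionError(f"refusing to clean up, links present: {links}")
    _delete(root)
```

Path-based checks narrow the window but do not remove the race between check and delete, so elevated cleanup should also operate only in directories that unprivileged users cannot write to.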

Affected versions

This vulnerability affects all previously released versions of the installation programs of ProCall 8 Enterprise and ProCall 7 Enterprise (add-ons from the download package only) as well as MetaDirectory 6 Enterprise and ProCall Analytics 3.

  • ProCall Enterprise 8.x (all sub-versions)
    • Installation program UCServer and add-ons (not ProCall Client)
  • ProCall Enterprise 7.x (add-ons only) (all sub-versions)
    • Installation programs of the add-ons EWS Calendar Replicator, SIP Proxy and XMPP Proxy (not UCServer and not ProCall Client)
  • MetaDirectory 6 Enterprise (all sub-versions)
    • Installation program
  • ProCall Analytics 3
    • Installation program

Versions with bug fixes

estos has already released updates with fixes for the vulnerability. Customers and partners can obtain the updates via the known channels and follow the normal update process.

End-of-life

Please note the following: If you are using older estos product versions that are no longer supported (End-of-Life has been reached), we strongly recommend updating your software to the current versions for security reasons.
This is because security patches are only regularly developed and made available for current software versions.