Product: Stratusphere FIT/UX
Product Version: 6.6.0-1, 6.6.0-2
Expires on: 365 days from publish date
Updated: September 22, 2022
Applicable CVE: CVE-2020-14979
Problem:
Security vulnerabilities were identified in the third-party OpenHardwareMonitorLib.sys driver, which the Connector ID uses to obtain CPU temperatures from a wider variety of chipsets. This driver may allow reading and writing of arbitrary files.
Possible resolution:
NOTE:
Stratusphere no longer uses this library in version 6.7.0-5+. Please expedite migrating to the latest version of Stratusphere to address this and many other CVEs through this upgrade process:
In version 6.6.1, collecting CPU temp via OpenHardwareMonitorLib.sys is only enabled if an Admin explicitly does so in the Connector ID Key Settings page. Otherwise, in the 6.6.1 release, CPU temp is collected strictly via WMI.
For version 6.6.0, you can add a local registry key to the machine running the CID and restart the CID services by running the following commands from an elevated CMD prompt. You may choose to use psexec to run them across multiple machines:
REG ADD "HKLM\SOFTWARE\Wow6432Node\Liquidware Labs\ConnectorID" /v DisableWinRingDriver /t REG_DWORD /f /d 1
"C:\Program Files (x86)\Liquidware Labs\Connector ID\idcontrol.exe" stop
"C:\Program Files (x86)\Liquidware Labs\Connector ID\idcontrol.exe" start
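
To confirm the 6.6.0 workaround took effect on a machine, the following PowerShell check can be run after the restart. It is an added example, not vendor-supplied code: the function name Test-CidDriverMitigation is hypothetical, the registry path and value come from the REG ADD command above, and it assumes that a registered copy of the driver appears in Win32_SystemDriver with a path ending in OpenHardwareMonitorLib.sys.

```powershell
# Added verification example (not from the vendor).
function Test-CidDriverMitigation {
    # Values taken from the REG ADD command in this article.
    $keyPath    = 'HKLM:\SOFTWARE\Wow6432Node\Liquidware Labs\ConnectorID'
    $valueName  = 'DisableWinRingDriver'
    $driverFile = 'OpenHardwareMonitorLib.sys'

    # Read the mitigation value; $null means the key or value does not exist.
    $value = $null
    $item  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $value = $item.$valueName }

    # Assumption: while the driver is registered with the Service Control
    # Manager it is listed in Win32_SystemDriver under its .sys file name.
    $drivers = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$driverFile" })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RegistryValue    = $value
        MitigationSet    = ($value -eq 1)
        DriverRegistered = ($drivers.Count -gt 0)
        DriverState      = ($drivers | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ';'
    }
}

Test-CidDriverMitigation | Format-List
```

A machine that reports MitigationSet as False, or DriverRegistered as True with a Running state after the CID restart, should be rechecked. An empty driver list only shows that no registered driver service points at that file name.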