First published: 8 May 2023 (restricted disclosure)
Last update: 4 July 2023
ID: PDO06614
Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022 (incl. all URs), Fabasoft Folio/eGov-Suite 2023 (incl. UR1), Fabasoft Cloud
Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Total Score: 8,8 HIGH
Status: Final
CVEs: -
A privilege escalation is possible by an intruder on a Microsoft Windows client using the Fabasoft Folio/Cloud Client AutoUpdate-Service (installed with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 or the Fabasoft Cloud Enterprise Client).
Affected Fabasoft Folio / Fabasoft eGov-Suite versions:
Versions below Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.
Linux and Apple macOS clients are not affected.
In the case the vulnerability could be exploited, malicious software can be installed and executed on the client PC.
Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install/roll-out this hotfix immediately. If it is not possible to immediately update the Fabasoft Folio Client, see the possible workaround to disable the Fabasoft Folio Client Update Service below.
The current download of the Fabasoft Cloud Client from the Fabasoft Cloud already includes the hotfixed version of the Fabasoft Cloud Client.
If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically.
Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:
https://at.cloud.fabasoft.com/folio/public/3rz6bra2xcba40s6gt5fishghl
Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain.
The following Fabasoft Folio Client build numbers include the correction:
The affected part of the Fabasoft Folio Client is the Fabasoft Folio Client Update Service, that is installed during the Fabasoft Folio Client installation.
This service is listed under Windows Services as
Set the service startup type to "Disabled" via Group Policy. By disabling these services, the security vulnerability cannot be exploited.
The Fabasoft Folio Client Update Service may not be installed or enabled on your clients, therefore the vulnerability cannot be exploited. Nevertheless we recommend to update the Fabasoft Folio Client.