Vulnerabilities 2023

Client AutoUpdate Harmful Code Installation Vulnerability (PDO06614)

First published: 8 May 2023 (restricted disclosure)

Last update: 4 July 2023

ID: PDO06614

Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022 (incl. all URs), Fabasoft Folio/eGov-Suite 2023 (incl. UR1), Fabasoft Cloud

Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Base Score: 8.8 (High)

Status: Final

CVEs: -

Summary

A local privilege escalation is possible for an attacker with low-privileged access to a Microsoft Windows client via the Fabasoft Folio/Cloud Client AutoUpdate service (installed together with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 onward, or with the Fabasoft Cloud Enterprise Client).

Affected Fabasoft Folio / Fabasoft eGov-Suite versions:

  • Fabasoft Folio / eGov-Suite 2021 Update Rollup 3
  • Fabasoft Folio / eGov-Suite 2022 (up to Update Rollup 3 and Feature Track)
  • Fabasoft Folio / eGov-Suite 2023 (up to Update Rollup 1)
  • Fabasoft Cloud

Versions below Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.

Linux and Apple macOS clients are not affected.

Impact

If the vulnerability is exploited, a local low-privileged user can get malicious software installed and executed on the client PC with elevated privileges.

Remediation

Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install and roll out this hotfix immediately. If the Fabasoft Folio Client cannot be updated immediately, see the workaround below, which disables the Fabasoft Folio Client Update Service.

Fabasoft Cloud

The current download of the Fabasoft Cloud Client from the Fabasoft Cloud already includes the hotfixed version of the Fabasoft Cloud Client.

If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically.

Hotfix information Fabasoft Folio / Fabasoft eGov-Suite

Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:

https://at.cloud.fabasoft.com/folio/public/3rz6bra2xcba40s6gt5fishghl

Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain.

The following Fabasoft Folio Client build numbers include the correction:

  • 23.4.0.66 and above
  • 23.0.1.23 and above
  • 22.9.0.75 and above
  • 22.0.3.88 and above
  • 21.1.3.204 and above

Workaround: Disable Fabasoft Folio Client Update Service

The affected component is the Fabasoft Folio Client Update Service, which is installed during the Fabasoft Folio Client installation.

This service is listed under Windows Services as

  • "Fabasoft Folio Client 2023 Update Service", service name is "folioupdatepm23".
  • "Fabasoft Folio Client 2022 Update Service", service name is "folioupdatepm22".
  • "Fabasoft Folio Client 2021 Update Service", service name is "folioupdatepm21".

Set the startup type of these services to "Disabled" via Group Policy. Once the services are disabled, the vulnerability cannot be exploited. Note that a service whose startup type is changed to "Disabled" keeps running until it is stopped or the machine is rebooted, so stop a running instance as well.

If the Fabasoft Folio Client Update Service is not installed or not enabled on your clients, the vulnerability cannot be exploited there. Nevertheless, we recommend updating the Fabasoft Folio Client.
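The build-number check from the hotfix section and the workaround in this section, as an added PowerShell example that is not part of the advisory and not Fabasoft's own tooling: it looks up the three update services named above, reads the file version of each service executable, compares it against the fixed build numbers listed in the advisory, and stops and disables any service whose build is not known to be fixed. The service names and build numbers are taken from the advisory; the assumption that the service executable's file version equals the Fabasoft Folio Client build number is mine and is not stated on this page. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not Fabasoft's code). Service names and fixed build numbers are
# taken from the advisory. Assumption not stated in the advisory: the file
# version of the update service executable equals the Folio Client build number.
#Requires -RunAsAdministrator

$UpdateServices = 'folioupdatepm21', 'folioupdatepm22', 'folioupdatepm23'

# Minimum fixed build per release train ("... and above" in the advisory).
$FixedBuilds = '23.4.0.66', '23.0.1.23', '22.9.0.75', '22.0.3.88', '21.1.3.204' |
    ForEach-Object { [version]$_ }

function Test-FolioBuildFixed {
    # $true = fixed, $false = vulnerable, $null = build belongs to no train listed
    # in the advisory (check the hotfix teamroom manually).
    param([Parameter(Mandatory)][version]$Build)
    $train = $FixedBuilds |
        Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor -and $_.Build -eq $Build.Build } |
        Select-Object -First 1
    if ($null -eq $train) { return $null }
    return ($Build -ge $train)
}

function Get-FolioUpdateServiceStatus {
    foreach ($name in $UpdateServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { continue }   # not installed on this host

        # PathName may be quoted and may carry arguments; keep the executable only.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $fileVersion = $null
        if (Test-Path -LiteralPath $exe) {
            $fileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        }
        $fixed = $null
        if ($fileVersion) {
            try { $fixed = Test-FolioBuildFixed -Build ([version]$fileVersion) } catch { }
        }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            Executable  = $exe
            FileVersion = $fileVersion
            Fixed       = $fixed
        }
    }
}

function Disable-FolioUpdateService {
    # Per-machine equivalent of the Group Policy setting in the advisory. Stopping
    # the service matters too: a running service keeps running after its startup
    # type is set to Disabled until it is stopped or the machine reboots.
    param([Parameter(Mandatory)][string]$Name)
    if ((Get-Service -Name $Name).Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
}

$status = Get-FolioUpdateServiceStatus
$status | Format-Table Name, State, StartMode, FileVersion, Fixed -AutoSize

foreach ($s in $status) {
    # Disable unless the installed build is known to be fixed; $null counts as not fixed.
    if ($s.Fixed -ne $true -and $s.StartMode -ne 'Disabled') {
        Disable-FolioUpdateService -Name $s.Name
        Write-Host "Disabled $($s.Name) (build $($s.FileVersion))"
    }
}
```

The script is a stop-gap for machines that cannot take the hotfix right away; once the hotfixed Fabasoft Folio Client is rolled out, the update service can be re-enabled, and the Group Policy setting from the advisory remains the preferred way to apply the workaround fleet-wide.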