Vulnerability Notice - LogMeIn / GoTo

See all Vulnerability notices

CVE NUMBER

Not yet requested.

CVSS SCORE

7.3 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUMMARY

Our reverse engineering team discovered a kernel handle leak vulnerability in the latest version of LogMeIn. The vulnerability can be ubused for, for example, privilege escalation on a local system. The vulnerability has been reported to LogMeIn / GoTo via our Coordinated Vulnerability Disclosure (CVD) program.

Impacted Versions

At least the following version is affected (and likely also lower versions).

• LMIInfo.sys kernel driver version 11.1.0.3220. This driver is included in software version 4.1.15370, published on the 22nd of February 2024.

DETAILS

The vulnerable component is LMIInfo.sys, a kernel driver that facilitates remote desktop services. There are two kernel handle leaks present in the driver, which can be triggered from a low-privileged user context. This is due to the driver device being accessible by everyone on the local system. The kernel handle leak can be abused to obtain privilege escalation by abusing existing handles in the System (PID 4) process.

TIMELINE

• 28-02-2023 - Initial notice to and request for security contact.
• 28-02-2023 - First reply from GoTo security team requesting more information.
• 28-02-2023 - Sent full vulnerability details to GoTo security team.
• 28-05-2023 - Planned public release of our blog post.

REFERENCE

GoTo / LogMeIn software: https://support.logmeininc.com/pro/help/whats-new-in-pro

CREDIT

Discovered by Tijme Gommers, Jan-Jaap Korpershoek and Alex Oudenaarden of Northwave Cyber Security

Disclaimer