| Impact of Vulnerability | Allows users to execute arbitrary programs with SYSTEM permissions. |
| CVE Numbers | CVE20164288 |
| Severity Rating | High |
| CVSS v3 Base / Temporal Scores: |
Base: 8.8 , Temporal: 8.2 |
| Recommendations | Install or Update to latest BlueStacks Player |
| Affected Versions | All Versions |
| Location of Updated Software | http://www.bluestacks.com/download.html |
Description
CVE20164288.
A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App
Player installer creates a registry key with weak permissions that allows users to execute
arbitrary programs with SYSTEM privileges.
● CVE20164288: Allows users to execute arbitrary programs with SYSTEM permissions.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE20164288
Remediation
Go to the Product Downloads site and download the product.
Install the updated Bluestacks Player using the usual update path.
Workaround
None, Install the latest release
Acknowledgments
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos. TALOSCAN0124
CVSS Scoring
| Base Score | 8.8 |
| Attack Vector (AV) | Advanced (A) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Changed(C) |
| Confidentiality (C) | Low (L) |
| Integrity (I) | Low (L) |
| Availability (A) | Low (L) |
| Temporal Score (Overall) | 8.2 |
| Exploitability (E) | Functional (F) |
| Remediation Level (RL) | Official Fix (O) |
| Report Confidence (RC) | Confirmed (C) |
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C