CVE-2023-41138: 2023-11 security advisory
The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.
Your trust in our products and service means the world to us, and we are committed to being proactive and keeping you informed about any security updates to our software.
As part of this proactive stance, we have released security updates for AppsAnywhere Server 2.11, 2.12, 3.0 and 3.1 (patch AA-5085) and AppsAnywhere Client (1.6.1, 2.0.1). These new releases resolve two security issues (CVE-2023-41138 / CVE-2023-41137) and we recommend all customers who haven’t already applied these updates to do so by contacting our support team.
Below are the details of the two issues identified.
AppsAnywhere macOS Client - CVE-2023-41138 - Bad privilege assignment
Summary
The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.
Advisory release date
2023-11-09
Product
AppsAnywhere Client
Affected versions
AppsAnywhere macOS client v1.4.0
AppsAnywhere macOS client v1.4.1
AppsAnywhere macOS client v1.5.1
AppsAnywhere macOS client v1.5.2
AppsAnywhere macOS client v1.6.0
AppsAnywhere macOS client v2.0.0
Fixed versions
AppsAnywhere Windows client v1.6.1
AppsAnywhere Windows client v2.0.1
AppsAnywhere Windows client v2.2.0 or later
AppsAnywhere macOS client v1.6.1
AppsAnywhere macOS client v2.0.1
AppsAnywhere macOS client v2.2.0 or later
CVE ID(s)
CVE-2023-41138
CVSS
7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Discovered by
Gaelan Steele
AppsAnywhere Client - CVE-2023-41137 - Cryptographic error
Summary
Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server.
Advisory release date
2023-11-09
Product
AppsAnywhere Client
Affected versions
AppsAnywhere Windows client v1.4.0
AppsAnywhere Windows client v1.4.1
AppsAnywhere Windows client v1.5.1
AppsAnywhere Windows client v1.6.0
AppsAnywhere Windows client v2.0.0
AppsAnywhere macOS client v1.4.0
AppsAnywhere macOS client v1.4.1
AppsAnywhere macOS client v1.5.1
AppsAnywhere macOS client v1.5.2
AppsAnywhere macOS client v1.6.0
AppsAnywhere macOS client v2.0.0
Fixed versions
Fixed versions of the AppsAnywhere client require a compatible AppsAnywhere server version. Older server versions are incompatible.
Compatible server versions:
AppsAnywhere 2.11: 2.11 + patch AA-5085
AppsAnywhere 2.12: 2.12 + patch AA-5085
AppsAnywhere 3.0: 3.0 + patch AA-5085
AppsAnywhere 3.1: 3.1 + patch AA-5085
AppsAnywhere 3.2 and later
AppsAnywhere Windows client v1.6.1
AppsAnywhere Windows client v2.0.1
AppsAnywhere Windows client v2.2.0 or later
AppsAnywhere macOS client v1.6.1
AppsAnywhere macOS client v2.0.1
AppsAnywhere macOS client v2.2.0 or later
CVE ID(s)
CVE-2023-41137
CVSS
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Discovered by
Gaelan Steele
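To illustrate the class of weakness behind CVE-2023-41137 and the shape of the fix, here is an added example in Go; it is not AppsAnywhere's code, and the message format, the HMAC-based tag and the Ed25519 replacement are assumptions that model the issue class (a server-authentication secret that ships inside every client) rather than the real protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Weak design, modelling the flaw class behind CVE-2023-41137 (an assumption,
// not AppsAnywhere's real protocol): one symmetric key is shared by the server
// and every installed client, so it ships inside the client binary.
func sharedKeyTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Hardened design: the client holds only the server's Ed25519 public key;
// the private signing key never leaves the server.
func clientAcceptsSigned(serverPub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(serverPub, msg, sig)
}

// DemoSharedKeyForgeable: whoever recovers the client's copy of the shared key
// can mint a tag the client accepts, i.e. impersonate the server.
func DemoSharedKeyForgeable() bool {
	embeddedKey := make([]byte, 32) // constructed stand-in for a baked-in key
	rand.Read(embeddedKey)
	extracted := append([]byte(nil), embeddedKey...) // what reverse engineering yields
	forged := []byte(`{"from":"server","cmd":"rogue"}`) // constructed message
	return hmac.Equal(sharedKeyTag(embeddedKey, forged), sharedKeyTag(extracted, forged))
}

// DemoPublicKeyNotForgeable: with signatures, the material present in the client
// cannot produce a valid signature. Returns (forgeryAccepted, genuineAccepted).
func DemoPublicKeyNotForgeable() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte(`{"from":"server","cmd":"launch"}`) // constructed message
	forgery := clientAcceptsSigned(pub, msg, sharedKeyTag(pub, msg)) // keyed on public data only
	genuine := clientAcceptsSigned(pub, msg, ed25519.Sign(priv, msg))
	return forgery, genuine
}

func main() {
	f, g := DemoPublicKeyNotForgeable()
	fmt.Println("shared-key forgery accepted:", DemoSharedKeyForgeable())
	fmt.Println("signature forgery accepted:", f, "genuine accepted:", g)
}
```

The point of the contrast is that with a shared symmetric key the client has no way to tell the real server from anyone holding the client's own copy of the key, whereas with a server-held signing key the client-side material is useless for forging.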