Elevation of Privilege Vulnerability in Origin Client
EASEC-2019-001
Severity: Important
CVSS Score: 8.4
Impact: Elevation of Privilege
Status: Fixed
Affected Software: Origin for Mac & PC version 10.5.55.33574 (or earlier)
Description
Two vulnerabilities exist in the Origin Client Service for PC and Mac versions 10.5.55.33574 and earlier that could allow a non-Administrative user to elevate their access to System. Once the user has obtained elevated access, they may be able to take control of the system and perform actions otherwise reserved for highly privileged users or system Administrators.
Attack Scenario
To successfully leverage the vulnerability, the attacker needs to have valid user credentials with the ability to log on to the computer that has the Origin Client installed. Upon successfully logging in, the attacker would then need to be able to install a specially crafted program or execute code that modifies the contents of affected Origin install directories. They would then need to stop and restart the Origin Client.
Mitigations
Mitigations describe factors that limit the likelihood or impact of an attacker successfully leveraging the vulnerability.
- A successful attack would require the use of a valid account on the local machine with the Origin Client installed.
Workarounds
Workarounds are steps EA customers can take to reduce the potential for an attacker to leverage the vulnerability if they cannot or choose not to install the update.
- In order to temporarily limit the likelihood of the vulnerability being executed by non-privileged users, the system Administrator may choose to remove the local login rights or disable non-administrator accounts.
Resolution
To address the vulnerability, players with Administrator rights are advised to install the latest version of the Origin Client, version 10.5.56.33908 (or greater).
Upon installing the updated version of the Origin client, an Administrator must then enable “Restricted User Mode” from within the Origin Client. Additional details on how to enable “Restricted User Mode” can be found here.
Frequently Asked Questions:
How is Issue Severity Determined?
Issue severity is based on a 4-point scale ranging from Critical to Low. As part of our investigation, security engineers determine the overall ease of exploitation and how an attacker would need to successfully exploit the vulnerability. Typically, the fewer barriers that exist to exploitation combined with a higher Security Impact, the higher the Issue Severity designation.
What is an Elevation of Privilege?
Elevation of Privilege is a type of vulnerability classification per the STRIDE security model that can be used to gain elevated access to resources that are normally protected from the application or user. The result is that the application or user has more privileges than intended by the application developer or system administrator and can then perform unauthorized actions like changing the operating system configuration, changing user rights and permissions, or accessing data on the operating system.
What causes the vulnerability?
The vulnerability is caused by overly permissive ACLs on system files leveraged by the Origin Client within its install directory.
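One way an administrator can review the permissions described above on a Windows install, as an added example that is not EA's code: the function below lists every access-control entry under a directory that grants write-type rights to a principal outside a short list of administrative SIDs. The function name, the trusted SID list, and the caller-supplied directory are assumptions of this example; the advisory does not state the install path.

```powershell
# Added example (not EA code). $InstallDir is supplied by the caller because
# the advisory does not give the Origin install path.
function Find-NonAdminWritableAce {
    param([Parameter(Mandatory)][string]$InstallDir)

    # Well-known SIDs that are expected to hold write access (assumed list).
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Rights that allow changing content, deleting, or rewriting the ACL itself.
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor
        $rights::DeleteSubdirectoriesAndFiles -bor $rights::ChangePermissions -bor
        $rights::TakeOwnership)
    # ACEs can also carry raw GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
    $writeMask = $writeMask -bor 0x50000000

    $items = @(Get-Item -LiteralPath $InstallDir -Force) +
             @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Ask for identities as SIDs so the check does not depend on localized names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; the children they
            # propagate to are checked on their own.
            if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
            $sid = $ace.IdentityReference.Value
            if ($trusted -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: Find-NonAdminWritableAce -InstallDir '<Origin install directory>' | Format-Table -AutoSize
```

An empty result means no entry outside the trusted list holds write-type rights on the objects the script could read; run it from an elevated session so that unreadable ACLs are not silently skipped.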
How do I know if I am vulnerable?
If Origin client version 10.5.55.33574 or earlier is installed on the system, it is vulnerable to this issue.
How does the update resolve the vulnerability?
The update addresses the vulnerability by allowing Administrator users to limit the access and ability of non-administrative users to make modifications. For more information on the update, please see the following EA help Article.
Why isn’t “Restricted User Mode” enabled by default?
Based on the current architecture of the Origin client, restricting access to system files used by the Origin services limits the use of some features for non-Administrative users. We’ve decided to allow system Administrators to balance the option of restricting these features against the likelihood of the vulnerability being used, based on their own deployments.
Has this vulnerability been used against EA’s customers?
No. At the time of publication of this advisory, we are not aware of any attacks against EA’s players that leverage this vulnerability.
Acknowledgement(s)
EA thanks the following security researchers for their discovery and for reporting it to us in accordance with Coordinated Vulnerability Disclosure practices:
- Vasily Kravetz of AMonitoring for reporting CVE-2019-19247 and CVE-2019-19248
- Matt Nelson for reporting CVE-2019-19248
Date Published: 12/10/2019
Version: 1.0