CISA warns of multiple critical vulnerabilities in MAXHUB Pivot Client Application, a widely used tool for managing interactive conference room displays, with active exploitation observed for a remote code execution flaw. Immediate patching is required to prevent system compromise.
CISA has released an urgent security advisory for the MAXHUB Pivot Client Application. The advisory covers multiple vulnerabilities that allow remote code execution, local privilege escalation, and exposure of credentials the application stores in cleartext. The Pivot Client manages MAXHUB interactive conference room displays used in enterprises and schools worldwide.
Affected Product and Versions
The vulnerabilities affect all versions of the MAXHUB Pivot Client Application earlier than 2.1.0. MAXHUB has confirmed that both Windows and macOS installations are affected. The Pivot Client lets users create, edit, and share interactive display content, including presentations and digital whiteboards.
Vulnerability Details
The advisory tracks four distinct vulnerabilities, each assigned a CVE ID and a CVSS v3.1 severity score:
CVE-2023-3421: Improper Input Validation (CWE-20). CVSS v3.1 score 8.8 (High). An attacker can execute arbitrary code on the host by getting a user to open a maliciously crafted project file in the application; no interaction beyond opening the file is required.
CVE-2023-3422: Path Traversal (CWE-22). CVSS v3.1 score 7.5 (High). An unauthenticated remote attacker can read arbitrary files on the host, but only after tricking a user into clicking a crafted link that triggers the file read. Configuration files, user data, and other sensitive content can be stolen this way.
CVE-2023-3423: Insecure Permissions (CWE-269). CVSS v3.1 score 7.8 (High). A local attacker with low-privileged access can escalate to SYSTEM. The installer sets overly permissive access control lists on the application's core executables, so any local user can modify or replace those binaries with malicious code.
CVE-2023-3424: Cleartext Storage of Sensitive Information (CWE-312). CVSS v3.1 score 5.5 (Medium). The application stores user login credentials and API keys unencrypted in local configuration files, so any user who can read those files can extract the credentials and use them against the linked MAXHUB cloud services.
Timeline and Exploitation Status
MAXHUB released version 2.1.0 of the Pivot Client Application on June 5, 2023; the update patches all four vulnerabilities. CISA added the exploited flaw to its Known Exploited Vulnerabilities (KEV) Catalog on June 20, 2023, after active exploitation of CVE-2023-3421 was observed in the wild. Under Binding Operational Directive 22-01 (BOD 22-01), federal agencies must apply the patch by July 10, 2023.
Mitigation Steps
MAXHUB and CISA recommend immediate action. Update to MAXHUB Pivot Client Application version 2.1.0 or later, available from the MAXHUB Support Downloads page, and confirm the installed version afterwards. Organizations that cannot update immediately should apply temporary mitigations: restrict network access to the application to trusted IP ranges, block users from opening project files from untrusted external sources, audit file permissions on the application installation directory, and rotate any credentials held in the local configuration files, since they must be assumed exposed.
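The following PowerShell script is an added example, not code from MAXHUB or CISA, that checks a Windows host for the three conditions the advisory and its mitigations describe: an installed version below 2.1.0, executables under the install directory that low-privilege users can modify (CVE-2023-3423), and configuration files that any local user can read and that appear to hold credentials (CVE-2023-3424). The install directory, the configuration directory, and the DisplayName pattern used to find the product in the Uninstall registry keys are assumptions, since the advisory does not state them; adjust them to match the installation before running it from an elevated prompt.

```powershell
# Added example (not MAXHUB's or CISA's code): audit a Windows host for the
# conditions this advisory describes. Assumptions not taken from the advisory:
# the install directory, the config directory, and the DisplayName pattern in
# the Uninstall registry keys. Run from an elevated PowerShell prompt.

$InstallDir   = 'C:\Program Files\MAXHUB\Pivot Client'      # assumed path
$ConfigDir    = Join-Path $env:ProgramData 'MAXHUB\Pivot'     # assumed path
$FixedVersion = [version]'2.1.0'                              # from the advisory

# Principals that every interactive user on the host belongs to. An Allow ACE
# granting these write rights on a binary is the condition behind CVE-2023-3423.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace or tamper with a file, or delete and recreate
# the files inside a directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]'ReadData'

function Get-PivotInstalledVersion {
    # Installed versions are recorded under the Uninstall keys (64- and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'MAXHUB*Pivot*' } |   # assumed name pattern
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Find-WeakAclEntries {
    # Emit one object per Allow ACE that grants a low-privilege principal any
    # right in $RightsMask on $Path or on anything beneath it.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $RightsMask
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights surface as raw bits; the int cast keeps -band meaningful.
            if (([int]$ace.FileSystemRights -band $RightsMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. Version: everything below 2.1.0 is affected.
$installed = Get-PivotInstalledVersion
if (-not $installed) {
    Write-Warning 'Pivot Client not found in the Uninstall keys; confirm the version manually.'
} elseif ([version]$installed -lt $FixedVersion) {
    Write-Warning "Installed version $installed is below $FixedVersion; update before anything else."
} else {
    "Installed version $installed is at or above $FixedVersion."
}

# 2. CVE-2023-3423: binaries (and the directories holding them) writable by any local user.
$weakWrite = @(Find-WeakAclEntries -Path $InstallDir -RightsMask $WriteMask)
if ($weakWrite.Count -gt 0) {
    Write-Warning "$($weakWrite.Count) ACE(s) let low-privilege users modify files under ${InstallDir}"
    $weakWrite | Format-Table -AutoSize
} else {
    "No low-privilege write grants under ${InstallDir}."
}

# 3. CVE-2023-3424: config files readable by any local user, and which of them
#    look like they hold credentials. Only file names are printed, never values.
$weakRead = @(Find-WeakAclEntries -Path $ConfigDir -RightsMask $ReadMask)
$weakRead | Select-Object Path, Principal -Unique | Format-Table -AutoSize
$credPattern = '(?i)\b(password|passwd|api[_-]?key|token|secret)\b\s*[:=]'   # heuristic
Get-ChildItem -LiteralPath $ConfigDir -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $credPattern -List |
    ForEach-Object { "Credential-looking key in $($_.Path) (line $($_.LineNumber)); rotate it after updating." }
```

Two design points: the ACL walk includes directories as well as files, because write or delete rights on the directory let a user delete and recreate a binary even when the file's own ACL is tight; and the credential scan reports only file names and line numbers, so the audit output itself does not become another cleartext copy of the secrets.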
Read the full advisory at the CISA ICS Advisory page.