CVE-2019-8385

9.8 CRITICAL

📋 TL;DR

CVE-2019-8385 is an unauthenticated directory traversal and local file inclusion vulnerability in Thomson Reuters Desktop Extensions. It allows remote attackers to read sensitive files, potentially leading to privilege escalation and remote code execution. Organizations using affected versions of Thomson Reuters Desktop Extensions are at risk.

💻 Affected Systems

Products:
  • Thomson Reuters Desktop Extensions
Versions: 1.9.0.358
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe components listening on port 6677.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, credential theft via SAM/SYSTEM database dumping, and lateral movement within the network.

🟠

Likely Case

Unauthenticated attackers reading sensitive files, potentially exposing credentials, configuration files, and other confidential data.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable over port 6677 without authentication, making internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated attackers to traverse directories and read sensitive files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to port 6677 and uses simple directory traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.9.0.358

Vendor Advisory: https://www.thomsonreuters.com/en/products-services.html

Restart Required: Yes

Instructions:

1. Contact Thomson Reuters support for updated version.
2. Download and install the patched version.
3. Restart affected services and systems.

🔧 Temporary Workarounds

Block Port 6677

windows

Block inbound traffic to port 6677 at network perimeter and internally where possible.

netsh advfirewall firewall add rule name="Block TR Port 6677" dir=in action=block protocol=TCP localport=6677

Restrict Service Access

windows

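Configure Windows Firewall to restrict access to Thomson Reuters services to trusted IPs only. Replace 192.168.1.0/24 with your trusted range. An allow rule narrows access only when the default inbound action is block and no broader allow rule for the port or program exists; if the block rule above is also present, it takes precedence and the port stays closed.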

netsh advfirewall firewall add rule name="Restrict TR Service" dir=in action=allow protocol=TCP localport=6677 remoteip=192.168.1.0/24

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems from untrusted networks.
  • Deploy application control solutions to prevent unauthorized execution of Thomson Reuters binaries.

🔍 How to Verify

Check if Vulnerable:

Check if ThomsonReuters.Desktop.Service.exe or ThomsonReuters.Desktop.exe version 1.9.0.358 is running and listening on port 6677.

Check Version:

wmic product where "name like 'Thomson Reuters%'" get version

Verify Fix Applied:

Verify that the software version is later than 1.9.0.358 and test that directory traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to port 6677
  • Failed directory traversal attempts in application logs
  • Multiple requests with '..' sequences

Network Indicators:

  • Unusual traffic to port 6677 from untrusted sources
  • HTTP-like requests containing '..' patterns

SIEM Query:

dest_port=6677 AND (uri="*..*" OR user_agent="*..*")
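
An added example (not from the vendor or the original advisory) of the "multiple requests with '..' sequences" indicator: it flags sources that repeatedly send '..' path segments to port 6677, percent-decoding first so encoded forms in raw logs are not missed. The log line format, sample lines and function names are constructed for illustration; whether the service itself decodes such sequences is not stated on this page.

```python
import re
from urllib.parse import unquote

TR_PORT = 6677  # listening port named on this page
# Assumed (constructed) log format: "<src_ip> <dst_port> <method> <raw_uri>"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")
# ".." as a whole segment, delimited by / or \ (or "=" for a parameter value)
TRAVERSAL_RE = re.compile(r"(^|[\\/=])\.\.([\\/]|$)")

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms are seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_traversal(uri):
    return bool(TRAVERSAL_RE.search(normalize(uri)))

def scan(lines, threshold=2):
    """Return {src_ip: [raw_uris]} for sources with >= threshold traversal requests."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(2)) != TR_PORT:
            continue  # unparsable line or a different service
        src, uri = m.group(1), m.group(4)
        if is_traversal(uri):
            hits.setdefault(src, []).append(uri)
    return {src: uris for src, uris in hits.items() if len(uris) >= threshold}

# Constructed sample log lines (documentation IP ranges, placeholder paths)
SAMPLE = [
    "198.51.100.7 6677 GET /../../../example/secret.txt",
    "198.51.100.7 6677 GET /%2e%2e/%2e%2e/example/secret.txt",
    "198.51.100.7 6677 GET /%252e%252e%255cexample%255csecret.txt",
    "192.0.2.10 6677 GET /files/report..v2.pdf",   # dots inside a file name
    "192.0.2.10 6677 GET /index.html",
    "203.0.113.5 8080 GET /../other-service",      # not port 6677
    "203.0.113.9 6677 GET /..%5cexample",          # single hit, below threshold
]

if __name__ == "__main__":
    for src, uris in scan(SAMPLE).items():
        print(src, len(uris), "traversal-style requests")
```

A plain `*..*` wildcard match also fires on names such as `report..v2.pdf`; matching whole '..' segments after decoding avoids that.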
