Plantronics Hub - Improper Access Control

Vulnerability Summary

A vulnerability in the Plantronics Hub updater system, if exploited, could allow an authenticated local attacker to execute arbitrary code on an affected device as the Microsoft Windows SYSTEM account.

 

Details

CVE-2020-14941 - Plantronics Hub – Local Privilege Escalation
A vulnerability in the Plantronics Hub updater system, if exploited, could allow an authenticated local attacker to execute arbitrary code on an affected device as the Microsoft Windows SYSTEM account.

The vulnerability is due to overly broad signature acceptance for Poly-signed binaries. An attacker could exploit this vulnerability by executing commands or binaries with SYSTEM privileges.

Poly released a firmware update to address this vulnerability. There is no workaround.

Published

Last Update: 3/9/2022
Initial Public Release: 6/10/2021
Advisory ID: PLYAP21-07

CVE ID: CVE-2020-14941
CVSS Score: 8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Product Affected
PRODUCTS | FIRMWARE | FIX
Plantronics Hub Desktop App | 3.21 and prior | 3.22 or later

Solution

Poly recommends customers upgrade to app version 3.22 or later. 
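
To confirm which Windows hosts still need this upgrade, the following PowerShell check is an added example, not Poly's own tooling. It assumes the app registers under the standard machine-wide Uninstall registry keys with a DisplayName containing "Plantronics Hub"; the function name and sample version strings are hypothetical.

```powershell
# Added example: flag Plantronics Hub installs older than the fixed version (3.22).
# Assumption: DisplayName contains "Plantronics Hub"; adjust the pattern if yours differs.
$FixedVersion = [version]'3.22'

function Test-HubVersionAffected {
    param([string]$DisplayVersion)
    $parsed = $null
    # Missing or unparseable versions are reported as affected so they get reviewed.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $true }
    # Compare major.minor only, so every 3.21.x build counts as "3.21 and prior".
    $majorMinor = New-Object System.Version -ArgumentList $parsed.Major, $parsed.Minor
    return $majorMinor -lt $FixedVersion
}

# Constructed version strings (not real inventory data). A plain string
# comparison would wrongly rank "3.9.1" above "3.22.0".
foreach ($sample in '3.21.1000.1', '3.9.1', '3.22.0', '3.25.1') {
    '{0,-14} affected={1}' -f $sample, (Test-HubVersionAffected $sample)
}

# Machine-wide installs, 64-bit and 32-bit views. Per-user installs under HKCU
# are not covered by this check.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Plantronics Hub*' } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Affected = Test-HubVersionAffected $_.DisplayVersion
        }
    }
```

Hosts reported with Affected set to True should be upgraded to 3.22 or later.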

 

Workaround

There is no workaround.

Contact

Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support at (888) 248-4143 or (916) 928-7561, or visit the Poly Support Site.

 

Recognition

Poly would like to thank Giuseppe from Redtimmy for reporting security vulnerabilities to us and for their coordinated disclosure.

Revision History
Version | Date | Description
1.0 | 6/10/2021 | Initial Release
2.0 | 3/9/2022 | Formatting Changes