CVE-2022-36173 v4.4.0-4.4.3 FreshAgent and FreshService Linux Agent 3.4.0 are vulnerable to TLS Man-in-The-Middle via the FreshAgent client and scheduled update service.

This results in the attacker being able to read, modify, and/or delete data on the client machine. The FreshService update service is vulnerable to an issue where the server does not properly validate TLS certificates. This issue is called ‘’Certificate Revocation Failure’’ and can be caused by a number of things, but one of the main ones is an expired or invalid TLS certificate on the server. This results in the client machine receiving an error message stating that the connection to the server cannot be made. This can be especially dangerous for users of remote desktop software, such as Splashtop or TeamView where the attacker can now take over that session and start attacking the user directly. This issue affects FreshService Linux Agent  3.4.0 and FreshService macOS Agent  4.4.0 and is easily resolved by upgrading the server to version 3.4.1 or later.

FreshService Linux Agent 3.4.1

FreshService Linux Agent 3.4.1 has been released and the vulnerability CVE-2022-36173 fixed in this release. This should be applied to all Linux servers running FreshService.

What to do if you are affected?

If you have been affected by this issue, please contact our support team at support@freshservice.com

Timeline

Published on: 09/12/2022 21:15:00 UTC
Last modified on: 09/15/2022 04:12:00 UTC

References

• https://community.freshworks.com/product-updates/freshservice-release-notes-april-2022-23982#Security+updates:+Discovery+Probe+and+Discovery+Agent
• https://public-exposure.inform.social/post/integrity-checking/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36173