[German]If you use the software 'Logitech Options' in Windows, you should update to version 7.00.564. The reason: older versions have a serious security vulnerability.
Advertising
Logitech offers a Windows software called 'Logitech Options' on this Logitech website to configure its mice and keyboards. But older versions are vulnerable.
Vulnerability in Logitech Options
Google security researcher Tavis Ormandy discovered a serious vulnerability in this software in September 2019. According to his description here the program registers under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it is always executed.
At the same time, the application also opens a websocket server on port 10134 to which any website can connect. The web page could communicate with the service via port 10134 and send JSON-encoded commands. The websocket server has no check whether a web connection is allowed at all.
As a result, attackers can set up any Web page. Then commands could be sent to the Logitech Options software. The attacker only needs to know the process identifier (PID). However, this PID can be guessed by a brute force attack because the software allows any number of attempts.
Once the attacker has overcome this hurdle, he could take over remote control of the PC via the web by sending any commands into the system via Logitech Options. Tavis Ormandy writes that he has not found a way to tell Logitech about the vulnerability. Anyway, he didn't get any feedback on his mails to Logitech. Now that the 90-day lockout expired in December 2018, Ormandy has released the vulnerability.
Advertising
Logitech releases version 7.00.564
Shortly after Tavis Ormandy's article appeared here, Logitech released a new version 7.00.564 of Logitech Options. This version can be downloaded from this Logitech website. Tavis Ormandy writes that he is currently checking this version for the vulnerability. But Logitech told German magazine heise.de that the new version fixes the vulnerability, as you can read here.
