Skip to the content.

DIVD-2021-00029 - Smartertrack

Our reference DIVD-2021-00029
Case lead Victor Gevers
Author Finn van der Knaap
Researcher(s)
CVE(s)
Product SmarterTrack
Versions All versions / v100.0.8019.14010
Recommendation Upgrade to the latest version
Status Open
Last modified 20 Jun 2022 07:35

Summary

On 17 November 2021, the case was created, and around the end of 2021 the investigation began. This concerns Windows servers that are running the latest version of SmarterTrack, which was at the time v100.0.8019.14010. Wietse found four different vulnerabilities, which are currently all fixed in the latest version.

What you can do

If you are using SmarterTrack, check your version number to see if you’re still vulnerable. If you are using an older version, then update by downloading the newer build here. There is also an opportunity to see if the vulnerabilities have been exploited on your system before.

What we are doing

We notified the SmarterTools, and they brought out a new, fully patched version.

Timeline

Date Description
17 Oct 2021 Vulnerabilities discovered by Wietse Boonstra
17 Jan 2022 Testing by DIVD conforms that the vulnerabilities are still present in the product
29 Jan 2022 Report sent to SmarterTrack
29 Jan 2022 Automatic vendor reply that email cannot be processed
29 Jan 2022 Ticket 24A-2988414F-0012 created via SmarterTrack website
02 Feb 2022 Ticket closed without resolution
02 Feb 2022 Email sent to security@smartertools.com
02 Feb 2022 Vendor ackknowledges receipt of email
29 Jan 2022-
02 Feb 2022
Time to acknowledge receipt
07 Feb 2022 Vendor requests and receives additional details
09 Feb 2022 Vendor releases new update and asks us to retest vulnerabilities
02 Feb 2022-
09 Feb 2022
Time to fix
10 Feb 2022 We confirm vulnerabilities have been fixed in build 8075
12 Mar 2022 Limited Disclosure
gantt title DIVD-2021-00029 - Smartertrack dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00029 - Smartertrack (still open) :2021-10-17, 2022-07-01 section Events Vulnerabilities discovered by Wietse Boonstra : milestone, 2021-10-17, 0d Testing by DIVD conforms that the vulnerabilities are still present in the product : milestone, 2022-01-17, 0d Report sent to SmarterTrack : milestone, 2022-01-29, 0d Automatic vendor reply that email cannot be processed : milestone, 2022-01-29, 0d Ticket 24A-2988414F-0012 created via SmarterTrack website : milestone, 2022-01-29, 0d Ticket closed without resolution : milestone, 2022-02-02, 0d Email sent to security@smartertools.com : milestone, 2022-02-02, 0d Vendor ackknowledges receipt of email : milestone, 2022-02-02, 0d Time to acknowledge receipt (4 days) : 2022-01-29, 2022-02-02 Vendor requests and receives additional details : milestone, 2022-02-07, 0d Vendor releases new update and asks us to retest vulnerabilities : milestone, 2022-02-09, 0d Time to fix (7 days) : 2022-02-02, 2022-02-09 We confirm vulnerabilities have been fixed in build 8075 : milestone, 2022-02-10, 0d Limited Disclosure : milestone, 2022-03-12, 0d

More information