OSVDB: 54258 - Garmin Communicator Plug-in GARMINAXCONTROL.GarminAxControl_t.1 ActiveX (npGarmin.
Secunia: 34326 - Garmin Communicator Plug-In Domain Locking Security Bypass, Less Critical
SecurityFocus: 34858 - Garmin Communicator Plugin 'npGarmin.dll' Security Bypass Vulnerability
Vulnerability Center: 22035 - Garmin Communicator Plug-In 2.6.4.0 Domain-Locking Remote Sensitive Information Disclosure, Medium
Countermeasures recommended: no mitigation known. CVSSv3 VulDB Meta Base Score: 9.8. The vulnerability is also documented in the databases at X-Force (50360), SecurityTracker (ID 1022173) and Vulnerability Center (SBV-22035). It may be suggested to replace the affected object with an alternative product. There is no information about possible countermeasures known. During that time the estimated underground price was around $0-$5k. The vulnerability was handled as a non-public zero-day exploit for at least 1 day. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. Technical details of the vulnerability are known, but there is no available exploit. No form of authentication is needed for a successful exploitation. The identification of this vulnerability is CVE-2009-0194 since. The weakness was disclosed by Dyon Balding with Secunia Research (Website). The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a "synchronisation error." Impacted is confidentiality, integrity, and availability. Using CWE to declare the problem leads to CWE-264. The manipulation with an unknown input leads to a privilege escalation vulnerability. Click Exit. This completes the installation of the plugin. Wait for the browser(s) to close and the Setup Wizard to appear.
Follow the instructions on the Communicator Plugin pop up and click OK 4. This issue affects an unknown part in the library npGarmin.dll of the component ActiveX Control. Click Continue to begin the installation process 2. A high score indicates an elevated risk to be targeted for this vulnerability. A vulnerability, which was classified as critical, has been found in GARMIN Garmin Communicator Plugin 2.6.4.0. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. Strava locked down their API earlier this year to allow only hand-selected 3rd parties on the platform, but they seem to be unable to get their site to work with the latest version of IE and GCP. Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. It is not a big deal, really, but it is interesting how little communication there seems to be between these vendors. I have to use Firefox with Strava if I want to upload activities directly from the device. The site apparently does see the plugin when it runs on IE 11, and the plugin does find the 305: Plugin seen by Connect running on IE11 Oddly enough, I can still upload activities to the Garmin Connect site with IE11. Firefox on the other hand happily reports that I have the plugin: Firefox recognizes the Garmin Communicator The installer first closes all browsers, then reopens IE 11 and directs me back to the plugin page that will continue to tell me that I do not have it. I can click on the “Download for Windows” link, though, which will allow me to download and install the plugin. When I click on the Install Now button, nothing happens: Garmin page does not detect the plugin The odd thing is that the Garmin plugin page thinks the plugin is not installed, either, when I browse there with IE 11. Strava running side by side on IE 11 and Firefox 26.
Strava will not detect the GCP on IE11, even though it happily uses it on Firefox running side-by-side. The current situation is – it simply does not work. Strava so far has not been very robust when it comes to the Garmin plugin on IE 11. Then things seemed to settle down, until I began using the Strava site in anticipation of getting Google Glass (Strava currently has the only “Glassware” apps for run and ride tracking). On more than one occasion I had to resort to Training Center, Garmin’s desktop app, to receive the activity from the device and save it to a TCX file for upload to the website. Things changed on an almost weekly basis when Microsoft pushed out an update that broke the plugin or the website, then Garmin fixed it and it worked again. Ever since IE 11 came out earlier this fall, I have been having problems with uploading activities from my Garmin 305.