NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update url and can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector. NOTE: the Supplier reports that the existence of an http://update.nicehash.com URL is a fabrication, and that there is no other use of HTTP (rather than HTTPS).
According to the vulnerability report, the application's automatic update mechanism uses an unencrypted HTTP protocol, allowing an attacker positioned on the network path (man-in-the-middle) to intercept or redirect traffic to the update URL. The lack of digital signature verification or checksum verification of the downloaded file means that a substituted executable file would be installed and run automatically without any integrity checks. This would result in complete arbitrary code execution (RCE) on the user's machine without their interaction (zero-click). However, the vendor denies in a CVE note that the http://update.nicehash.com address even exists and claims that the application does not use HTTP instead of HTTPS.
An attacker could gain full control over the victim's system by executing arbitrary code with the privileges of the updater process, potentially enabling malware installation, data theft, or hijacking of computing resources.
Apply patches available from the vendor according to the references. Due to the vendor's objection to the described attack vector, it is recommended to verify with the supplier (NiceHash) whether the software version in use truly uses only HTTPS for downloading updates. Until the dispute is clarified, it is recommended to monitor network traffic generated by the application.
NiceHash QuickMiner version 6.12.0 (according to the report description; vendor contests the described attack vector)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNicehash Quickminer
APPNicehash6.12.0
Related vulnerabilities
An issue was discovered in NiceHash Miner before 2.0.3.0. A missing rate limit while adding a wallet via Email...
An issue was discovered in NiceHash Miner before 2.0.3.0. Missing Authorization allows an adversary to can gai...
A Username Enumeration via Error Message issue was discovered in NiceHash Miner before 2.0.3.0 because an "EMA...