CVE-2021-38142: 
Barco MirrorOp Windows Sender vulnerability analysis and mitigation

Barco MirrorOp Windows Sender before version 2.5.3.65 uses cleartext HTTP for software upgrades, which allows rogue software upgrades. The vulnerability was discovered and disclosed on September 7, 2021. The issue affects the upgrade mechanism of the Windows Sender application, which is not protected with TLS encryption (NVD).

The vulnerability stems from the use of unencrypted HTTP protocol for the software upgrade mechanism. An attacker on the local network can achieve remote code execution on any computer that attempts to update Windows Sender due to the lack of TLS protection in the upgrade mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

The vulnerability allows an attacker on the local network to achieve remote code execution on any computer that attempts to update Windows Sender. This can lead to complete compromise of the affected system, with potential impacts on confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been patched in Barco MirrorOp Windows Sender version 2.5.3.65, released on July 7, 2020. The update implements TLS handshake on the MirrorOp Client side to secure the upgrade mechanism. Users are advised to upgrade to this version or later to mitigate the vulnerability (Barco Release Notes).