Splashtop Streamer 02/15/22 CVE

https://nvd.nist.gov/vuln/detail/CVE-2021-42712

It seems like we should we force a re-install of Streamer if we’re running the older version. Some of my assets have the affected version.

Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.

I have an old 3.4.8.4 updated on 5-27-2021. So this is a pretty old issue.

Yes this has been around around a while it seems. I’ve scheduled updates of the few clients left with Streamer still installed.

I am thinking you should be able to Uncheck “Enable And Deploy Splashtop For Assets On This Policy” in the Policy. Hit Save. It will uninstall from all assets tied to the policy. But that may be more complicated if you have overlapping policies with Splashtop enabled.

Wait a bit and then re-enable it. To force a reinstall.

This also won’t get assets that are offline.

I just ran a script I had to download the latest Streamer and update. It was only a handful since I’m mostly using the more reliable ScreenConnect.

Syncro will not remove Splashtop for any reason. The Streamer is shared amongst all their versions, so Syncro has no way of knowing if it installed it or it was installed via some other manner. Here’s my script for uninstalling.

Import-Module $env:SyncroModule
$workingdir = "c:\temp"
$url = "https://my.splashtop.com/csrs/win"
$file = "$($workingdir)\streamer.exe"

# Test if the working directory exist
    If(!(test-path $workingdir))
        {
        New-Item -ItemType Directory -Force -Path $workingdir
        }

# Download
    Invoke-WebRequest -Uri $url -OutFile $file

# Install
        start-process -wait -Filepath $file -ArgumentList "msiexec /qn /x setup.msi"
        Start-Sleep -s 3
        Write-Host "Deleting Installer"
        Remove-Item -path $file