Wednesday 5 July 2017

Multiple Vulnerabilities in Pre-installed Software Expose Dell Systems to Hacking



Security vulnerabilities in pre-installed software expose Dell systems to code execution attacks which allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.

CVE-2016-9038

The first vulnerability in Invincea-X, Dell Protected Workspace 6.1.3-24058, tracked as CVE-2016-9038, is a double fetch in the SboxDrv.sys driver. An attacker can exploit the flaw by sending crafted data to the \Device\SandboxDriverApi device driver which is read/write accessible to everyone. The attacker can exploit the issue to write an arbitrary value to kernel memory space in order to gain local privilege escalation.

CVE-2016-8732

The second flaw, tracked as CVE-2016-8732, affects Invincea Dell Protected Workspace version 5.1.1-22303, a security solution for endpoints. The vulnerability was found in one of the driver components, ‘InvProtectDrv.sys’, version 5.1.1-22303, and is fixed in version 6.3.0.

According to Talos, the flaws exist within one of the driver components, ‘InvProtectDrv.sys’, which is included in version 5.1.1-22303 of this security software. Weak restrictions on the driver communications channel and insufficient validation could allow an attacker-controlled application executed on an affected system to leverage the driver to disable protection mechanisms.

CVE-2017-2802

A third flaw, tracked as CVE-2017-2802, affects the Dell Precision Optimizer application and could lead to the execution of arbitrary code. The vulnerability affects the Dell Precision Tower 5810 with nVidia graphics cards, PPO Policy Processing Engine 3.5.5.0, and ati.dll (PPR Monitoring Plugin) 3.5.5.0.

An attacker could supply a malicious DLL with the same name as “atiadlxx.dll” in one of the directories specified by the PATH environment variable to achieve arbitrary code execution. The security implications of the flaws are serious because Invincea Dell Protected Workspace is an application commonly deployed to secure workstations within high-security environments.

The vulnerability exists in PPR Monitoring Plugin 3.5.5.0; versions from v4.0 onward are not vulnerable.
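
To see where a DLL of that name could be picked up from, a defender can walk PATH and flag entries outside admin-controlled locations. The script below is an added example, not code from Talos or Dell; the trusted-root list, the issue labels and the demo directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

def audit_path_for_dll(dll_name, path_value, trusted_roots):
    """Flag PATH entries that could supply dll_name from outside trusted_roots."""
    roots = [os.path.normcase(os.path.abspath(r)) for r in trusted_roots]
    findings, seen = [], set()
    for raw in path_value.split(os.pathsep):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        directory = os.path.normcase(os.path.abspath(entry))
        if directory in seen:
            continue
        seen.add(directory)
        if any(directory == r or directory.startswith(r + os.sep) for r in roots):
            continue  # assumed admin-controlled, so not reported
        if not os.path.isdir(directory):
            issue = "missing-dir"   # stale entry: whoever can create it controls it
        elif any(n.casefold() == dll_name.casefold() for n in os.listdir(directory)):
            issue = "dll-present"   # a copy already sits outside the trusted roots
        elif os.access(directory, os.W_OK):
            issue = "writable-dir"  # the current user could place a file here
        else:
            continue
        findings.append((issue, directory))
    return findings

def demo():
    """Run the audit over a constructed directory layout (not real system paths)."""
    base = tempfile.mkdtemp()
    layout = {"system": True, "tools": True, "scratch": False}  # name -> holds the DLL?
    for name, has_dll in layout.items():
        os.mkdir(os.path.join(base, name))
        if has_dll:
            open(os.path.join(base, name, "ATIADLXX.DLL"), "wb").close()
    entries = [os.path.join(base, n) for n in ("system", "tools", "scratch", "gone")]
    found = audit_path_for_dll("atiadlxx.dll", os.pathsep.join(entries),
                               trusted_roots=[entries[0]])
    return [(issue, os.path.basename(d)) for issue, d in found]

if __name__ == "__main__":
    for issue, name in demo():
        print(issue, name)
```

On Windows, `os.access` does not evaluate NTFS ACLs, so treat "writable-dir" as a prompt to inspect the directory's permissions rather than a final verdict.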

Talos recommends that organizations using affected versions of this solution update to the latest version as quickly as possible to ensure that the protections provided by this software cannot be bypassed by an attacker. Organizations need to carefully consider the risks and benefits of software bundled with devices. In any case, it is important to carefully assess any pre-installed software so that flaws affecting it cannot be exploited by attackers.
