CVE-2022-47578: Vulnerability Disclosure - Business Logic: Unauthorised Data Exfiltration Bypassing DLP @ Zoho Device Control Plus

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system.


Status: Open (as of 17-Dec-2022)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 7.1 (High Severity)

Impacted Component: Device Control Plus (Desktop App)

Assumption: The enterprise wants to block USB access (to stop employees stealing sensitive documents and to prevent accidental ingestion of malware) and has implemented a complete restriction of removable USB media plus an audit trail to capture any violations.

Vulnerability Description: Despite a complete restriction being configured for any USB pendrive, USB HDD, memory card, mobile device, etc., the restriction can be bypassed by passing the USB device through to a virtual machine (VM), after which files can be exchanged with the outside world. A VM can be created by any employee (even without admin rights) and is very difficult for an IT team to block, which makes data exfiltration over USB very easy. The same restriction is also bypassed by booting into Safe Mode, where the agent does not start (see Method 2 below).

Impact:
Loss of data confidentiality and integrity: sensitive information can be stolen, and malware or arbitrary code can be brought onto the system. This defeats the whole purpose of data loss prevention via USB restriction.

Exploitability Rationale:
The user (attacker) may have admin or non-admin privileges. No logs are created, since the base OS (and therefore the agent) has no control over what happens inside the VM, and in Safe Mode the agent is not running at all; this also makes forensic results inaccurate. (Verified on Windows 10; applicable to all *nix and Windows machines.)

Steps to Reproduce:

Method 1 (virtual machine):

  1. Install any VM (hypervisor) on the host where the USB restriction is enforced.
  2. Attach the USB device to that VM (USB pass-through).
  3. Share a drive or folder of the host machine with the VM.
  4. Copy files in either direction between the host share and the USB device from inside the VM.

Method 2 (Safe Mode):

  1. Hold the Shift key while the OS boots (no admin rights needed), or from an elevated cmd.exe run: C:\Windows\System32\bcdedit.exe /set safeboot network
  2. Reboot; Windows starts in Safe Mode, where the USB restriction agent does not start.
  3. Log in as an admin or non-admin user and connect the USB drive.
  4. Copy files in either direction between the system and the USB drive.
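The two methods above leave different traces. As an added example (editor's code, not part of the advisory and not Zoho's product), the following read-only PowerShell script checks a Windows 10 endpoint for both conditions: whether the current session is a Safe Mode boot (Method 2), whether someone has persisted a safeboot entry in the BCD for the next reboot, and whether a hypervisor is installed or running on the host (Method 1). It assumes an elevated shell (bcdedit and the optional-feature query need it) and uses the well-known default process, driver and feature names for VirtualBox, VMware Workstation/Player, QEMU and Hyper-V.

```powershell
# Added example (editor's code, not the advisory's and not Zoho's): read-only checks a
# defender can run on a Windows 10 endpoint to spot the two bypass paths above.
# Assumptions: elevated PowerShell; process/driver/feature names are the well-known
# defaults for VirtualBox, VMware Workstation/Player, QEMU and Hyper-V.

Set-StrictMode -Version Latest

# 1. Current boot mode. GetSystemMetrics(SM_CLEANBOOT): 0 = normal, 1 = Safe Mode,
#    2 = Safe Mode with Networking. Cross-checked against WMI BootupState, which reads
#    "Normal boot", "Fail-safe boot" or "Fail-safe with network boot".
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
'@
$SM_CLEANBOOT = 67
$cleanBoot    = [Win32.NativeMethods]::GetSystemMetrics($SM_CLEANBOOT)
$bootupState  = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
$bootMode     = switch ($cleanBoot) {
    0 { 'Normal' } 1 { 'SafeMode' } 2 { 'SafeModeNetworking' } default { "Unknown($cleanBoot)" }
}

# 2. Persisted Safe Mode boot (Method 2 via bcdedit). A "safeboot Minimal|Network" line
#    under {current} means the next reboot lands in Safe Mode without the agent.
#    The Shift-at-boot route leaves no BCD trace, so check 1 is the only runtime tell for it.
$bcdOutput         = (& bcdedit.exe /enum '{current}' 2>&1) -join "`n"
$safebootPersisted = [bool]($bcdOutput -match '(?im)^\s*safeboot\s+(Minimal|Network)\s*$')

# 3. Hypervisors on the host (Method 1). Running processes catch an active VM;
#    kernel drivers and the Hyper-V feature catch an installed product with no VM running.
$vmProcessNames = @('VirtualBox', 'VirtualBoxVM', 'VBoxHeadless',
                    'vmware', 'vmware-vmx', 'qemu-system-x86_64', 'vmwp')
$vmDriverNames  = @('VBoxDrv', 'vmx86')          # VirtualBox, VMware Workstation/Player

$vmProcesses = Get-Process | Where-Object { $vmProcessNames -contains $_.ProcessName }
$vmDrivers   = Get-CimInstance -ClassName Win32_SystemDriver |
               Where-Object { $vmDriverNames -contains $_.Name }
$hyperV      = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' `
               -ErrorAction SilentlyContinue
$hyperVState = if ($hyperV) { [string]$hyperV.State } else { 'absent or not queryable' }

$report = [pscustomobject]@{
    BootMode           = $bootMode
    BootupStateWmi     = $bootupState
    SafebootPersisted  = $safebootPersisted
    RunningVmProcesses = @($vmProcesses | ForEach-Object { '{0}:{1}' -f $_.ProcessName, $_.Id }) -join ', '
    InstalledVmDrivers = @($vmDrivers   | ForEach-Object { '{0}={1}' -f $_.Name, $_.State }) -join ', '
    HyperVFeature      = $hyperVState
}
$report | Format-List

if ($cleanBoot -ne 0) {
    Write-Warning 'Endpoint is in Safe Mode: agent-enforced USB restrictions are NOT in effect.'
}
if ($safebootPersisted) {
    Write-Warning 'BCD {current} has a safeboot entry; clear it with: bcdedit /deletevalue {current} safeboot'
}
if ($vmProcesses -or $vmDrivers -or ($hyperV -and $hyperV.State -eq 'Enabled')) {
    Write-Warning 'A hypervisor is present; USB pass-through to a guest bypasses the host agent.'
}
```

Run it from the agent's own scheduled task or from the EDR's script-execution channel so that a Safe Mode session or a freshly installed hypervisor is reported centrally; on the endpoint itself, a user who booted into Safe Mode to defeat the agent is unlikely to run the check.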

Takeaways:

Be prepared for the many tricks that client-side security controls invite; there is no silver bullet for this class of issue.

To make bypasses at least a little harder, track the data bus at a very low level (for example, a filter driver that sees transfers to/from USB regardless of which process or VM issues them), or put a VM provisioning scheme in place so that only approved users can create and run VMs on managed endpoints.
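One concrete hardening step against Method 2, as an added example (editor's code, not Zoho's): Windows starts in Safe Mode only the services and drivers allow-listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and ...\Network, as a subkey named after the service whose default value is "Service" (or "Driver" for a kernel driver). Registering the DLP agent there is the same mechanism antivirus products use to stay active in Safe Mode. The service and driver names below are placeholders (an assumption, not the product's real names); look the real ones up with Get-Service and Get-CimInstance Win32_SystemDriver on an endpoint with the agent installed. The script requires an elevated PowerShell.

```powershell
# Added example (editor's code, not Zoho's): allow-list a DLP agent service and its
# USB filter driver so Windows starts them in Safe Mode (Minimal and Network).
# Assumptions: elevated PowerShell; 'DlpAgentService' and 'DlpUsbFilter' are
# placeholder names, not the real service/driver names of the product.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Set-SafeBootAllowlist {
    param(
        [string[]]$ServiceNames = @('DlpAgentService'),   # placeholder
        [string[]]$DriverNames  = @('DlpUsbFilter')        # placeholder
    )
    # Services need default value "Service", kernel drivers need "Driver".
    $entries = @{}
    $ServiceNames | ForEach-Object { $entries[$_] = 'Service' }
    $DriverNames  | ForEach-Object { $entries[$_] = 'Driver' }

    foreach ($mode in 'Minimal', 'Network') {
        foreach ($name in $entries.Keys) {
            $key = Join-Path (Join-Path $SafeBootRoot $mode) $name
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name '(default)' -Value $entries[$name]
        }
    }
}

function Test-SafeBootAllowlist {
    # One row per (mode, name) so a compliance check can flag a missing entry.
    param([string[]]$Names = @('DlpAgentService', 'DlpUsbFilter'))   # placeholders
    foreach ($mode in 'Minimal', 'Network') {
        foreach ($name in $Names) {
            $key   = Join-Path (Join-Path $SafeBootRoot $mode) $name
            $value = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
            [pscustomobject]@{ Mode = $mode; Name = $name; Present = [bool]$value; Type = $value }
        }
    }
}

Set-SafeBootAllowlist
Test-SafeBootAllowlist | Format-Table -AutoSize
```

Two caveats. The agent's service must be able to run without the services Safe Mode leaves stopped (in Minimal mode there is no networking, so policy enforcement has to work from the locally cached policy and report violations after the next normal boot). And a local administrator can simply delete these keys, so this raises the bar for non-admin users and the Shift-at-boot route; for admin users the audit trail of the registry change is what remains.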
