Headline
CVE-2021-42110: CVE-2021-42110
An issue was discovered in Allegro Windows (formerly Popsy Windows) before 3.3.4156.1. A standard user can escalate privileges to SYSTEM if the FTP module is installed, because of DLL hijacking.
Abstract Advisory Information
The FTP module, which is not installed by default, is prone to a DLL hijacking attack allowing a standard user account to execute command with the highest privileges as NT AUTHORITYSYSTEM
Author: Dominique Righetto
Version affected
Name: Allegro Windows
Versions: 3.3.4152.0 and under
Common Vulnerability Scoring System
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Patches
Allegro Windows version 3.3.4156.1
References
- https://www.allegro.be/fr/windows
- PATCH : https://www.allegro.be/fr/windows/support
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42110
Vulnerability Disclosure Timeline
- 19/08/2021: Vulnerability discovery
- 19/08/2021: Vulnerability Report to CERT-XLM
- 08/10/2021: Vulnerability Report to Vendor
- 13/10/2021: Call with the vendor to clarify fix solutions + given PoC video
- 08/10/2021: Request CVE IDs to Mitre
- 08/10/2021: CVE IDs assigned Use CVE-2021-42110
- 12/10/2021: Call with the vendor to discuss the possible fix solutions
- 29/11/2021: Expected Vulnerability disclosure
Find more vulnerabilities in our Security Advisory section.
Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookie or allow them for a better browsing experience. For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT