A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

**CWE**

CWE-259 - Use of Hard-coded Password

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers the telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
      infactory      -- factory mode
    Router> 
    

A low-privileged user can login into this service. The Router console contains a command, called infactory. This functionality will request a password; if correct, a menu with several functions is accessed.

The infactory_command:

    undefined4 infactory_command(undefined4 param_1,char *provided_password)
    
    {
     [...]
    
      if ((provided_password == (char *)0x0) || (*provided_password == '\0')) {
        provided_password = password_in_stack;
        uVar2 = get_help_string("input_pass");
        get_pass_wrap(uVar2,provided_password,0x40);
      }
      aes_decrypt_str(<REDACTED>,0x40,decrypted_password,0x80);                                             [1]
      password_len = strlen(decrypted_password);
      iVar1 = strncmp(decrypted_password,provided_password,password_len);                                   [2]
      if (iVar1 == 0) {
        change_view(view_cursor,&view_infactory);                                                           [3]
        return 0;
      }
      [...]
    }
    

This function will first, at [1], decrypt a hard-coded hex encoded string. Then, if the comparison between the described string and the provided password, at [2], returns zero, meaning the two string are equal, then the code at [3] will be reached. Then the “view” will be changed, which means that the available commands will change.

The aes_decrypt_str:

    undefined4 aes_decrypt_str(char *data,uint data_len,char *output_buff)
    {
      [...]
      IV._0_4_ = 0;
      IV._4_4_ = 0;
      IV._8_4_ = 0;
      IV._12_4_ = 0;
      if ((data_len & 0x1f) == 0) {
        __size = (int)data_len / 2;
        data_bin = malloc(__size);
        if (data_bin == (void *)0x0) {
          syslog(3,"out of memory!");
          uVar1 = 0xffffffff;
        }
        else {
          str2bin(data,__size,data_bin);
          AES_set_key(AES_key,<REDACTED>,128);                                                              [4]
          uVar1 = IH_AES_cbc_encrypt(AES_key,data_bin,output_buff,__size,IV,0);
          free(data_bin);
        }
      }
      [...]
    }
    

The hard-coded data provided at [1] are decrypted, at [4], using AES with a hard-coded key. An attacker, in possession of low-privileged user credentials, would be able to access the infactory functionalities.

**Exploit Proof of Concept**

Using the infactory command and providing the correct password will list the infactory functionalities:

    Router> infactory
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      exit           -- exit current mode/console
      reboot         -- reboot system
      factory-model  -- hardware model configure
      modem          -- modem test
      reset-key      -- check the status of the reset button
      com            -- detecting serial ports
      port           -- FCT network port test
      net            -- complete machine network port test
      led            -- LED lights test
      wlan           -- Wi-Fi test
      mem            -- check memory
      hw_wdg         -- check the hardware watchdog status
      dio            -- detect digital I/O
      stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-28 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-27172: TALOS-2022-1496 || Cisco Talos Intelligence Group

Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.1 IPU - Intel® Processor Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21151  

Description: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

10th Generation Intel® Core™ Processor Family

Mobile

706E5

80

Intel® Pentium® Processor Silver Series

Intel® Celeron® Processor J Series

Intel® Celeron® Processor N Series"

Desktop

Mobile

706A1

01

8th Generation Intel® Core™ Processor Family

Desktop

906EB

02

8th Generation Intel® Core™ Processors

Mobile

806EC

94

10th Generation Intel® Core™ Processor Family

Desktop

Mobile

A0653

A0655

AO661

806EC

22

02

80

94

6th Generation Intel® Core™ Processor Family

Desktop

Mobile

506E3

406E3

36

C0

7th Generation Intel® Core™ Processor Family

Desktop

Mobile

906E9

806E9

2A

C0

9th Generation Intel® Core Processor Family

Desktop

A0671

02

3rd Generation Intel® Xeon® Scalable Processors

Server

606AX

0x87

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues. 

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode: 

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

This CVE requires a Microcode Security Version Number (SVN) update. To address this issue, an SGX TCB recovery is planned for Q2 2022. Customers will require the microcode update to get successful attestation responses. For customers using the Intel Attestation Service (IAS), the IAS Development Environment (DEV) will enforce the microcode and software updates beginning June 21, 2022 and the IAS Production Environment (LIV) will enforce the updates beginning July 19, 2022.

For customers that are not using IAS, but instead are constructing their own attestation infrastructure using the Intel® SGX Provisioning Certificate Service (PCS), updated Endorsements/Reference Values (i.e., PCK Certificates and verification collateral) will be available June 28, 2022. These customers decide when to enforce the microcode and software update, as part of their Appraisal Policies.

Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

Further TCB Recovery Guidance for developers is available. 

**Acknowledgements:**

This issue was found internally by Intel employees. Intel would like to thank Alysa Milburn, Jason Brandt, Avishai Redelman, Nir Lavi for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

1.1

06/13/2022

Updated Recommendations

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21151: INTEL-SA-00617

Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC Firmware Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® NUCs may allow escalation of privilege.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-24382

Description: Improper input validation in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-24297

Description: Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-21237

Description: Improper buffer access in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® NUC products with BIOS before version listed in table below are affected:

Product

BIOS Fixed Version Download Link

Intel® NUC M15 Laptop Kit - LAPBC510, LAPBC710

BCTGL357.0065

Intel® NUC X15 Laptop Kits - LAPKC71F, LAPKC71E, LAPKC51E

KCTGL357.0040

Intel® NUC Extreme Compute Element NUC11DBBi9 and NUC11DBBi7, and Intel® NUC 11 Extreme Kit NUC11BTMi7 and NUC11BTMi9

DBTGL579.0055

Intel® NUC 11 Compute Element CM11EBC4W, CM11EBi38W, CM11EBi58W, CM11EBi716W

EBTGL357.0057

Intel® NUC Kits NUC11PAQ, NUC11PAH, NUC11PA

PATGL357.0042

Intel® NUC Boards/Kits NUC11TN\[x\]i3, NUC11TN\[x\]i5, NUC11TN\[x\]i7

TNTGL357.0059

Intel® NUC11PHKi7C, NUC11PHKi7CAA

PHTGL579.0064

Intel® NUC 9 Pro Compute Element - NUC9V7QNB, NUC9VXQNB

Intel® NUC 9 Pro Kit - NUC9V7QNX, NUC9VXQNX

QNCFLX70.0064

Intel® NUC9i5QN, NUC9i7QN, NUC9i9QN

QXCFL579.0064

Intel® NUC Kits NUC8i3CYSM and NUC8i3CYSN

CYCNLi35.86A.0050

Intel® NUC 8 Compute Element CM8CCB, CM8i3CB, CM8i5CB, CM8i7CB, CM8PCB

CBWHL.0095

Intel® NUC Kit NUC8i7BE, NUC8i5BE, and NUC8i3B

BECFL357.0089

**Recommendations:**

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

Updates are available for download at the locations listed in the provided table above.

**Acknowledgements:**

Intel would like to thank Yngweijw (CVE-2022-24382) and Dmitry Frolov (CVE-2022-24297, CVE-2022-21237) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-24297: INTEL-SA-00654

Uncontrolled search path in the Intel(R) XTU software before version 7.3.0.33 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® XTU Advisory**

**Summary: **

A potential security vulnerability in the Intel® Extreme Tuning Utility (XTU) software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-22139

Description: Uncontrolled search path in the Intel(R) XTU software before version 7.3.0.33 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® XTU software before version 7.3.0.33.

**Recommendations:**

Intel recommends updating the Intel® XTU software to version 7.3.0.33 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/17881/intel-extreme-tuning-utility-intel-xtu.html

**Acknowledgements:**

Intel would like to thank Marius Gabriel Mihai for reporting this issue.

Intel and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-22139: INTEL-SA-00663

Observable behavioral discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processor Speculative Cross Store Bypass Advisory**

**Summary: **

A potential security vulnerability in Intel® Processors may allow information disclosure.  Intel is releasing prescriptive guidance to address this potential vulnerability.

**Vulnerability Details:**

CVEID:  CVE-2021-33149

Description: Observable behavioral discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

**Affected Products:  
**

All Intel® Processor families.

**Recommendations:**

Intel is releasing prescriptive guidance to mitigate this issue.

_Prescriptive guidance:_ Intel recommends that any potential gadget utilize an LFENCE after loads that should observe writes from another thread to the same shared memory address.

**Acknowledgements:**

Intel would like to thank Danping Li and Ziyuan Zhu from Institute of Information Engineering, Chinese Academy of Sciences for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33149: INTEL-SA-00648

An exploitable use-after-free vulnerability exists in WPS Spreadsheets ( ET ) as part of WPS Office, version 11.2.0.10351. A specially-crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Summary**

An exploitable use-after-free vulnerability exists in WPS Spreadsheets ( ET ) as part of WPS Office, version 11.2.0.10351. A specially-crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Tested Versions**

WPS Office 11.2.0.10351

**Product URLs**

WPS Office - https://www.wps.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-416 - Use After Free

**Details**

WPS Office previously known as a Kingsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that can be used for various purposes. Such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing, and so on.

A specially-crafted XLS file written in a proper form of HTML/XML tags can lead to a use-after-free vulnerability and remote code execution. Let us run our malformed xls file in ET.exe using debugger:

    (6a4.1674): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 6E147E:0
    eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
    eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
    
    
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
    01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
    02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Looks like execution flow has been redirected into a non-executable area:

    0:011> !address 0228282b
    
    Usage:                  <unknown>
    Base Address:           02270000
    End Address:            022da000
    Region Size:            0006a000 ( 424.000 kB)
    State:                  00001000          MEM_COMMIT
    Protect:                00000004          PAGE_READWRITE
    Type:                   00020000          MEM_PRIVATE
    Allocation Base:        02270000
    Allocation Protect:     00000001          PAGE_NOACCESS
    

Let’s check the memory content: 0:011> db 02282828 02282828 74 00 61 00 62 00 6c 00-65 00 00 00 74 00 62 00 t.a.b.l.e…t.b. 02282838 6f 00 64 00 79 00 00 00-74 00 66 00 6f 00 6f 00 o.d.y…t.f.o.o. 02282848 74 00 00 00 74 00 68 00-65 00 61 00 64 00 00 00 t…t.h.e.a.d… 02282858 6c 00 6f 00 63 00 6b 00-00 00 00 00 70 00 61 00 l.o.c.k…..p.a. 02282868 74 00 68 00 00 00 00 00-73 00 6b 00 65 00 77 00 t.h…..s.k.e.w. 02282878 00 00 00 00 67 00 72 00-6f 00 75 00 70 00 00 00 ….g.r.o.u.p… 02282888 6f 00 76 00 61 00 6c 00-00 00 00 00 63 00 75 00 o.v.a.l…..c.u. 02282898 72 00 76 00 65 00 00 00-72 00 67 00 62 00 28 00 r.v.e…r.g.b.(. 0:011> du 02282828 02282828 “table”

We can clearly see that indeed program execution ended in a non executable area (data). When we take a few steps back to see the moment of a code execution redirection we see the following code:

    0:011> r
    eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
    eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
    5f06dfae 8b5d08         mov     ebx, dword ptr [ebp+8]
    5f06dfb1 8bcb           mov     ecx, ebx
    5f06dfb3 8b03           mov     eax, dword ptr [ebx]	
    5f06dfb5 ff5034         call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
    

Looks like a typical call to one of the virtual functions. It is highly probable that the object has been released before and a vftable pointer 0228bed0 has been overwritten. Setting a write access breakpoint on 0228bed0, let’s execute our software again:

    0:011> g-
    Breakpoint 0 hit
    Time Travel Position: 6E1064:A7
    eax=0228bea0 ebx=0228bed0 ecx=00a6e000 edx=0000000b esi=01437c70 edi=06cd5a98
    eip=6a437c7d esp=0d4eec08 ebp=0d4eec14 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    kso!mfxGlobalFree2+0x5d:
    6a437c7d 8b4704          mov     eax,dword ptr [edi+4] ds:002b:06cd5a9c=00000055
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 0d4eec14 5f06d818     0000000b 00000030 1ccb5c03 kso!mfxGlobalFree2+0x5d
    01 0d4eec3c 5f0b649f     1ccb5c53 0d4ef078 07ba5174 html2!html2::HtmCreator::createXmlNodesRef+0x4f8
    02 0d4eec6c 5f0c22c0     07ba5174 0d4eef38 0d4eef38 html2!html2::StrIdSet::gainLower+0xbf
    03 0d4eec90 5f0c8d34     022812e0 07b60f01 5f0c90f0 html2!html2::ParserContext::urlStack+0xac00
    04 0d4eeca4 5f0c8a47     022812e0 00000000 07b60f01 html2!html2::ParserContext::urlStack+0x11674
    05 0d4eecd0 5f0c6dfc     022812e0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x11387
    06 0d4eecf8 5f0c8a96     00020000 00000001 0d4ef3f4 html2!html2::ParserContext::urlStack+0xf73c
    07 0d4eed20 5f0c6dfc     022812f0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x113d6
    08 0d4eed48 5f0c7c40     00084404 00000000 00000000 html2!html2::ParserContext::urlStack+0xf73c
    09 0d4eed70 5f0c4d7c     022812f0 00000000 00000001 html2!html2::ParserContext::urlStack+0x10580
    0a 0d4eed90 5f0b24da     022812f0 00000000 07ba6ff0 html2!html2::ParserContext::urlStack+0xd6bc
    0b 0d4eedc8 5f0b32f0     07b6b670 07b15e70 0d4ef668 html2!html2::HtmDocument::topBoxs+0x197a
    0c 0d4eee00 5f0b2271     1ccb5e07 07b6b670 0d4eef38 html2!html2::HtmDocument::topBoxs+0x2790
    0d 0d4eee38 5f0cb8c5     00000003 0074683c 0d4eef38 html2!html2::HtmDocument::topBoxs+0x1711
    0e 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 html2!html2::ParserContext::urlStack+0x14205
    0f 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    10 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    11 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    12 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    13 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    14 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    15 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    16 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    17 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Our hypothesis has been confirmed. What’s important for us here is that the object has been released via a call to kso!mfxGlobalFree2. If we track its allocation :

    dx -r1 -g @$cursession.TTD.Calls("kso!mfxGlobalAlloc2").Where( x => x.ReturnValue == `0x0228bed0`)
    

We get additional information that our object represents a table:

    .text:5F06CEF0 public: static struct html2::HtmTable * __cdecl html2::HtmCreator::createHtmTableAlt(void) proc near
    .text:5F06CEF0                 push    30h ; '0'
    .text:5F06CEF2                 call    mfxGlobalAlloc2
    .text:5F06CEF7                 mov     dword ptr [eax], offset const html2::HtmTableAltImpl::`vftable'
    .text:5F06CEFD                 mov     dword ptr [eax+4], 0
    .text:5F06CF04                 mov     dword ptr [eax+8], 0
    .text:5F06CF0B                 mov     dword ptr [eax+0Ch], 0
    .text:5F06CF12                 mov     dword ptr [eax+10h], 0
    .text:5F06CF19                 mov     dword ptr [eax+14h], 0
    .text:5F06CF20                 mov     dword ptr [eax+18h], 0
    .text:5F06CF27                 mov     dword ptr [eax+1Ch], 0
    .text:5F06CF2E                 mov     dword ptr [eax+20h], 0
    .text:5F06CF35                 mov     dword ptr [eax+24h], 0
    .text:5F06CF3C                 mov     dword ptr [eax+28h], 0
    .text:5F06CF43                 mov     word ptr [eax+2Ch], 0
    .text:5F06CF49                 retn	
    
    0:011> r
    eax=`0228bed0` ebx=07ba51b4 ecx=0228bed0 edx=00000037 esi=07ba51b4 edi=079b1810
    eip=5f06cef7 esp=0d4eebf0 ebp=0d4eec68 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    html2!html2::HtmCreator::createHtmTableAlt+0x7:
    5f06cef7 c700b0be105f    mov     dword ptr [eax],offset html2::HtmTableAltImpl::`vftable' (5f10beb0) ds:002b:0228bed0=0228bf00	
    

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and as a result could allow it to be turned into arbitrary code execution.

**Crash Information**

    (6a4.1674): Break instruction exception - code 80000003 (first/second chance not available)
    Time Travel Position: 6E147D:7D
    eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
    eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
    5f06dfb5 ff5034          call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
    0:011> g
    (6a4.1674): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 6E147E:0
    eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
    eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
    01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
    02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    0:011> lmDvmet
    Browse full module list
    start    end        module name
    00d20000 00e6b000   et         (export symbols)       et.exe
        Loaded symbol image file: et.exe
        Mapped memory image file: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
        Image path: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
        Image name: et.exe
        Browse all global symbols  functions  data
        Timestamp:        Sat Oct 23 14:16:30 2021 (6173FD1E)
        CheckSum:         00153DB1
        ImageSize:        0014B000
        File version:     11.2.0.10351
        Product version:  11.2.0.10351
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        0.0 Unknown
        File date:        00000000.00000000
        Translations:     0000.04b0
        Information from resource tables:
            CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
            ProductName:      WPS Office
            InternalName:     et
            OriginalFilename: et.exe
            ProductVersion:   11,2,0,10351
            FileVersion:      11,2,0,10351
            FileDescription:  WPS Spreadsheets
            LegalCopyright:   Copyright©2021 Kingsoft Corporation. All rights reserved.
    

**Vendor Response**

For international edition: https://www.wps.com/office/windows/ For domestic personal edition: https://official-package.wpscdn.cn/wps/download/WPS\_Setup\_11691.exe For enterprise edition: https://wps-cn-ep.ks3-cn-beijing.ksyun.com/wps/download/ep/WPS2019/WPSPro\_11.8.2.11542.exe If you need to get the WPS official disclosure about the vulnerability, you can visit this link: https://security.wps.cn/notices/28

https://official-package.wpscdn.cn/wps/download/WPS\_Setup\_11691.exe

**Timeline**

2021-11-18 - Vendor disclosure  
2021-12-15 - 30 day follow up  
2022-01-07 - 60 day follow up  
2022-01-13 - Reissued copies of advisories to vendor per request  
2022-04-02 - Talos granted disclosure extension  
2022-05-02 - Vendor patched  
2022-05-09 - Public Release  

Discovered by Marcin "Icewall" Noga of Cisco Talos.

CVE-2021-40399: TALOS-2021-1412 || Cisco Talos Intelligence Group

Insufficient control flow management in the Intel(R) Advisor software before version 7.6.0.37 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Advisor Advisory**

**Summary: **

A potential security vulnerability in the Intel® Advisor software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21128

Description: Insufficient control flow management in the Intel(R) Advisor software before version 7.6.0.37 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Advisor software before version 7.6.0.37.

**Recommendations:**

Intel recommends updating the Intel® Advisor software to version 7.6.0.37 or later.

Updates are available for download at these locations: Intel® Advisor is available as a standalone installation and as part of the Intel® oneAPI Base Toolkit.

**Acknowledgements:**

The following issue was found internally by an Intel employee.  Intel would like to thank Alexey Murashov.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21128: INTEL-SA-00661

Improper access control for some Intel(R) Xeon(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.1 IPU - Intel® Xeon® Advisory**

Intel ID:

INTEL-SA-00616

Advisory Category:

Firmware

Impact of vulnerability:

Denial of Service, Information Disclosure

Severity rating:

LOW

Original release:

05/10/2022

Last revised:

05/10/2022

**Summary:**

Potential security vulnerabilities in some Intel® Xeon® Processors may allow information disclosure or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-21131

Description: Improper access control for some Intel(R) Xeon(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2022-21136

Description: Improper input validation for some Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 2.7 Low

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

**Affected Products:**

**Processor**

**CPU ID**

**CVE**

Intel® Xeon Scalable Processors

50653, 50654

CVE-2022-21131, CVE-2022-21136

Intel® Xeon® D-2100 Processor

50654

CVE-2022-21131, CVE-2022-21136

2nd Generation Intel® Xeon® Scalable Processors

50656, 50657

CVE-2022-21131

Intel® Core™ i9, 79xxX, 78xxX

50654

CVE-2022-21131, CVE-2022-21136

**Recommendations:  
**

Intel recommends that users of Intel® Xeon Processors update to the latest version provided by the system manufacturer that addresses these issues

**Acknowledgements:**

CVE-2022-21136 issue was found internally by Intel employees, CVE-2022-21131was found externally.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21131: INTEL-SA-00616

An out of bounds read vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.7.7. A specially-crafted PE file can trigger this vulnerability to cause denial of service and termination of malware scan. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An out of bounds read vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.7.7. A specially-crafted PE file can trigger this vulnerability to cause denial of service and termination of malware scan. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

ESTsoft Alyac 2.5.7.7

**Product URLs**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 Score**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**Details**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

There exists a vulnerability in a module called coen.aym used by Alyac when scanning PE executable files. Module coen.aym is reponsible for loading different engines and modules for handling archive formats and initiating the scan. the

While parsing the malformed PE executable file, function sub_180086C30 is called. This function tries to locate the section header of .text section by parsing the PE file. At \[1\] below, rax register stores the address of the PE\0\0 signature.

    .text:0000000180086C69 loc_180086C69:                          ; CODE XREF: sub_180086C30+24↑j
    .text:0000000180086C69                                         ; sub_180086C30+2A↑j
    .text:0000000180086C69                 mov     rax, [rdi+10h]                                   [1]
    .text:0000000180086C6D
    .text:0000000180086C6D loc_180086C6D:                          ; DATA XREF: .rdata:0000000180405CAC↓o
    .text:0000000180086C6D                                         ; .rdata:0000000180405CC8↓o ...
    .text:0000000180086C6D                 mov     [rsp+28h+arg_0], rbx
    .text:0000000180086C72                 xor     ebx, ebx
    .text:0000000180086C74                 mov     [rsp+28h+arg_8], rsi
    .text:0000000180086C79                 mov     [rsp+28h+arg_10], r14
    .text:0000000180086C7E                 cmp     bx, [rax+6]     ; Number of sections             [2]
    .text:0000000180086C82                 jnb     short loc_180086CC1
    .text:0000000180086C84                 mov     r14d, ecx
    .text:0000000180086C87                 nop     word ptr [rax+rax+00000000h]
    .text:0000000180086C90
    .text:0000000180086C90 loc_180086C90:                          ; CODE XREF: sub_180086C30+8F↓j
    .text:0000000180086C90                 lea     rcx, [rbx+rbx*4]
    .text:0000000180086C94                 mov     r8, r14         ; MaxCount
    .text:0000000180086C97                 lea     rsi, ds:0[rcx*8]
    .text:0000000180086C9F                 mov     rdx, rbp        ; String2 ".text"
    .text:0000000180086CA2                 mov     rcx, [rdi+18h]  ;                                [3]
    .text:0000000180086CA6                 add     rcx, rsi        ; String1 SectionHeader->Name
    .text:0000000180086CA9                 call    cs:_strnicmp    ; crash!                         [4]
    .text:0000000180086CAF                 test    eax, eax
    .text:0000000180086CB1                 jz      short loc_180086CDD
    .text:0000000180086CB3                 mov     rax, [rdi+10h]
    .text:0000000180086CB7                 inc     ebx
    .text:0000000180086CB9                 movzx   ecx, word ptr [rax+6]                            
    .text:0000000180086CBD                 cmp     ebx, ecx                                         [5]
    .text:0000000180086CBF                 jb      short loc_180086C90
    

Next, it goes into a loop enumerating each section header to find one with the Name field set as .text. Section table, which follows the PE header, is a list of section headers. Each section header has an 8-byte field at offset +0 to store the name.

RBX register is used as the loop counter, which is initialized to 0. It is compared to the NumberOfSections field in the file header (part of PE header) at \[2,5\] so it does not search beyond number of sections. Inside the loop, the offset to the section header is increased by 40 bytes each iteration, which is equal to the size of the section header. The offset is added to RCX register, which stores the location of the section table from \[3\].

While a check is made to make sure only the specified number of section headers is processed, it doesn’t check if the PE executable file is big enough to store the number of section headers as defined in the file header. So if given a large number of section headers without .text section header, the loop will continue reading until it goes out of bounds of file size, which will eventually cause access violation at \[4\]. This leads to a crash of the Alyac scanning process, which effectively neutralizes the antivirus scan.

**Crash Information**

    0:018> k
    # Child-SP          RetAddr               Call Site
    00 00000053`d1c9e3c8 00007ff8`8b286caf     ucrtbase!_ascii_strnicmp+0xe
    01 00000053`d1c9e3d0 00007ff8`8b23f8ba     coen!Coen_Clean+0x72d1f
    02 00000053`d1c9e400 00007ff8`8b27d32c     coen!Coen_Clean+0x2b92a
    03 00000053`d1c9e4c0 00007ff8`8b27cd06     coen!Coen_Clean+0x6939c
    04 00000053`d1c9e770 00007ff8`8b263534     coen!Coen_Clean+0x68d76
    05 00000053`d1c9e910 00007ff8`8b2191c2     coen!Coen_Clean+0x4f5a4
    06 00000053`d1c9ebb0 00007ff8`8b205a50     coen!Coen_Clean+0x5232
    07 00000053`d1c9ed30 00007ff8`8b213a4a     coen+0x5a50
    08 00000053`d1c9ee70 000001eb`7cddd73e     coen!Coen_ScanHandle+0xba
    09 00000053`d1c9eee0 000001eb`7cdc6907     ecm!GetModuleConfigValue+0x64ae
    0a 00000053`d1c9ef90 000001eb`7cdfa88e     ecm+0x56907
    0b 00000053`d1c9f110 000001eb`7cdd69f0     ecm!GetModuleConfigValue+0x235fe
    0c 00000053`d1c9f1f0 00007ff8`d5632a51     ecm!ScanFile+0x40
    0d 00000053`d1c9f230 00007ff8`d564c219     scn+0x32a51
    0e 00000053`d1c9f350 00007ff8`d564b63f     scn!ForceCloseScan+0xebf9
    0f 00000053`d1c9f850 00007ff8`d564ab3d     scn!ForceCloseScan+0xe01f
    10 00000053`d1c9fa70 00007ff8`eb6c6c0c     scn!ForceCloseScan+0xd51d
    11 00000053`d1c9faa0 00007ff8`ec8654e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    12 00000053`d1c9fad0 00007ff8`edec485b     KERNEL32!BaseThreadInitThunk+0x10
    13 00000053`d1c9fb00 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**Vendor Response**

The product was updated to 2.5.7.7

https://www.estsecurity.com/public/product/alyac

**Timeline**

2022-01-31 - Vendor disclosure  
2022-04-12 - Talos reissued copies of report  
2022-04-29 - Vendor patched  
2022-05-10 - Public Release  

Discovered by Jaewon Min of Cisco Talos.

Tag

#intel