A privilege escalation vulnerability exists in the router configuration import functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A privilege escalation vulnerability exists in the router configuration import functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.4

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

**CWE**

CWE-284 - Improper Access Control

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The inRouter302 offers the possibility to have non-privileged users. These non-privileged users, allegedly, should not be able to perform certain actions. But a non-privileged user is allowed to import the router configuration, through the upload.cgi API, effectively allowing the user to change the privileged user credentials.

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-02 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-21182: TALOS-2022-1472 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the console infactory_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An OS command injection vulnerability exists in the console infactory\_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

    ************************************************
            Welcome to Router console
        Inhand
        Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
        http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
    help           -- get help for commands
    language       -- Set language
    show           -- show system information
    exit           -- exit current mode/console
    ping           -- ping test
    comredirect    -- COM redirector
    telnet         -- telnet to a host
    traceroute     -- trace route to a host
    enable         -- turn on privileged commands
    infactory      -- factory mode
    Router>
    

The infactory command permits, provided the correct password, the access to the factory mode view. This mode permits to change the configuration and perform various tests. The factory mode view:

    Router> infactory 
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
    help           -- get help for commands
    language       -- Set language
    exit           -- exit current mode/console
    reboot         -- reboot system
    factory-model  -- hardware model configure
    modem          -- modem test
    reset-key      -- check the status of the reset button
    com            -- detecting serial ports
    port           -- FCT network port test
    net            -- complete machine network port test
    led            -- LED lights test
    wlan           -- Wi-Fi test
    mem            -- check memory
    hw_wdg         -- check the hardware watchdog status
    dio            -- detect digital I/O
    stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

This mode offers several functionalities. For instance, the net functionality allows to essentially execute a ping command specifying its interface parameter.

The net_functionality:

    undefined4 net_functionality(undefined4 param_1,int args)
    
    {
        [...]
        
        argument_list_ptr[0] = args;
        [...]
        if (argument_list_ptr[0] != 0) {
            first_arg = (char *)maybe_get_next_token(argument_list_ptr);
            if (*first_arg != '\0') {
                is_init = strncmp(first_arg,"init",4);
                if (is_init == 0) {
                    [...]
                }
                is_test = strncmp(first_arg,"test",4);
                if ((is_test == 0) &&
                    (interface = (char *)maybe_get_next_token(argument_list_ptr), 
                    interface != (char *)0x0)) {                                                            [1]
                    max_args = 3;
                    packets_count = 0;
                    timeout_ = 0;
                    target_ip = (char *)0x0;
                    [... here are parsed 3 optional parameters ...]
                    snprintf((char *)&ping_command,0x80,"ping -I %s -c %d -W %d %s",interface,packets_count,
                            timeout,target_ip);                                                             [2]
                    popen_stream = popen((char *)&ping_command,"r");                                        [3]
                    [...]
    }
    

If the first provided argument is test, then the second one, parsed at [1], will be later used at [2] to form the string ping -I <second_arg> -c <packets_count> -W <timeout> <target_ip>. This string will later be used at [3] as argument of the popen function.

The second argument is not properly sanitized, and a command injection can occur at [3]. An attacker, able to reach the net functionality, would be able to obtain a root shell.

**Exploit Proof of Concept**

Provided the command net test ;/bin/sh;, in the factory mode view, a root shell will be obtained:

    Router(factory)# net test ;/bin/sh;
    ping: option requires an argument -- I
    BusyBox v1.26.2 (2022-02-23 16:03:56 CST) multi-call binary.
    
    Usage: ping [OPTIONS] HOST
    help
    Built-in commands:
    ------------------
        . : [ [[ break cd chdir continue echo eval exec exit export false
        hash help history let local printf pwd read readonly return set
        shift source test times trap true type ulimit umask unset wait
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-30 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-26518: TALOS-2022-1501 || Cisco Talos Intelligence Group

A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability.

**Summary**

A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.4

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-377 - Insecure Temporary File

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers, once logged, several APIs. One API is called upload.cgi. This API allows to upload a file and specify the type of file, such as config, modem_upgrade and cert_ca.

The upload.cgi API will execute mainly two functions: upload.cgi_input that will parse the POST request, and upload.cgi_output that will use the parsed input to perform the actual API and return the output, if required. The upload.cgi_input function:

    void upload.cgi_input(char *cgi_filename,uint CONTENT_LENGTH,char *BOUNDARY)
    
    {
      [... several action among which read_buff is filled with the POST content ...]
              filename_provided = strchr(read_buff + 0x26,L'\"');
              if (filename_provided == (char *)0x0) {
                [...]
              }
              *filename_provided = '\0';
              param_value[0] = '\0';
              strlcpy(param_key,read_buff + 0x26,0x80);
              syslog(7,"get var name: %s",param_key);
              filename_provided = strstr(filename_provided + 1,"filename=\"");
              if (filename_provided == (char *)0x0) {
                [...]
              }
              filename_provided = filename_provided + 10;
              filename_end = strchr(filename_provided,L'\"');
              if (filename_end == (char *)0x0) {
                [...]
              }
              *filename_end = '\0';
              pcVar2 = strrchr(filename_provided,L'\\');                                                    [1]
              if (pcVar2 != (char *)0x0) {
                filename_provided = pcVar2 + 1;
              }
              [...]
              snprintf(file_path,0x80,"/tmp/%s",filename_provided);                                         [2]
              __s = fopen(file_path,"wb");
      [...]
    }
    

The two main variables that are going to be parsed, and later used in the upload.cgi_output, are type and filename. The upload.cgi_input function is also responsible for creating a temporary file with the content of the provided one. The provided filename, using the strrchr function at [1], will be considered, if present, only from the last \ character in the provided filename. Otherwise the entire provided filename will be used. Then, at [2], the file /tmp/<provided_filename> is opened and later filled with the provided content.

Later, in upload.cgi_output, based on the type variable provided, different actions could be performed. Eventually the temporary file created will be removed. The upload.cgi_output function:

    void upload.cgi_output(void)
    
    {
      [...]
    
      type = (char *)webcgi_get("type");
      filename = (char *)webcgi_get("filename");
      if ((type == (char *)0x0) || (*type == '\0')) {
        type = "unknown upload type!";
      }
      else {
        [... here it would manage the file based on the type and eventually remove the temporary file ...]
      }
      syslog(7,type);
    LAB_0040ed08:
      if (gl_server_port != 4444) {
        parse_asp("error.jsp");
        return;
      }
      http_api_success = 0;
      return;
    }
    

If the type variable is not provided, the upload.cgi API will not perform any other actions in upload.cgi_output. This will result in not deleting the temporary file. Furthermore, at [2], the filename is concatenated without any check or manipulation except for the one performed at [1]. This would allow an attacker to perform a path traversal.

The overall impact for these problems will be, for an attacker, to be able to upload and/or overwrite any writable file.

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-02-25 - Initial vendor contact  
2022-03-02 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-21809: TALOS-2022-1468 || Cisco Talos Intelligence Group

A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-347 - Improper Verification of Cryptographic Signature

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers, through the upgrade.cgi API, the upgrade of its firmware. The upgrade process does not include any cryptographic signature that would guarantee that the content of the upgrade is legitimate. This would allow any attacker, able to perform the upgrade.cgi API, to insert backdoor and modify the firmware of the router. The same consequences are true for an attacker able to perform a man-in-the-middle attack, where the attacker would wait for a legitimate user to initiate a firmware update, then modify the firmware in-transit. The iburn binary, the one responsible for performing the actual firmware update, only calculates and checks a CRC32.

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-23 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-26510: TALOS-2022-1495 || Cisco Talos Intelligence Group

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

**CWE**

CWE-259 - Use of Hard-coded Password

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers the telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
      infactory      -- factory mode
    Router> 
    

A low-privileged user can login into this service. The Router console contains a command, called infactory. This functionality will request a password; if correct, a menu with several functions is accessed.

The infactory_command:

    undefined4 infactory_command(undefined4 param_1,char *provided_password)
    
    {
     [...]
    
      if ((provided_password == (char *)0x0) || (*provided_password == '\0')) {
        provided_password = password_in_stack;
        uVar2 = get_help_string("input_pass");
        get_pass_wrap(uVar2,provided_password,0x40);
      }
      aes_decrypt_str(<REDACTED>,0x40,decrypted_password,0x80);                                             [1]
      password_len = strlen(decrypted_password);
      iVar1 = strncmp(decrypted_password,provided_password,password_len);                                   [2]
      if (iVar1 == 0) {
        change_view(view_cursor,&view_infactory);                                                           [3]
        return 0;
      }
      [...]
    }
    

This function will first, at [1], decrypt a hard-coded hex encoded string. Then, if the comparison between the described string and the provided password, at [2], returns zero, meaning the two string are equal, then the code at [3] will be reached. Then the “view” will be changed, which means that the available commands will change.

The aes_decrypt_str:

    undefined4 aes_decrypt_str(char *data,uint data_len,char *output_buff)
    {
      [...]
      IV._0_4_ = 0;
      IV._4_4_ = 0;
      IV._8_4_ = 0;
      IV._12_4_ = 0;
      if ((data_len & 0x1f) == 0) {
        __size = (int)data_len / 2;
        data_bin = malloc(__size);
        if (data_bin == (void *)0x0) {
          syslog(3,"out of memory!");
          uVar1 = 0xffffffff;
        }
        else {
          str2bin(data,__size,data_bin);
          AES_set_key(AES_key,<REDACTED>,128);                                                              [4]
          uVar1 = IH_AES_cbc_encrypt(AES_key,data_bin,output_buff,__size,IV,0);
          free(data_bin);
        }
      }
      [...]
    }
    

The hard-coded data provided at [1] are decrypted, at [4], using AES with a hard-coded key. An attacker, in possession of low-privileged user credentials, would be able to access the infactory functionalities.

**Exploit Proof of Concept**

Using the infactory command and providing the correct password will list the infactory functionalities:

    Router> infactory
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      exit           -- exit current mode/console
      reboot         -- reboot system
      factory-model  -- hardware model configure
      modem          -- modem test
      reset-key      -- check the status of the reset button
      com            -- detecting serial ports
      port           -- FCT network port test
      net            -- complete machine network port test
      led            -- LED lights test
      wlan           -- Wi-Fi test
      mem            -- check memory
      hw_wdg         -- check the hardware watchdog status
      dio            -- detect digital I/O
      stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-28 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-27172: TALOS-2022-1496 || Cisco Talos Intelligence Group

Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.1 IPU - Intel® Processor Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21151  

Description: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

10th Generation Intel® Core™ Processor Family

Mobile

706E5

80

Intel® Pentium® Processor Silver Series

Intel® Celeron® Processor J Series

Intel® Celeron® Processor N Series"

Desktop

Mobile

706A1

01

8th Generation Intel® Core™ Processor Family

Desktop

906EB

02

8th Generation Intel® Core™ Processors

Mobile

806EC

94

10th Generation Intel® Core™ Processor Family

Desktop

Mobile

A0653

A0655

AO661

806EC

22

02

80

94

6th Generation Intel® Core™ Processor Family

Desktop

Mobile

506E3

406E3

36

C0

7th Generation Intel® Core™ Processor Family

Desktop

Mobile

906E9

806E9

2A

C0

9th Generation Intel® Core Processor Family

Desktop

A0671

02

3rd Generation Intel® Xeon® Scalable Processors

Server

606AX

0x87

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues. 

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode: 

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

This CVE requires a Microcode Security Version Number (SVN) update. To address this issue, an SGX TCB recovery is planned for Q2 2022. Customers will require the microcode update to get successful attestation responses. For customers using the Intel Attestation Service (IAS), the IAS Development Environment (DEV) will enforce the microcode and software updates beginning June 21, 2022 and the IAS Production Environment (LIV) will enforce the updates beginning July 19, 2022.

For customers that are not using IAS, but instead are constructing their own attestation infrastructure using the Intel® SGX Provisioning Certificate Service (PCS), updated Endorsements/Reference Values (i.e., PCK Certificates and verification collateral) will be available June 28, 2022. These customers decide when to enforce the microcode and software update, as part of their Appraisal Policies.

Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

Further TCB Recovery Guidance for developers is available. 

**Acknowledgements:**

This issue was found internally by Intel employees. Intel would like to thank Alysa Milburn, Jason Brandt, Avishai Redelman, Nir Lavi for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

1.1

06/13/2022

Updated Recommendations

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21151: INTEL-SA-00617

Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC Firmware Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® NUCs may allow escalation of privilege.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-24382

Description: Improper input validation in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-24297

Description: Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-21237

Description: Improper buffer access in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® NUC products with BIOS before version listed in table below are affected:

Product

BIOS Fixed Version Download Link

Intel® NUC M15 Laptop Kit - LAPBC510, LAPBC710

BCTGL357.0065

Intel® NUC X15 Laptop Kits - LAPKC71F, LAPKC71E, LAPKC51E

KCTGL357.0040

Intel® NUC Extreme Compute Element NUC11DBBi9 and NUC11DBBi7, and Intel® NUC 11 Extreme Kit NUC11BTMi7 and NUC11BTMi9

DBTGL579.0055

Intel® NUC 11 Compute Element CM11EBC4W, CM11EBi38W, CM11EBi58W, CM11EBi716W

EBTGL357.0057

Intel® NUC Kits NUC11PAQ, NUC11PAH, NUC11PA

PATGL357.0042

Intel® NUC Boards/Kits NUC11TN\[x\]i3, NUC11TN\[x\]i5, NUC11TN\[x\]i7

TNTGL357.0059

Intel® NUC11PHKi7C, NUC11PHKi7CAA

PHTGL579.0064

Intel® NUC 9 Pro Compute Element - NUC9V7QNB, NUC9VXQNB

Intel® NUC 9 Pro Kit - NUC9V7QNX, NUC9VXQNX

QNCFLX70.0064

Intel® NUC9i5QN, NUC9i7QN, NUC9i9QN

QXCFL579.0064

Intel® NUC Kits NUC8i3CYSM and NUC8i3CYSN

CYCNLi35.86A.0050

Intel® NUC 8 Compute Element CM8CCB, CM8i3CB, CM8i5CB, CM8i7CB, CM8PCB

CBWHL.0095

Intel® NUC Kit NUC8i7BE, NUC8i5BE, and NUC8i3B

BECFL357.0089

**Recommendations:**

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

Updates are available for download at the locations listed in the provided table above.

**Acknowledgements:**

Intel would like to thank Yngweijw (CVE-2022-24382) and Dmitry Frolov (CVE-2022-24297, CVE-2022-21237) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-24297: INTEL-SA-00654

Uncontrolled search path in the Intel(R) XTU software before version 7.3.0.33 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® XTU Advisory**

**Summary: **

A potential security vulnerability in the Intel® Extreme Tuning Utility (XTU) software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-22139

Description: Uncontrolled search path in the Intel(R) XTU software before version 7.3.0.33 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® XTU software before version 7.3.0.33.

**Recommendations:**

Intel recommends updating the Intel® XTU software to version 7.3.0.33 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/17881/intel-extreme-tuning-utility-intel-xtu.html

**Acknowledgements:**

Intel would like to thank Marius Gabriel Mihai for reporting this issue.

Intel and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-22139: INTEL-SA-00663

Observable behavioral discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processor Speculative Cross Store Bypass Advisory**

**Summary: **

A potential security vulnerability in Intel® Processors may allow information disclosure.  Intel is releasing prescriptive guidance to address this potential vulnerability.

**Vulnerability Details:**

CVEID:  CVE-2021-33149

Description: Observable behavioral discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

**Affected Products:  
**

All Intel® Processor families.

**Recommendations:**

Intel is releasing prescriptive guidance to mitigate this issue.

_Prescriptive guidance:_ Intel recommends that any potential gadget utilize an LFENCE after loads that should observe writes from another thread to the same shared memory address.

**Acknowledgements:**

Intel would like to thank Danping Li and Ziyuan Zhu from Institute of Information Engineering, Chinese Academy of Sciences for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33149: INTEL-SA-00648

An exploitable use-after-free vulnerability exists in WPS Spreadsheets ( ET ) as part of WPS Office, version 11.2.0.10351. A specially-crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Summary**

An exploitable use-after-free vulnerability exists in WPS Spreadsheets ( ET ) as part of WPS Office, version 11.2.0.10351. A specially-crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Tested Versions**

WPS Office 11.2.0.10351

**Product URLs**

WPS Office - https://www.wps.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-416 - Use After Free

**Details**

WPS Office previously known as a Kingsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that can be used for various purposes. Such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing, and so on.

A specially-crafted XLS file written in a proper form of HTML/XML tags can lead to a use-after-free vulnerability and remote code execution. Let us run our malformed xls file in ET.exe using debugger:

    (6a4.1674): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 6E147E:0
    eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
    eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
    
    
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
    01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
    02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Looks like execution flow has been redirected into a non-executable area:

    0:011> !address 0228282b
    
    Usage:                  <unknown>
    Base Address:           02270000
    End Address:            022da000
    Region Size:            0006a000 ( 424.000 kB)
    State:                  00001000          MEM_COMMIT
    Protect:                00000004          PAGE_READWRITE
    Type:                   00020000          MEM_PRIVATE
    Allocation Base:        02270000
    Allocation Protect:     00000001          PAGE_NOACCESS
    

Let’s check the memory content: 0:011> db 02282828 02282828 74 00 61 00 62 00 6c 00-65 00 00 00 74 00 62 00 t.a.b.l.e…t.b. 02282838 6f 00 64 00 79 00 00 00-74 00 66 00 6f 00 6f 00 o.d.y…t.f.o.o. 02282848 74 00 00 00 74 00 68 00-65 00 61 00 64 00 00 00 t…t.h.e.a.d… 02282858 6c 00 6f 00 63 00 6b 00-00 00 00 00 70 00 61 00 l.o.c.k…..p.a. 02282868 74 00 68 00 00 00 00 00-73 00 6b 00 65 00 77 00 t.h…..s.k.e.w. 02282878 00 00 00 00 67 00 72 00-6f 00 75 00 70 00 00 00 ….g.r.o.u.p… 02282888 6f 00 76 00 61 00 6c 00-00 00 00 00 63 00 75 00 o.v.a.l…..c.u. 02282898 72 00 76 00 65 00 00 00-72 00 67 00 62 00 28 00 r.v.e…r.g.b.(. 0:011> du 02282828 02282828 “table”

We can clearly see that indeed program execution ended in a non executable area (data). When we take a few steps back to see the moment of a code execution redirection we see the following code:

    0:011> r
    eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
    eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
    5f06dfae 8b5d08         mov     ebx, dword ptr [ebp+8]
    5f06dfb1 8bcb           mov     ecx, ebx
    5f06dfb3 8b03           mov     eax, dword ptr [ebx]	
    5f06dfb5 ff5034         call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
    

Looks like a typical call to one of the virtual functions. It is highly probable that the object has been released before and a vftable pointer 0228bed0 has been overwritten. Setting a write access breakpoint on 0228bed0, let’s execute our software again:

    0:011> g-
    Breakpoint 0 hit
    Time Travel Position: 6E1064:A7
    eax=0228bea0 ebx=0228bed0 ecx=00a6e000 edx=0000000b esi=01437c70 edi=06cd5a98
    eip=6a437c7d esp=0d4eec08 ebp=0d4eec14 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    kso!mfxGlobalFree2+0x5d:
    6a437c7d 8b4704          mov     eax,dword ptr [edi+4] ds:002b:06cd5a9c=00000055
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 0d4eec14 5f06d818     0000000b 00000030 1ccb5c03 kso!mfxGlobalFree2+0x5d
    01 0d4eec3c 5f0b649f     1ccb5c53 0d4ef078 07ba5174 html2!html2::HtmCreator::createXmlNodesRef+0x4f8
    02 0d4eec6c 5f0c22c0     07ba5174 0d4eef38 0d4eef38 html2!html2::StrIdSet::gainLower+0xbf
    03 0d4eec90 5f0c8d34     022812e0 07b60f01 5f0c90f0 html2!html2::ParserContext::urlStack+0xac00
    04 0d4eeca4 5f0c8a47     022812e0 00000000 07b60f01 html2!html2::ParserContext::urlStack+0x11674
    05 0d4eecd0 5f0c6dfc     022812e0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x11387
    06 0d4eecf8 5f0c8a96     00020000 00000001 0d4ef3f4 html2!html2::ParserContext::urlStack+0xf73c
    07 0d4eed20 5f0c6dfc     022812f0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x113d6
    08 0d4eed48 5f0c7c40     00084404 00000000 00000000 html2!html2::ParserContext::urlStack+0xf73c
    09 0d4eed70 5f0c4d7c     022812f0 00000000 00000001 html2!html2::ParserContext::urlStack+0x10580
    0a 0d4eed90 5f0b24da     022812f0 00000000 07ba6ff0 html2!html2::ParserContext::urlStack+0xd6bc
    0b 0d4eedc8 5f0b32f0     07b6b670 07b15e70 0d4ef668 html2!html2::HtmDocument::topBoxs+0x197a
    0c 0d4eee00 5f0b2271     1ccb5e07 07b6b670 0d4eef38 html2!html2::HtmDocument::topBoxs+0x2790
    0d 0d4eee38 5f0cb8c5     00000003 0074683c 0d4eef38 html2!html2::HtmDocument::topBoxs+0x1711
    0e 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 html2!html2::ParserContext::urlStack+0x14205
    0f 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    10 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    11 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    12 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    13 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    14 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    15 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    16 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    17 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Our hypothesis has been confirmed. What’s important for us here is that the object has been released via a call to kso!mfxGlobalFree2. If we track its allocation :

    dx -r1 -g @$cursession.TTD.Calls("kso!mfxGlobalAlloc2").Where( x => x.ReturnValue == `0x0228bed0`)
    

We get additional information that our object represents a table:

    .text:5F06CEF0 public: static struct html2::HtmTable * __cdecl html2::HtmCreator::createHtmTableAlt(void) proc near
    .text:5F06CEF0                 push    30h ; '0'
    .text:5F06CEF2                 call    mfxGlobalAlloc2
    .text:5F06CEF7                 mov     dword ptr [eax], offset const html2::HtmTableAltImpl::`vftable'
    .text:5F06CEFD                 mov     dword ptr [eax+4], 0
    .text:5F06CF04                 mov     dword ptr [eax+8], 0
    .text:5F06CF0B                 mov     dword ptr [eax+0Ch], 0
    .text:5F06CF12                 mov     dword ptr [eax+10h], 0
    .text:5F06CF19                 mov     dword ptr [eax+14h], 0
    .text:5F06CF20                 mov     dword ptr [eax+18h], 0
    .text:5F06CF27                 mov     dword ptr [eax+1Ch], 0
    .text:5F06CF2E                 mov     dword ptr [eax+20h], 0
    .text:5F06CF35                 mov     dword ptr [eax+24h], 0
    .text:5F06CF3C                 mov     dword ptr [eax+28h], 0
    .text:5F06CF43                 mov     word ptr [eax+2Ch], 0
    .text:5F06CF49                 retn	
    
    0:011> r
    eax=`0228bed0` ebx=07ba51b4 ecx=0228bed0 edx=00000037 esi=07ba51b4 edi=079b1810
    eip=5f06cef7 esp=0d4eebf0 ebp=0d4eec68 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    html2!html2::HtmCreator::createHtmTableAlt+0x7:
    5f06cef7 c700b0be105f    mov     dword ptr [eax],offset html2::HtmTableAltImpl::`vftable' (5f10beb0) ds:002b:0228bed0=0228bf00	
    

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and as a result could allow it to be turned into arbitrary code execution.

**Crash Information**

    (6a4.1674): Break instruction exception - code 80000003 (first/second chance not available)
    Time Travel Position: 6E147D:7D
    eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
    eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
    5f06dfb5 ff5034          call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
    0:011> g
    (6a4.1674): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 6E147E:0
    eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
    eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
    01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
    02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    0:011> lmDvmet
    Browse full module list
    start    end        module name
    00d20000 00e6b000   et         (export symbols)       et.exe
        Loaded symbol image file: et.exe
        Mapped memory image file: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
        Image path: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
        Image name: et.exe
        Browse all global symbols  functions  data
        Timestamp:        Sat Oct 23 14:16:30 2021 (6173FD1E)
        CheckSum:         00153DB1
        ImageSize:        0014B000
        File version:     11.2.0.10351
        Product version:  11.2.0.10351
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        0.0 Unknown
        File date:        00000000.00000000
        Translations:     0000.04b0
        Information from resource tables:
            CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
            ProductName:      WPS Office
            InternalName:     et
            OriginalFilename: et.exe
            ProductVersion:   11,2,0,10351
            FileVersion:      11,2,0,10351
            FileDescription:  WPS Spreadsheets
            LegalCopyright:   Copyright©2021 Kingsoft Corporation. All rights reserved.
    

**Vendor Response**

For international edition: https://www.wps.com/office/windows/ For domestic personal edition: https://official-package.wpscdn.cn/wps/download/WPS\_Setup\_11691.exe For enterprise edition: https://wps-cn-ep.ks3-cn-beijing.ksyun.com/wps/download/ep/WPS2019/WPSPro\_11.8.2.11542.exe If you need to get the WPS official disclosure about the vulnerability, you can visit this link: https://security.wps.cn/notices/28

https://official-package.wpscdn.cn/wps/download/WPS\_Setup\_11691.exe

**Timeline**

2021-11-18 - Vendor disclosure  
2021-12-15 - 30 day follow up  
2022-01-07 - 60 day follow up  
2022-01-13 - Reissued copies of advisories to vendor per request  
2022-04-02 - Talos granted disclosure extension  
2022-05-02 - Vendor patched  
2022-05-09 - Public Release  

Discovered by Marcin "Icewall" Noga of Cisco Talos.

Tag

#intel