A flaw in the eCatcher desktop software could provide attackers access - ICSS

“Permissions on files and directories for the eCatcher Talk2MVpnService service do not effectively enforce access controls. Sensitive configuration files, for example, are designated as world-writable,” the researchers stated in an alert. “Because this service is run by the NT Authority SYSTEM user, these excessive permissions may result in privilege escalation on the server.”

Users have “full read/write rights over the directory,” which is used to “temporarily write Open VPN configuration files,” according to Bishop Fox, which means “a user or malware on the system that successfully replaces it could perform privilege escalation when the It is read by the privileged openvpn process. “When a VPN connection is established, the Talk2MVpn Service service recreates the configuration file and prepends the filename with a random UUID, making it unpredictable,” they explained. “As a result, the attack window for exploitation was around 15 ms, making the working exploit untrustworthy.”

While “it is difficult to exploit this race condition,” Priyank Nigam, senior security expert at Bishop Fox, pointed out that if it was, “it would lead to privilege escalation on a Windows machine.” An attacker can then pivot inside the company’s network (lateral movement).”

“In the post-Kaseya era, it’s easy to look at this vulnerability for a remote management tool and conclude this could be Kaseya 2.0, but that’s incorrect for two reasons,” said AJ King, CISO of BreachQuest.

“First, because eCatcher has a very modest market share (orders of magnitude smaller than Kaseya), the exposed population is much smaller. Second, this is a vulnerability that can only be exploited locally,” he explained. “The Kaseya vulnerability enables threat actors to acquire remote access to systems, whereas the eCatcher vulnerability only allows for local privilege escalation.” So, in order for it to be triggered, a “threat actor” must already be present on the machine. This is the type of vulnerability that is really straightforward to find,” King explained.

Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber, agreed that the vulnerability is “very obscure” and would necessitate a number of stars aligning before it could be exploited. ”Nonetheless, the weakness is troubling. “The stars have aligned for less, but it has resulted in more. Depending on a few conditions, it could do major damage to enterprises that use eCatcher Desktop,” stated Bar-Dayan.

“Vulnerabilities like CVE-2021-33214 will not garner a lot of attention on their own, but this is why vulnerability management programmes must work to prioritise threats specific to their business using IT asset data, threat intelligence, vulnerability severity, and, most importantly, multi-input risk modelling and analysis to identify specific risk to a specific business or business unit,” he explained.

“From a security standpoint, these crucial components are largely unaudited. This is an industrial VPN equipment, for example, and there are many more like it,” Nigam explained. “A motivated attacker may expend more effort to construct a better vulnerability than just a proof of concept.”