SentinelLabs uncovered a number of critical issues in driver software that affect a variety of cloud services.
Third-party libraries such as the Eltima SDK are used by cloud desktop solutions like Amazon WorkSpaces to provide ‘USB over Ethernet’ capabilities, which let users connect and share local devices such as webcams. Millions of users around the world rely on these cloud services.
Cloud clients unknowingly inherit vulnerabilities in the Eltima SDK, in products derived from it, and in proprietary variations of it.
Attackers can use these flaws to gain elevated privileges, allowing them to disable security products, overwrite system components, corrupt the operating system, and carry out malicious operations undetected.
Vendors have published security patches to address these issues. The affected products and versions in key cloud services are:
- Amazon Nimble Studio AMI, prior to: 2021/07/29
- Amazon NICE DCV, below: 2021.1.7744 (Windows), 2021.1.3560 (Linux), 2021.1.3590 (Mac), 2021/07/30
- Amazon WorkSpaces agent, below: v22.214.171.1247, 2021/07/31
- Amazon AppStream client, below: 1.1.304, 2021/08/02
- NoMachine (all products for Windows), above v4.0.346 and below v7.7.4 (v6.x is being updated as well)
- Accops HyWorks Client for Windows: version v126.96.36.199 or older
- Accops HyWorks DVM Tools for Windows: version 188.8.131.52 or lower (part of Accops HyWorks products earlier than v3.3 R3)
- Eltima USB Network Gate, below 9.2.2420 and above 7.0.1370
- Amzetta zPortal Windows zClient <= v3.2.8180.148
- Amzetta zPortal DVM Tools <= v184.108.40.206
- FlexiHub, below 5.2.14094 (latest) and above 3.3.11481
- Donglify, below 1.7.14110 (latest) and above 1.0.12309
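The list above is only useful if it is actually compared against what is installed. The following Python is an added example for this article, not code from SentinelLabs or from any of the vendors named: it encodes the version bounds transcribed from the list and flags inventoried products that fall inside an affected range. Product labels, function names and the sample inventory are this example's own; where the article says "above X below Y" the lower bound is treated as inclusive (an assumption, chosen so the check errs toward flagging), and entries whose version strings did not survive cleanly in the article are left out.

```python
"""Version-range check against the affected products listed in the article.

Added example, not code from SentinelLabs or any vendor named in the article.
Version bounds are transcribed from the article's list; product labels, function
names and the sample inventory are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v9.2.2420' or '2021.1.7744' into a tuple of ints that compares correctly.

    Plain string comparison would rank '9.2.2420' above '10.0.1', so the
    components are compared numerically instead.
    """
    cleaned = text.strip().lower().lstrip("v")
    return tuple(int(part) for part in cleaned.split(".") if part)


@dataclass(frozen=True)
class AffectedRange:
    lower: Optional[str]      # first affected version (inclusive); None = no lower bound
    upper: str                # upper bound of the affected range
    upper_inclusive: bool     # True for "<= X", False for "below X"

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.lower is not None and v < parse_version(self.lower):
            return False
        u = parse_version(self.upper)
        return v <= u if self.upper_inclusive else v < u


# Bounds as given in the article. Lower bounds ("above X") are treated as
# inclusive here: an assumption so the check flags rather than misses.
AFFECTED: Dict[str, AffectedRange] = {
    "Amazon NICE DCV (Windows)":       AffectedRange(None, "2021.1.7744", False),
    "Amazon NICE DCV (Linux)":         AffectedRange(None, "2021.1.3560", False),
    "Amazon NICE DCV (Mac)":           AffectedRange(None, "2021.1.3590", False),
    "Amazon AppStream client":         AffectedRange(None, "1.1.304", False),
    "NoMachine for Windows":           AffectedRange("4.0.346", "7.7.4", False),
    "Eltima USB Network Gate":         AffectedRange("7.0.1370", "9.2.2420", False),
    "Amzetta zPortal Windows zClient": AffectedRange(None, "3.2.8180.148", True),
    "FlexiHub":                        AffectedRange("3.3.11481", "5.2.14094", False),
    "Donglify":                        AffectedRange("1.0.12309", "1.7.14110", False),
}


def is_affected(product: str, version: str) -> bool:
    """True if the installed version of a listed product is in its affected range.

    Raises KeyError for products that are not in the article's list.
    """
    return AFFECTED[product].contains(version)


def check_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted names of inventoried products that still need patching.

    Products not in the list are skipped rather than reported, because the
    article says nothing about them.
    """
    return sorted(name for name, ver in inventory.items()
                  if name in AFFECTED and is_affected(name, ver))


# Constructed sample inventory (not real data) to show the check in use.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Eltima USB Network Gate": "9.1.2306",       # inside the affected range
    "Amazon NICE DCV (Windows)": "2021.1.7744",  # exactly the fixed build
    "FlexiHub": "5.2.14094",                     # exactly the fixed build
    "Donglify": "1.5.13000",                     # inside the affected range
    "Some Unlisted Tool": "1.0.0",               # not covered by the article
}

if __name__ == "__main__":
    for name in check_inventory(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {name} {SAMPLE_INVENTORY[name]}")
```

Feed `check_inventory` with product/version pairs pulled from your software inventory; a version exactly equal to a "below" bound is treated as fixed, and a product absent from the list is silently skipped rather than declared safe.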
The Mountain View, California-based firm had earlier disclosed a series of privilege escalation vulnerabilities in Dell’s firmware update driver “dbutil_2_3.sys” that had gone unnoticed for over a decade. Then, in July, it revealed a high-severity buffer overflow bug in “ssport.sys”, a driver used in HP, Xerox, and Samsung printers, that had gone unnoticed since 2005.
In September, SentinelOne also reported a high-severity flaw in the HP OMEN driver “HpPortIox64.sys” which could allow threat actors to elevate privileges to kernel mode without administrator permissions, letting them disable security products, overwrite system components, and even corrupt the operating system.
The researchers stated: “Vulnerabilities in third-party code have the potential to compromise a large number of goods, systems, and, ultimately, end users. The outsized impact of insecure dependent code is amplified even more when it arises in cloud-based applications. We strongly advise any companies that rely on the impacted services to examine the above advice and take appropriate action.”
SentinelLabs regularly invests in public cloud research, including sophisticated threat modelling and vulnerability testing of cloud platforms and related technologies, as part of its commitment to advancing public cloud security. The firm recommends its SentinelOne Singularity platform for optimum protection.
Finally, the cybersecurity firm concluded: “An attacker with access to an organization’s network may also get access to execute code on unpatched computers and utilise this vulnerability to gain local elevation of privilege. Attackers can then use additional strategies, such as lateral movement, to pivot to the larger network.”