Multiple critical vulnerabilities in the remote student-monitoring software Netop Vision Pro could allow an attacker to execute arbitrary code and take over Windows machines. Although the flaws had already been patched, it wasn’t until March 21 that McAfee released the analysis in which it details its methods and findings.
“These findings allow for elevation of privileges and ultimately remote code execution which could be used by a malicious attacker within the same network to gain full control over students’ computers,” the McAfee Labs Advanced Threat Research team said in an analysis.
Netop is a Denmark-based company that makes software for remotely accessing and supporting devices, with offices in the United States, Romania, and Switzerland. Netop counts half of the Fortune 100 companies among its customers, and over 3 million teachers and students rely on its software.
The flaws
McAfee reported the vulnerabilities, tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, to Netop on December 11, 2020. Netop quickly moved to fix the issues in an update (version 9.7.2) released on February 25.
“We were thrilled that Netop was able to deliver an updated version in February 2021, effectively patching many of the critical vulnerabilities,” McAfee stated in the report.
Netop Vision Pro, the company’s flagship product, allows teachers to remotely perform tasks on students’ computers in real time, such as launching applications and websites.
During McAfee’s investigation, several design flaws were uncovered, including a critical vulnerability rated 9.5 out of a maximum of 10 on the CVSS scale.
The consequences
The consequences of such exploitation could be the deployment of ransomware, the installation of keylogging software, or the chaining of CVE-2021-27195 and CVE-2021-27193 to view webcam streams of individual users, McAfee warned.
While Netop patched most of the vulnerabilities, the company did not implement network encryption, which it promised to add in a future update.
“An attacker doesn’t have to compromise the school network; all they need is to find any network where this software is accessible, such as a library, coffee shop or home network,” explained McAfee researchers. “It doesn’t matter where one of these students’ PCs gets compromised, as a well-designed malware could lay dormant and scan each network the infected PC connects to until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection.”
The remote attacker then gains full control of the system, they added.
These findings come shortly after the US Federal Bureau of Investigation (FBI) warned last week of an increase in PYSA (aka Mespinoza) ransomware attacks on educational institutions in the US and UK.