Multiple vulnerabilities in USB-over-Ethernet driver software from Eltima have been “unwittingly inherited” by cloud desktop products that bundle it, including Amazon WorkSpaces, Accops, and NoMachine. Any machine on which one of these products installs the affected drivers carries the flaws, whichever vendor’s name is on the installer.
According to SentinelOne researchers, the flaws let a local attacker escalate privileges to the kernel, and from there disable security products, overwrite system components, corrupt the operating system, or carry out malicious actions without being detected.
Amazon Nimble Studio AMI, Amazon NICE DCV, Amazon WorkSpaces, Amazon AppStream, NoMachine, Accops HyWorks, Accops HyWorks DVM Tools, Eltima USB Network Gate, Amzetta zPortal Windows zClient, Amzetta zPortal DVM Tools, FlexiHub, and Donglify have all since shipped patches. Because each product bundles its own copy of the driver, updating one of them does not fix another’s copy; every affected product on a host needs its own update.
The problems are rooted in an Eltima product that provides “USB over Ethernet” functionality, which desktop virtualization services such as Amazon WorkSpaces use to redirect locally connected USB devices, such as webcams, to the remote desktop. The vulnerabilities lie in two USB redirection drivers, “wspvuhub.sys” and “wspusbfilter.sys”; buffer overflows in these drivers can be exploited to execute arbitrary code with kernel-mode privileges.
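The practical first question for a defender is whether a given Windows host has these drivers at all, and at what version. The script below is an added example written for this page; it is not code from the article, SentinelOne, Eltima, or any of the vendors named. It inventories the two driver file names the article gives, reports file version and Authenticode signer so the result can be compared against the relevant vendor advisory, and checks whether a copy is currently loaded. It assumes the usual driver location under System32\drivers and does not hard-code “fixed” version numbers, because the article does not state them; it also only knows the two file names above, so a clean result says nothing about a bundle that ships the driver under a different name.

```powershell
# Added example, not the article's or any vendor's code.
# Inventory a Windows host for the Eltima USB redirection drivers named in the article.
# Assumption: drivers live under %SystemRoot%\System32\drivers; loaded copies are
# visible through Win32_SystemDriver. Compare FileVersion against the vendor advisory.

$driverNames = @('wspvuhub.sys', 'wspusbfilter.sys')
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Copies on disk: version and signer, so the result can be checked against an advisory
$onDisk = foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Driver      = $name
            Path        = $path
            FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            Loaded      = $false
        }
    }
}

# 2. Loaded kernel drivers: a running copy is the one an attacker can reach
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($driverNames -contains (Split-Path -Path $_.PathName -Leaf)) }

foreach ($d in $onDisk) {
    $running = $loaded | Where-Object {
        (Split-Path -Path $_.PathName -Leaf) -ieq $d.Driver -and $_.State -eq 'Running'
    }
    if ($running) { $d.Loaded = $true }
}

# 3. Registered drivers that are not in the expected directory (installed elsewhere)
$elsewhere = $loaded | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $driverDir (Split-Path -Path $_.PathName -Leaf)))
}

if (-not $onDisk -and -not $loaded) {
    Write-Output "No Eltima USB redirection driver (wspvuhub.sys / wspusbfilter.sys) found on $env:COMPUTERNAME"
} else {
    $onDisk | Format-Table Driver, FileVersion, Signer, SigStatus, Loaded -AutoSize
    $elsewhere | ForEach-Object {
        Write-Output "Registered from non-standard path: $($_.Name) -> $($_.PathName)"
    }
}
```

Run it in an elevated PowerShell session so that the driver directory and the signature data are readable; wrapped in Invoke-Command it serves as a quick fleet sweep. A driver that is present but not loaded still matters, since a later product update or reboot can load it.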
According to the cybersecurity firm, the flaws are a local elevation-of-privilege issue: an attacker who has already obtained code execution on an unpatched machine, for example through a compromised user account on the organization’s network, can use them to gain kernel-level control of that machine. From there the attacker can apply further techniques, such as lateral movement, to pivot into the wider network. This is the fourth set of security vulnerabilities in software drivers that SentinelOne has disclosed since the beginning of the year.
Earlier, in September, SentinelOne disclosed a high-severity bug in the HP OMEN driver “HpPortIox64.sys”. It could allow threat actors to obtain kernel-mode access without administrator privileges, letting them deactivate security products, overwrite system components, and even corrupt the operating system.