eCatcher Desktop Flaw Could Give Attackers Access

If hackers exploit a filesystem permissions vulnerability recently found in the Ewon eCatcher Desktop app, they could access files that would allow them to disclose sensitive information, modify configuration files or disrupt normal system operation, according to the researchers at Bishop Fox who discovered the flaw.

That’s particularly troubling since organizations use eCatcher to remotely manage devices in highly secure environments.

“Files and directories for the eCatcher Talk2MVpnService service have permissions that do not properly enforce access controls. For example, sensitive configuration files are marked as world-writable,” the researchers said in an alert. “Since this service runs under the NT Authority\SYSTEM user, these excessive permissions could lead to privilege escalation on the server.”

Bishop Fox said users “have full read/write rights over the directory,” which is used to “temporarily write OpenVPN configuration files,” which means “a user or malware on the system that replaces it successfully could perform privilege escalation when the privileged openvpn process reads it.”

When a VPN connection is initiated, the Talk2MVpnService service recreates the configuration file “and prepends the filename with a random UUID, making it unpredictable,” they said. “Hence, the attack window for exploitation was approximately 15 ms, which made the working exploit unreliable.”
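The root cause described above is an access-control defect, not the race itself: the race only matters because a low-privileged account can write into a directory that a SYSTEM service later reads from. The following PowerShell is an added example, not code from Bishop Fox or Ewon, that audits a service directory for exactly that condition (allow ACEs granting write-capable rights to broad principals such as Everyone or BUILTIN\Users) and then shows the least-privilege ACL such a directory should carry. The `$Target` path is a placeholder; the article does not give the real Talk2MVpnService directory, and for eCatcher the fix is the vendor's July 7 patch, so the hardening function is illustrative of the principle rather than a substitute for the update.

```powershell
# Added example, not Bishop Fox's or Ewon's code: audit a service's working directory
# for the condition the advisory describes (config files or directories writable by
# low-privileged users under a SYSTEM service), then show the least-privilege ACL.
# $Target is a placeholder; the real Talk2MVpnService directory is not given in the article.
$Target = 'C:\PLACEHOLDER\Talk2MVpnService'

# Principals that a SYSTEM service should never allow to write into its config area.
# These are the English well-known names; on localized systems compare SIDs instead.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Only the rights that let a caller create, replace or delete content. Composite rights
# such as Modify or FullControl are deliberately not in the mask: they also contain read
# bits, and a read-only ACE would then be reported as a false positive.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    # The root directory matters as much as its contents: a user who can create files
    # in the directory can plant a config file there even if existing files are protected.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Inherited ACEs sometimes carry generic-right bits (negative values); the
            # bitwise test still works because FileSystemRights is int-backed.
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-ServiceOnlyAcl {
    # Least-privilege ACL for a SYSTEM service's private directory: break inheritance,
    # discard the inherited ACEs, and grant only SYSTEM and Administrators.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # protect; do not copy inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Report first; apply the ACL only after the findings have been reviewed.
$findings = Find-WeakAce -Path $Target
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write-capable ACEs for broad principals under $Target"
}
# Set-ServiceOnlyAcl -Path $Target
```

Run the audit from an elevated prompt so `Get-Acl` can read every entry. Any row reported for the directory itself is the more serious finding: the advisory's attack window exists only because a user can create a replacement configuration file in the directory, and the random UUID prefix narrows the window without closing it. Before applying `Set-ServiceOnlyAcl` to a real product directory, confirm that no user-context component of the application needs to write there, since the function removes every principal except SYSTEM and Administrators.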

While “it’s difficult to exploit this race condition,” Priyank Nigam, senior security consultant at Bishop Fox, noted that, if it were exploited, “that would lead to privilege escalation on a Windows machine. From there, an attacker can pivot into the company’s network (lateral movement).”

“In the post-Kaseya era, it’s easy to look at this vulnerability for a remote management tool and think this might be Kaseya 2.0; there are two reasons that’s wrong,” said AJ King, CISO at BreachQuest.

“First, eCatcher has a very limited market share (orders of magnitude smaller than Kaseya) so the vulnerable population is significantly smaller. Second, this is a locally exploitable vulnerability,” he said. “The Kaseya vulnerability allowed threat actors to gain access to systems remotely, however, the eCatcher vulnerability only allows local privilege escalation.” So, essentially, a “threat actor must already be on the machine to trigger it. This is the sort of vulnerability that is extremely easy to discover,” King said.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, agreed that the vulnerability is “rather obscure” and would require quite a few stars to align before it could be hacked.

Still, the flaw is troubling. “The stars have aligned for less and led to more. For organizations using eCatcher Desktop, it could lead to significant damage to their business, depending on a few factors,” said Bar-Dayan.

“Vulnerabilities like CVE-2021-33214 by themselves won’t get a ton of attention, but this is why vulnerability management programs must work to prioritize threats specific to their business using IT asset data, threat intelligence, vulnerability severity, and, most importantly, multi-input risk modeling and analysis to identify specific risk to a specific business or business unit,” he said.

“These critical components are fairly unaudited from a security point of view. For example, this is an industrial VPN device, and there are many more like these,” said Nigam. “A motivated attacker could put in more effort to develop a better exploit rather than just a proof of concept.”

Bishop Fox discovered the vulnerability in April 2021, then reported it to Ewon, which acknowledged it in May and issued a patch July 7.

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.