Hashim Jawad

**Name of the Vulnerable Software and Affected Versions** SonicWall Connect Tunnel versions 12.4.3.271 and earlier of Windows client **Description** The issue allows users with standard privileges to delete arbitrary folders and files, potentially leading to a local privilege escalation attack. This is due to improper link resolution before file access, also known as 'Link Following'. **Recommendations** For SonicWall Connect Tunnel versions 12.4.3.271 and earlier of Windows client, update to a version later than 12.4.3.271 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and folders to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SonicWall Connect Tunnel versions 12.4.3.271 and earlier **Description** The issue allows users with standard privileges to create arbitrary folders and files, potentially leading to a local Denial of Service (DoS) attack due to improper link resolution before file access. **Recommendations** For SonicWall Connect Tunnel versions 12.4.3.271 and earlier, update to a version later than 12.4.3.271 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trend Micro VPN Proxy One Pro versions 5.8.1012 and below **Description** The issue is related to an arbitrary file overwrite or create attack, which can lead to a local Denial of Service (DoS) and, under specific conditions, elevation of privileges. It is also associated with the possibility of deleting arbitrary files in the system, potentially allowing an attacker to gain elevated privileges. **Recommendations** For versions 5.8.1012 and below, update to a version above 5.8.1012 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

Name of the Vulnerable Software and Affected Versions: Docker Desktop versions prior to 4.31.0 Description: The issue is related to a configuration flaw in the exec-path Docker daemon config option, allowing a user in the docker-users group to cause a Windows Denial-of-Service in Windows containers mode. This is due to inadequate access control. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. The vulnerability can be exploited through the `exec-path` Docker daemon config option, which is a part of the Docker Desktop platform for developing and delivering containerized applications. Recommendations: For Docker Desktop versions prior to 4.31.0, update to version 4.31.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `exec-path` Docker daemon config option to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Trend Micro VPN versions 5.8.1012 and below Trend Micro VPN Proxy One Pro (affected versions not specified) **Description** The issue is related to incorrect link resolution before accessing a file in the DEP Manager component of Trend Micro VPN Proxy One Pro for Windows. This can allow an attacker to elevate their privileges under specific conditions. The vulnerability may lead to arbitrary file overwrite, resulting in privilege escalation. **Recommendations** For Trend Micro VPN versions 5.8.1012 and below, update to a version above 5.8.1012 to resolve the issue. For Trend Micro VPN Proxy One Pro, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Trend Micro VPN Proxy Pro versions 5.2.1026 and below **Description** The issue involves overly permissive folders in a key directory, which could allow a local attacker to obtain privilege escalation on an affected system. **Recommendations** For versions 5.2.1026 and below, consider restricting access to the key directory until a patch is available. As a temporary workaround, review and adjust the permissions of the overly permissive folders to prevent local privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NVIDIA GeForce Experience versions prior to 3.20.5.70 **Description** The issue concerns a vulnerability in the ShadowPlay component of NVIDIA GeForce Experience, potentially leading to local privilege escalation, code execution, denial of service, or information disclosure. **Recommendations** For versions prior to 3.20.5.70, update to version 3.20.5.70 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Overwolf versions prior to 0.149.2.30 **Description** The issue is related to the mishandling of Symbolic Links during updates, which can cause elevation of privileges. **Recommendations** For versions prior to 0.149.2.30, update to version 0.149.2.30 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IDrive versions prior to 6.7.3.19 **Description** The issue allows any standard user to escalate privileges to NT AUTHORITYSYSTEM by substituting the IDriveService binary with a malicious one due to weak folder permissions. The program installs by default to %PROGRAMFILES(X86)%IDriveWindows with permissions granting any user modify permission to the directory and its sub-folders. The IDriveService runs as LocalSystem, enabling privilege escalation. **Recommendations** For versions prior to 6.7.3.19, update to version 6.7.3.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the IDriveService binary to prevent substitution with a malicious one. Additionally, review and adjust the folder permissions of the %PROGRAMFILES(X86)%IDriveWindows directory to prevent unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** G.SKILL Trident Z Lighting Control versions 1.00.08 and earlier **Description** The issue allows local non-privileged users to access sensitive operations, including mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports. This exposure leads to privilege escalation to NT AUTHORITYSYSTEM. **Recommendations** For versions 1.00.08 and earlier, consider disabling the ene.sys driver as a temporary workaround to minimize the risk of exploitation. Restrict access to the affected driver to prevent local non-privileged users from escalating privileges to NT AUTHORITYSYSTEM. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Docker Desktop Enterprise versions prior to 2.1.0.9 Docker Desktop for Windows Stable versions prior to 2.2.0.4 Docker Desktop for Windows Edge versions prior to 2.2.2.0 LibreNMS versions prior to 1.48 **Description** The issue allows for local privilege escalation and arbitrary file writes due to mishandling of diagnostics collection with Administrator privileges. Additionally, there is a problem with insufficient validation or encoding of user-supplied input in graphing scripts, which can lead to injection of RRDtool syntax and various attacks, including disclosure of directory structure and filenames, file content, denial of service, or writing arbitrary files. The `html/graph.php` script and parameters like `html/includes/graphs/common.inc.php` and `html/includes/graphs/graphs.inc.php` are affected. **Recommendations** For Docker Desktop Enterprise versions prior to 2.1.0.9, update to version 2.1.0.9 or later. For Docker Desktop for Windows Stable versions prior to 2.2.0.4, update to version 2.2.0.4 or later. For Docker Desktop for Windows Edge versions prior to 2.2.2.0, update to version 2.2.2.0 or later. For LibreNMS versions prior to 1.48, update to version 1.48 or later. As a temporary workaround for LibreNMS, consider restricting access to the `html/graph.php` script and validating user input for the `html/includes/graphs/common.inc.php` and `html/includes/graphs/graphs.inc.php` scripts to prevent RRDtool syntax injection.

**Name of the Vulnerable Software and Affected Versions** CORSAIR iCUE versions prior to 3.25.60 **Description** The issue allows local non-privileged users to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITYSYSTEM privileges, via a function call such as MmMapIoSpace. This is due to a flaw in the CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers. Researchers from Activecyber identified this issue, which could lead to privilege escalation. **Recommendations** For versions prior to 3.25.60, update to version 3.25.60 or later to resolve the issue. As a temporary workaround, consider restricting access to the CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Patriot Viper RGB versions prior to 1.1 **Description** The issue allows local users, including those with low integrity processes, to read and write to arbitrary memory locations. This can lead to the gain of NT AUTHORITYSYSTEM privileges by mapping DevicePhysicalMemory into the calling process via `ZwOpenSection` and `ZwMapViewOfSection` functions. **Recommendations** For Patriot Viper RGB versions prior to 1.1, update to version 1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Netwrix Auditor versions prior to 9.8 **Description** The issue is related to insecure permissions on certain directories and sub-folders, specifically `%PROGRAMDATA%Netwrix AuditorLogsActiveDirectory`. The `Netwrix.ADA.StorageAuditService` service, which writes to this directory, does not properly impersonate, resulting in the target file having the same permissions as the invoking process. This allows low-privileged users to perform DLL Hijacking/Binary Planting attacks, potentially executing code as `NT AUTHORITYSYSTEM` with the help of Symbolic Links. **Recommendations** For versions prior to 9.8, update to version 9.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `%PROGRAMDATA%Netwrix AuditorLogsActiveDirectory` directory and its sub-folders to prevent low-privileged users from exploiting the vulnerability. Additionally, restrict the use of the `Netwrix.ADA.StorageAuditService` service until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Artica Pandora FMS versions 7.0 NG before 735 **Description** The issue is related to improper permissions on the C:PandoraFMS directory and its sub-folders, allowing standard users to create new files. When the Apache service httpd.exe receives web requests to the portal, it attempts to execute cmd.exe from the C:PandoraFMS directory as NT AUTHORITYSYSTEM. This allows non-privileged users to escalate privileges to NT AUTHORITYSYSTEM. **Recommendations** For Artica Pandora FMS version 7.0 NG before 735, update to version 735 or later to resolve the issue. As a temporary workaround, consider restricting write access to the C:PandoraFMS directory and its sub-folders to prevent standard users from creating new files. Additionally, restrict the execution of cmd.exe by the Apache service httpd.exe to minimize the risk of privilege escalation.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Desktop Central versions 10.0.380 Zoho ManageEngine EventLog Analyzer versions 12.0.2 Zoho ManageEngine ServiceDesk Plus versions 10.0.0 Zoho ManageEngine SupportCenter Plus versions 8.1 Zoho ManageEngine O365 Manager Plus versions 4.0 Zoho ManageEngine Mobile Device Manager Plus versions 9.0.0 Zoho ManageEngine Patch Connect Plus versions 9.0.0 Zoho ManageEngine Vulnerability Manager Plus versions 9.0.0 Zoho ManageEngine Patch Manager Plus versions 9.0.0 Zoho ManageEngine OpManager versions 12.3 Zoho ManageEngine NetFlow Analyzer versions 11.0 Zoho ManageEngine OpUtils versions 11.0 Zoho ManageEngine Network Configuration Manager versions 11.0 Zoho ManageEngine FireWall versions 12.0 Zoho ManageEngine Key Manager Plus versions 5.6 Zoho ManageEngine Password Manager Pro versions 9.9 Zoho ManageEngine Analytics Plus versions 1.0 Zoho ManageEngine Browser Security Plus (affected versions not specified) **Description** The issue is related to local privilege escalation due to improper permissions for the %SYSTEMDRIVE%ManageEngine directory and its sub-folders. Services associated with the affected products try to execute binaries such as `sc.exe` from the current directory upon system start, allowing non-privileged users to escalate privileges to NT AUTHORITYSYSTEM. **Recommendations** For Desktop Central 10.0.380, update the permissions for the %SYSTEMDRIVE%ManageEngine directory and its sub-folders to prevent non-privileged users from escalating privileges. For EventLog Analyzer 12.0.2, restrict the execution of binaries such as `sc.exe` from the current directory upon system start. For ServiceDesk Plus 10.0.0, ensure proper permissions are set for the %SYSTEMDRIVE%ManageEngine directory and its sub-folders. For SupportCenter Plus 8.1, consider disabling the execution of binaries from the current directory until a patch is available. For O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Viber versions prior to 10.7.0 for Desktop (Windows) **Description** A vulnerability exists due to unsafe search paths used by the application URI, allowing an attacker to execute arbitrary commands on a targeted system. An attacker could exploit this by convincing a targeted user to follow a malicious link, causing the application to load libraries from the directory targeted by the URI link. This could allow the attacker to execute arbitrary commands on the system with the privileges of the targeted user, if the attacker can place a crafted library in a directory that is accessible to the vulnerable system. **Recommendations** For Viber versions prior to 10.7.0 for Desktop (Windows), update to version 10.7.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TeamSpeak 3 Client versions prior to 3.2.5 **Description** The issue allows remote code execution in the Qt framework. **Recommendations** For versions prior to 3.2.5, update to version 3.2.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** KioWare Server versions 4.9.6 and older **Description** The issue concerns weak folder permissions in the default installation directory, granting any user full access to the directory and its sub-folders. Additionally, a service called KWSService runs as Localsystem, allowing any user to potentially escalate privileges to NT AUTHORITYSYSTEM by substituting the service's binary with a malicious one. **Recommendations** For KioWare Server versions 4.9.6 and older, consider restricting access to the installation directory and its sub-folders to prevent unauthorized modifications. As a temporary workaround, monitor the KWSService for any suspicious activity and consider disabling it until a patch is available. Restrict access to the service's binary to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Seqrite End Point Security version 7.4 **Description** The issue allows local users to gain privileges by replacing an executable file with a Trojan horse, due to the "Everyone: (F)" permission for %PROGRAMFILES%SeqriteSeqrite. **Recommendations** For Seqrite End Point Security version 7.4, consider restricting access to the %PROGRAMFILES%SeqriteSeqrite directory to prevent local users from replacing executable files. As a temporary workaround, monitor the directory for any unauthorized changes to executable files until a patch is available.