CVE-2023-28140 - OpenCVE

An Executable Hijacking condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.5.3.1. Attackers may load a malicious copy of a Dependency Link Library (DLL) via a local attack vector instead of the DLL that the application was expecting, when processes are running with escalated privileges. This vulnerability is bounded only to the time of uninstallation and can only be exploited locally. At the time of this disclosure, versions before 4.0 are classified as End of Life.

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Qualys	Cloud Agent

Configuration 1 [-]

cpe:2.3:a:qualys:cloud_agent:*:*:*:*:*:windows:*:*

References

Link	Resource
https://www.qualys.com/security-advisories/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Qualys

Published: 2023-04-18T15:47:37.719Z

Updated: 2023-04-18T15:47:37.719Z

Reserved: 2023-03-10T21:23:28.796Z

Link: CVE-2023-28140

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-04-18T16:15:09.003

Modified: 2023-04-28T13:52:12.577

Link: CVE-2023-28140

JSON object: View

Redhat Information

No data.

CWE

CWE-427

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-28140", "assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda", "state": "PUBLISHED", "assignerShortName": "Qualys", "dateReserved": "2023-03-10T21:23:28.796Z", "datePublished": "2023-04-18T15:47:37.719Z", "dateUpdated": "2023-04-18T15:47:37.719Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Cloud Agent", "vendor": "Qualys", "versions": [{"lessThan": "4.5.3.1", "status": "affected", "version": "3.1.3.34", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Lockheed Martin Red Team"}], "datePublic": "2023-04-18T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>An Executable Hijacking condition exists in the\nQualys Cloud Agent for Windows platform in versions before 4.5.3.1. Attackers\nmay load a malicious copy of a Dependency Link Library (DLL) via a local\nattack vector instead of the DLL that the application was expecting, when\nprocesses are running with escalated privileges. This vulnerability\nis bounded only to the time of uninstallation and can only be exploited\nlocally.<br>\n<br>\nAt the time of this disclosure, versions before 4.0 are classified as End of\nLife.</p>\n\n\n\n\n\n<p></p>\n\n\n\n\n\n<br><span style=\"background-color: rgb(255, 255, 255);\"><div></div></span>"}], "value": "\nAn Executable Hijacking condition exists in the\nQualys Cloud Agent for Windows platform in versions before 4.5.3.1. Attackers\nmay load a malicious copy of a Dependency Link Library (DLL) via a local\nattack vector instead of the DLL that the application was expecting, when\nprocesses are running with escalated privileges. This vulnerability\nis bounded only to the time of uninstallation and can only be exploited\nlocally.\n\n\n\nAt the time of this disclosure, versions before 4.0 are classified as End of\nLife.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Proof of Concept"}], "value": "Proof of Concept"}], "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471 Search Order Hijacking"}]}, {"capecId": "CAPEC-234", "descriptions": [{"lang": "en", "value": "CAPEC-234 Hijacking a privileged process"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda", "shortName": "Qualys", "dateUpdated": "2023-04-18T15:47:37.719Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.qualys.com/security-advisories/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to v4.5.3.1 of Qualys Cloud Agent for Windows."}], "value": "Upgrade to v4.5.3.1 of Qualys Cloud Agent for Windows."}], "source": {"discovery": "EXTERNAL"}, "title": "Executable Hijacking", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qualys:cloud_agent:*:*:*:*:*:windows:*:*", "matchCriteriaId": "A3C649A1-257A-441A-A11B-33208739DABD", "versionEndExcluding": "4.5.3.1", "versionStartIncluding": "3.1.3.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nAn Executable Hijacking condition exists in the\nQualys Cloud Agent for Windows platform in versions before 4.5.3.1. Attackers\nmay load a malicious copy of a Dependency Link Library (DLL) via a local\nattack vector instead of the DLL that the application was expecting, when\nprocesses are running with escalated privileges. This vulnerability\nis bounded only to the time of uninstallation and can only be exploited\nlocally.\n\n\n\nAt the time of this disclosure, versions before 4.0 are classified as End of\nLife.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"}], "id": "CVE-2023-28140", "lastModified": "2023-04-28T13:52:12.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "bugreport@qualys.com", "type": "Secondary"}]}, "published": "2023-04-18T16:15:09.003", "references": [{"source": "bugreport@qualys.com", "tags": ["Vendor Advisory"], "url": "https://www.qualys.com/security-advisories/"}], "sourceIdentifier": "bugreport@qualys.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "bugreport@qualys.com", "type": "Secondary"}]}