SentinelOne researchers have unearthed a number of privilege escalation vulnerabilities in Eltima SDK, a library used by many cloud desktop and USB sharing services, such as Amazon WorkSpaces, NoMachine and Accops, to let users connect and share local devices over a network.
“These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded,” the researchers shared.
The vulnerabilities affect both the cloud services and their end users. The good news, though, is that some of the former have already implemented security updates and that there is currently no evidence that the vulnerabilities are actively abused by attackers.
About the vulnerabilities
The 27 CVE-numbered vulnerabilities affect a number of cloud services by providers such as Amazon (AWS), Eltima, Accops, NoMachine, Amzetta, FlexiHub and Donglify, whose virtual desktop, application streaming, and “USB over Ethernet” sharing services have become increasingly popular due to the work-from-home model adopted by companies during the height of the Covid-19 pandemic.
The flaws are integer and buffer overflows that could allow local attackers to execute arbitrary code in kernel mode or cause a denial of service.
“Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement,” the researchers explained.
The list of the affected versions of specific cloud services and client software is available here.
“Vendors have released security updates to address these vulnerabilities. Some of these are automatically applied while others require customer actions,” the researchers noted.
Eltima has released fixed versions of the SDK and its vulnerable Eltima USB Network Gate offering.
AWS, NoMachine, and Amzetta have pushed out fixes. Accops has made updated modules (Accops HyWorks Client for Windows, Accops HyWorks DVM Tools) available from its website, notified users to upgrade to these new versions, and published a tool that detects vulnerable endpoints.