Vulnerabilities discovered by Marcin ‘Icewall’ Noga of Cisco Talos.
Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.
Privilege Escalation Vulnerability TALOS-2016-0256 (CVE-2016-9038)
This vulnerability is a double fetch in the SboxDrv.sys driver. The vulnerability is triggered by sending crafted data to the \Device\SandboxDriverApi device driver which is read/write accessible to everyone. A successful exploitation results in an arbitrary value written to kernel memory space, which can lead to local privilege escalation.
Known vulnerable: Invincea-X, Dell Protected Workspace 6.1.3-24058
More details can be found in the vulnerability report: TALOS-2016-0256.
Protection Bypass Vulnerability TALOS-2016-0246 (CVE-2016-8732)
Invincea Dell Protected Workspace is a security solution offered by Dell that seeks to provide enhanced protection for endpoints. Multiple security flaws exist within one of the driver components, ‘InvProtectDrv.sys’ that is included in version 5.1.1-22303 of this software. Due to weak restrictions on the driver communications channel, as well as insufficient validation, an attacker controlled application that is executed on an affected system could leverage this driver to effectively disable some of the protection mechanisms provided by the software.
Known vulnerable: Invincea, Dell Protected Workspace 5.1.1-22303
This vulnerability is fixed in the 6.3.0 release of the software.
More details can be found in the vulnerability report: TALOS-2016-2046.
Protection Bypass Vulnerability TALOS-2016-0247 (CVE-2017-2802)
During the start of ‘Dell PPO Service’, supplied by Dell Precision Optimizer application, the program “c:\Program Files\Dell\PPO\poaService.exe” loads the dll, “c:\Program Files\Dell\PPO\ati.dll”. This in turn attempts to load “atiadlxx.dll”, which is not present by default in the application directory. The program searches for an appropriately named dll in the directories specified by the PATH environment variable. If it finds a dll with the same name, it will load the dll into poaService.exe without checking the signature of the dll. This can lead to execution of arbitrary code if an attacker supplies a malicious dll of the correct name.
Dell has released an update to resolve this issue. All versions from v4.0 onwards are not vulnerable, for more information see: www.dell.com/optimizer.
Known vulnerable: Dell Precision Tower 5810 with nvidia graphic cards, PPO Policy Processing Engine (220.127.116.11), ati.dll (PPR Monitoring Plugin) (18.104.22.168).
More details can be found in the vulnerability report: TALOS-2016-2047.
Given that the Invincea Dell Protected Workspace is an application that is commonly deployed to secure workstations within high security environments, it is recommended that organizations using affected versions of this solution update to the latest version as quickly as possible to ensure that the protections provided by this software cannot be bypassed by an attacker. Dell Protected Workspace is based on Invincea's software. Dell is currently working on providing an update to incorporate Invincea's fix. Organisations need to carefully consider the risks and benefits of software bundled with devices. Potentially, any software may contain exploitable vulnerabilities. Bundled software can provide usefully functionality, but if it is unused, allowing it to persist on devices exposes organisations to vulnerabilities without providing any benefits in return. As with any unused software, removing the software removes associated vulnerabilities and removes an additional package from patching schedules.
The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 41306 - 41309, 41312 - 41313