Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12eDJ4LTljZmYtZmhqd84AAwLo
DSInternals Credential Roaming Elevation of Privilege Vulnerability
Impact
A vulnerability exists in the DSInternals.Common.Data.RoamedCredential.Save() method, which incorrectly parses the msPKIAccountCredentials LDAP attribute values. As a consequence, a malicious actor would be able to modify the file system of the computer where an application using this function is executed with administrative privileges.
A similar security issue used to be present in the Windows operating system, as DSInternals re-implements the Credential Roaming feature of Windows.
Exploitability
The vulnerability can be exploited under the following circumstances:
- An attacker is able to modify the
msPKIAccountCredentialsattribute of a user account in Active Directory. This attribute is used by the Credential Roaming feature of Windows and each AD user can modify their own roamed credentials. AND - A 3rd party application uses the
DSInternals.Commonlibrary to export roamed credentials from Active Directory to a file system. AND - The application has administrative privileges on the local system.
The probability of any 3rd-party product using the DSInternals.Common library being affected by this vulnerability is extremely low.
Patches
The issue had been fixed in DSInternals 4.8.
References
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
Permalink: https://github.com/advisories/GHSA-vx2x-9cff-fhjwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12eDJ4LTljZmYtZmhqd84AAwLo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-vx2x-9cff-fhjw
References:
- https://github.com/MichaelGrafnetter/DSInternals/security/advisories/GHSA-vx2x-9cff-fhjw
- https://nvd.nist.gov/vuln/detail/CVE-2022-30170
- https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
- https://github.com/advisories/GHSA-vx2x-9cff-fhjw
Blast Radius: 1.0
Affected Packages
nuget:DSInternals.Common
Dependent packages: 3Dependent repositories: 0
Downloads: 114,001 total
Affected Version Ranges: >= 2.21, < 4.8
Fixed in: 4.8
All affected versions: 2.21.0, 2.21.2, 3.0.0, 3.1.0, 3.2.0, 3.6.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.7.0
All unaffected versions: 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0, 2.18.0, 2.19.0, 2.20.0, 4.8.0, 4.11.0, 4.12.0, 4.13.0, 4.14.0