SES Evolution agent VC++ runtime DLL hijacking (CVE-2021-35957)

Advisory ID      CVE Number       Date discovered   Severity   Advisory revision
STORM-2021-045   CVE-2021-35957   06/02/2021        medium     v1

Vulnerability details

A SES Evolution agent process, EsScriptHost, loads the VCRuntime DLLs from the Windows directory rather than from the agent’s installation folder. An attacker with administrative privileges could potentially replace those DLLs in the Windows directory to inject malicious code into the EsScriptHost process.

Impacted products

Products                        Severity   Detail
Stormshield Endpoint Security   medium     SES is impacted

Revisions

Version   Date         Description
v1        07/12/2021   Initial release


Stormshield Endpoint Security

CVSS v3.1 Overall Score: 5.8

Analysis

An attacker with administrative privileges could replace the Visual C++ Runtime DLLs in the Windows directory in order to inject malicious code into a specific privileged process of SES Evolution (EsScriptHost). All other services of SES Evolution load those DLLs from the protected agent installation directory.

Impacted version

  • SES Evolution 2.0.0 to 2.0.2
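The following PowerShell check is an added example for defenders and is not part of the Stormshield advisory or the SES Evolution product. It lists which directory each VC++ runtime DLL was actually loaded from by a running EsScriptHost process and whether that matches the agent installation folder, which is the behaviour the fixed agent is described as having. The installation path and the runtime DLL file names are assumptions; adjust them to the host being checked.

```powershell
# Added example (not Stormshield's code): report where a running EsScriptHost
# process loaded its VC++ runtime DLLs from, and flag any copy that did not
# come from the agent installation directory.

# ASSUMPTION: adjust to the real SES Evolution agent directory on this host.
$AgentDir = 'C:\Program Files\Stormshield\SES Evolution\Agent'

# ASSUMPTION: file names of the VC++ runtime DLLs used by the agent build.
$RuntimeDlls = @('vcruntime140.dll', 'vcruntime140_1.dll', 'msvcp140.dll')

function Get-VcRuntimeLoadLocations {
    param(
        [string]$ProcessName = 'EsScriptHost',
        [string]$ExpectedDir = $AgentDir
    )

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No process named '$ProcessName' is running."
        return
    }

    $expected = $ExpectedDir.TrimEnd('\').ToLowerInvariant()

    foreach ($p in $procs) {
        # Reading .Modules of a privileged process requires an elevated shell
        # with the same bitness as the target process.
        foreach ($m in $p.Modules) {
            if ($RuntimeDlls -notcontains $m.ModuleName.ToLowerInvariant()) { continue }

            $dir = (Split-Path -Parent $m.FileName).TrimEnd('\').ToLowerInvariant()

            # Authenticode status gives a second signal: the real runtime DLLs
            # carry a valid Microsoft signature; a replaced copy usually does not.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName

            [pscustomobject]@{
                Pid        = $p.Id
                Module     = $m.ModuleName
                Path       = $m.FileName
                InAgentDir = ($dir -eq $expected)
                SigStatus  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Any row with InAgentDir = False shows a runtime DLL resolved from outside the
# protected agent folder (for example from the Windows directory).
Get-VcRuntimeLoadLocations | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session; without elevation the module list of a privileged process is not readable. On an unpatched agent (2.0.0 to 2.0.2) the EsScriptHost rows are expected to point into the Windows directory; after the 2.1.0 update they should point into the agent installation folder, which is the condition the script tests for.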

Workaround solution

There is no workaround solution.

Solution

The 2.1.0 update fixes this vulnerability.

CVSS Base score: 6.7
CVSS Vector: (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Local
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High

CVSS Temporal score: 5.8
CVSS Vector: (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploit Code Maturity: Unproven that exploit exists
  Remediation Level: Official fix
  Report Confidence: Confirmed

CVSS Environmental score: 5.8
CVSS Vector: (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)
  Confidentiality Requirement: High
  Integrity Requirement: High
  Availability Requirement: High