SES Evolution agent VC++ runtime DLL hijacking (CVE-2021-35957)
Vulnerability details
A SES Evolution agent process, EsScriptHost, loads the VCRuntime DLLs from the Windows directory rather than from the agent’s installation folder. An attacker with administrative privileges could potentially replace those DLLs in the Windows directory to inject malicious code into the EsScriptHost process.
Impacted products

Stormshield Endpoint Security

Revisions

Version | Date | Description
v1 | 07/12/2021 | Initial release
CVSS v3.1 Overall Score: 5.8
Analysis

An attacker with administrative privileges could replace the Visual C++ Runtime DLLs in the Windows directory in order to inject malicious code into a specific privileged process of SES Evolution. All other services of SES Evolution load those DLLs from the protected agent installation directory.

Impacted version

- SES Evolution 2.0.0 to 2.0.2

Workaround solution

There is no workaround solution.

Solution

The 2.1.0 update fixes this vulnerability.
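As an added verification script (not Stormshield's code), the following PowerShell lists which directory a running EsScriptHost process has loaded its VC++ runtime DLLs from and whether each file carries a valid Authenticode signature, so an administrator can confirm the 2.1.0 behaviour (DLLs loaded from the agent installation directory) and spot the Windows-directory pattern described above. The process name comes from the advisory; the installation folder path is a placeholder you must set, and the session must be elevated.

```powershell
# Added example, not part of the Stormshield advisory.
# Assumptions: process name EsScriptHost (from the advisory); $ExpectedDir is a
# placeholder for the real SES Evolution agent installation folder; run from an
# elevated PowerShell host whose bitness matches the target process.
param(
    [string]$ProcessName = 'EsScriptHost',
    [string]$ExpectedDir = 'C:\PLACEHOLDER\SES Evolution Agent'   # placeholder path
)

$windir = [Environment]::GetFolderPath('Windows')
$procs  = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No '$ProcessName' process is running."
    return
}

foreach ($p in $procs) {
    # .Modules enumerates every DLL currently mapped into the process.
    $runtime = $p.Modules | Where-Object { $_.ModuleName -like 'vcruntime*.dll' }
    if (-not $runtime) {
        Write-Warning "PID $($p.Id): no vcruntime*.dll module found (bitness mismatch or access denied?)."
        continue
    }
    foreach ($m in $runtime) {
        $dir = Split-Path -Path $m.FileName -Parent
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName

        # Classify the load location: install dir is the fixed behaviour,
        # Windows dir is the location the advisory says the vulnerable
        # version loads from, anything else deserves a manual look.
        $result = if ($dir -like "$ExpectedDir*")  { 'OK: agent installation directory' }
                  elseif ($dir -like "$windir*")   { 'REVIEW: Windows directory (CVE-2021-35957 pattern)' }
                  else                              { 'REVIEW: unexpected directory' }

        [pscustomobject]@{
            PID       = $p.Id
            Module    = $m.ModuleName
            Path      = $m.FileName
            Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            Result    = $result
        }
    }
}
```

A `Signature` other than `Valid`, or a signer that is not Microsoft for a runtime DLL, is the indicator worth escalating regardless of which directory the file lives in.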
CVSS v3.1 Base metrics

Metric | Value
Attack Vector | Local
Attack Complexity | Low
Privileges Required | High
User Interaction | None
Scope | Unchanged
Confidentiality Impact | High
Integrity Impact | High
Availability Impact | High

Temporal metrics

Metric | Value
Exploit Code Maturity | Unproven that exploit exists
Remediation Level | Official fix
Report Confidence | Confirmed

Environmental metrics

Metric | Value
Confidentiality Requirement | High
Integrity Requirement | High
Availability Requirement | High