GHSA-vx2x-9cff-fhjw – dsinternals.common

Package

Manager: nuget
Name: dsinternals.common
Vulnerable Version: >=2.21 <4.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

DSInternals Credential Roaming Elevation of Privilege Vulnerability ### Impact A vulnerability exists in the `DSInternals.Common.Data.RoamedCredential.Save()` method, which incorrectly parses the `msPKIAccountCredentials` LDAP attribute values. As a consequence, a malicious actor would be able to modify the file system of the computer where an application using this function is executed with administrative privileges. A [similar security issue](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30170) used to be present in the Windows operating system, as DSInternals re-implements the Credential Roaming feature of Windows. ### Exploitability The vulnerability can be exploited under the following circumstances: - An attacker is able to modify the `msPKIAccountCredentials` attribute of a user account in Active Directory. This attribute is used by the Credential Roaming feature of Windows and each AD user can modify their own roamed credentials. AND - A 3rd party application uses the `DSInternals.Common` library to export roamed credentials from Active Directory to a file system. AND - The application has administrative privileges on the local system. The probability of any 3rd-party product using the `DSInternals.Common` library being affected by this vulnerability is extremely low. ### Patches The issue had been fixed in DSInternals 4.8. ### References https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming

Metadata

Created: 2022-12-06T21:13:49Z
Modified: 2022-12-06T21:13:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-vx2x-9cff-fhjw/GHSA-vx2x-9cff-fhjw.json
CWE IDs: []
Alternative ID: N/A
Finding: F159
Auto approve: 1