Cybersecurity researchers on Sunday disclosed several critical vulnerabilities in remote student monitoring software Netop Vision Pro that a malicious attacker could abuse to execute arbitrary code and take over Windows computers.
“These findings allow for elevation of privileges and ultimately remote code execution which could be used by a malicious attacker within the same network to gain full control over students’ computers,” the McAfee Labs Advanced Threat Research team said in an analysis.
The vulnerabilities, tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, were reported to Netop on December 11, 2020, after which the Denmark-based company fixed the issues in an update (version 9.7.2) released on February 25.
“Version 9.7.2 of Vision and Vision Pro is a maintenance release that addresses several vulnerabilities, such as escalating local privileges sending sensitive information in plain text,” the company stated in its release notes.
Netop counts half of the Fortune 100 companies among its customers and connects more than 3 million teachers and students with its software. Netop Vision Pro allows teachers to remotely perform tasks on students’ computers, such as monitoring and managing their screens in real time, restricting access to a list of allowed Web sites, launching applications, and even redirecting students’ attention when they are distracted.
During the course of McAfee’s investigation, several design flaws were uncovered, including:
CVE-2021-27194 – All network traffic between teacher and student is sent unencrypted and in clear text (e.g., Windows credentials and screenshots) without the ability to enable this during setup. In addition, screen captures are sent to the teacher as soon as they connect to a classroom to allow real-time monitoring.
- CVE-2021-27195 – An attacker can monitor unencrypted traffic to impersonate a teacher and execute attack code on student machines by modifying the packet that contains the exact application to be executed, such as injecting additional PowerShell scripts.
- CVE-2021-27192 – A “Technical Support” button in Netop’s “about” menu can be exploited to gain privilege escalation as a “system” user and execute arbitrary commands, restart Netop, and shut down the computer.
- CVE-2021-27193 – A privilege flaw in Netop’s chat plugin could be exploited to read and write arbitrary files in a “working directory” that is used as a drop location for all files sent by the instructor. Worse, this directory location can be changed remotely to overwrite any file on the remote PC, including system executables.
- CVE-2021-27193 is also rated 9.5 out of a maximum of 10 in the CVSS rating system, making it a critical vulnerability.
Needless to say, the consequences of such exploitation could be devastating. They range from the use of ransomware to the installation of keylogging software to the chaining of CVE-2021-27195 and CVE-2021-27193 to keep an eye on the webcams of individual computers running the software, McAfee warned.
While most of the vulnerabilities have been fixed, the fixes put in place by Netop still don’t address the lack of network encryption, which is expected to be implemented in a future update.
“An attacker doesn’t have to compromise the school network; all they need is to find any network where this software is accessible, such as a library, coffee shop or home network,” said researchers Sam Quinn and Douglas McKee. “It doesn’t matter where one of these student’s PCs gets compromised, as a well-designed malware could lay dormant and scan each network the infected PC connects to until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection.”
“Once these machines have been compromised, the remote attacker has full control of the system since they inherit the System privileges. Nothing at this point, could stop an attacker running as ‘system’ from accessing any files, terminating any process, or reaping havoc on the compromised machine,” they added.
The findings come at a time when the US investigative agency Federal Bureau warned last week of an increase in PYSA (aka Mespinoza) ransomware attacks targeting educational institutions in 12 US states and the UK.
We have asked Netop for more details on the security updates and will update this article as soon as we receive a response.