Vulnerability Notice - TeraByte Image for Windows

See all Vulnerability notices

CVE NUMBER

Requested.

CVSS SCORE

7.3 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUMMARY

Our reverse engineering team discovered a kernel handle leak vulnerability in the latest version of Image for Windows, from TeraByte Unlimited. The vulnerability can be abused for, for example, privilege escalation on a local system.

Impacted Versions

The vulnerable component is TBOFLHelper64.sys, a kernel driver that the Image for Windows software can talk to. The latest version of driver is 1.0.0.0. The latest version of the installer is 3.64.0.0, published on the 28th of January 2024 (source). The MD5 hashes are included below.

• MD5 (installer-latest-trial.exe) = 162be202a3549a190a735809f7e4aab2
• MD5 (tboflhelper.sys) = f3278c2a21e999d259c8aa3af7c5cb85
• MD5 (tboflhelper64.sys) = 6d810fbf251792ec3bfb5aeef2462914

TeraByte Unlimited notified Northwave that installer version 4.0.0.0 includes a fix for the vulnerability.

DETAILS

The vulnerable component is TBOFLHelper64.sys. There are two kernel handle leaks present in the driver, which can be triggered from a low-privileged user context. This is due to the driver device being accessible by everyone on the local system. The kernel handle leak can be abused to obtain privilege escalation by abusing existing handles in e.g. the System (PID 4) process.

TIMELINE

• 04-03-2024 - Initial notice to and request for security contact.
• 04-03-2024 - First reply from TeraByte security team requesting more information.
• 05-03-2024 - Sent full vulnerability details to TeraByte security team.
• 30-03-2024 - TeraByte security team notified Northwave of patched versions.
• 04-06-2024 - Planned public release of our blog post.

REFERENCE

Image for Windows software: https://www.terabyteunlimited.com/image-for-windows/

CREDIT

Discovered by Tijme Gommers, Jan-Jaap Korpershoek and Alex Oudenaarden of Northwave Cyber Security.

Disclaimer