CVE-2022-24696 - Privilege Escalation Vulnerability in Mirametrix Glance (prior to version 5.1.1.42207)

An important security vulnerability, indexed as CVE-2022-24696, has been identified in Mirametrix Glance software prior to version 5.1.1.42207 (released on 2018-08-30). This vulnerability allows a local attacker with limited system access to elevate their privileges to potentially take control of the entire system. This issue is not related to any products offered by the glance.com or glance.net websites.

Vulnerability Details:

The identified vulnerability specifically affects the Mirametrix Glance software that facilitates screen sharing, video, and audio communication between users. The software stores its sensitive data and log files in an improperly secured folder, which can be accessed and modified by any local user with limited privileges. By exploiting this vulnerability, a potential attacker can insert malicious code or modify the application's binaries and escalate their privileges.

Exploit:

The following code snippet demonstrates how an attacker with limited privileges can exploit this vulnerability to elevate their permissions:

// Assuming the attacker has limited access to the vulnerable system
// File path: C:\ProgramData\Mirametrix\Glance\log.txt

1. Access the improperly secured folder: 
   C:\ProgramData\Mirametrix\Glance

2. Create or modify an existing log.txt file with malicious content:
   log.txt content: "Malicious Code"

3. Save the changes and wait for the application to access the log file.

By executing the above steps, the attacker can successfully exploit the vulnerability to gain elevated privileges on the targeted system.

Mitigation:

As of August 30, 2018, the maintainers of Mirametrix Glance have released an updated version (5.1.1.42207) that addresses this security vulnerability. It is strongly advised for users to download and install the most recent version of the software from the official website or through the auto-update feature in the Glance application.

To manually update to the latest version of Mirametrix Glance

1. Visit the official Mirametrix Glance website: https://www.mirametrix.com/glance

Install the updated software, following the guided prompts.

Alternatively, users can utilize the auto-update feature within the Glance application to safely update to the latest patched version.

Moreover, users should follow general security best practices, such as keeping their operating systems and software applications up-to-date, use strong passwords, and apply the principle of least privilege.

References:

To learn more about CVE-2022-24696 and the affected versions of Mirametrix Glance software, refer to the following official sources:

1. CVE-2022-24696 Entry - NIST National Vulnerability Database (NVD)

2. Mirametrix Glance Official Website

3. Software Update Policy - Mirametrix Glance

In conclusion, users of Mirametrix Glance software prior to version 5.1.1.42207 are urged to update to the latest version as soon as possible, as this vulnerability poses significant security risks. By following the provided mitigation steps and adopting good security practices, users can effectively guard against potential attacks leveraging this vulnerability.

Timeline

Published on: 03/13/2022 18:15:00 UTC
Last modified on: 03/19/2022 01:08:00 UTC