CVE-2022-24140

Severity Score

6.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

IOBit Advanced System Care 15, iTop Screen Recorder 2.1, iTop VPN 3.2, Driver Booster 9, and iTop Screenshot sends HTTP requests in their update procedure in order to download a config file. After downloading the config file, the products will parse the HTTP location of the update from the file and will try to install the update automatically with ADMIN privileges. An attacker Intercepting this communication can supply the product a fake config file with malicious locations for the updates thus gaining a remote code execution on an endpoint.

IOBit Advanced System Care versión 15, iTop Screen Recorder versión 2.1, iTop VPN versión 3.2, Driver Booster versión 9 e iTop Screenshot envían peticiones HTTP en su procedimiento de actualización para descargar un archivo de configuración. Después de descargar el archivo de configuración, los productos analizarán la ubicación HTTP de la actualización desde el archivo e intentarán instalar la actualización automáticamente con privilegios de administrador. Un atacante que intercepte esta comunicación puede suministrar al producto un archivo de configuración falso con ubicaciones maliciosas para las actualizaciones, obteniendo así una ejecución de código remota en un endpoint

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-31 CVE Reserved
2022-07-06 CVE Published
2024-05-22 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-494: Download of Code Without Integrity Check

CAPEC

References (3)

URL	Tag	Source
http://advanced.com	Not Applicable
https://github.com/tomerpeled92/CVE	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://iobit.com	2022-07-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Iobit Search vendor "Iobit"		Advanced System Care Search vendor "Iobit" for product "Advanced System Care"				15 Search vendor "Iobit" for product "Advanced System Care" and version "15"		free		Affected
Iobit Search vendor "Iobit"		Advanced System Care Search vendor "Iobit" for product "Advanced System Care"				15 Search vendor "Iobit" for product "Advanced System Care" and version "15"		pro		Affected
Iobit Search vendor "Iobit"		Driver Booster Search vendor "Iobit" for product "Driver Booster"				9 Search vendor "Iobit" for product "Driver Booster" and version "9"		-		Affected
Iobit Search vendor "Iobit"		Itop Screen Recorder Search vendor "Iobit" for product "Itop Screen Recorder"				2.1 Search vendor "Iobit" for product "Itop Screen Recorder" and version "2.1"		-		Affected
Iobit Search vendor "Iobit"		Itop Screenshot Search vendor "Iobit" for product "Itop Screenshot"				-		-		Affected
Iobit Search vendor "Iobit"		Itop Vpn Search vendor "Iobit" for product "Itop Vpn"				3.2 Search vendor "Iobit" for product "Itop Vpn" and version "3.2"		-		Affected