← Advisories

Tosibox Key Service 3.3.0 Local Privilege Escalation

Medium

Advisory ID

ZSL-2024-5812

Release Date

23 February 2024

Vendor

Tosibox Oy - https://www.tosibox.com

Affected Version

<=3.3.0

CVE

CVE-2024-58315

Tested On

Windows 10 Home 64 bit (build 9200)

Summary

TOSIBOX® SoftKey is a software that enables a secure connection between your computer and one or more TOSIBOX® Nodes, giving you full visibility and control over the network devices connected to the Node.

Description

The application suffers from an unquoted search path issue impacting the service 'Tosibox Key Service' for Windows deployed as part of Tosibox software application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Proof of Concept

tosibox_eop.txtTXT

Disclosure Timeline

30.01.2024Vulnerability discovered.

31.01.2024Vendor contacted.

31.01.2024Vendor responds asking for more details.

31.01.2024Sent details to the vendor.

31.01.2024Vendor confirms receipt of the details.

01.02.2024Vendor starts investigating the issue.

08.02.2024Vendor confirms the vulnerability as High, working on a fix.

10.02.2024Replied to the vendor.

21.02.2024Vendor responds with release plan.