CVE Vulnerability

CVE-2022-47577

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://medium.com/nestedif/vulnerability-disclosure-business-logic-unauthorized-data-exfiltration-bypassing-dlp-zoho-cc51465ba84a Exploit Third Party Advisory
https://www.manageengine.com/device-control/how-to/device-control.html Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:zohocorp:manageengine_device_control_plus:10.1.2228.15:*:*:*:*:*:*:*
Information

Published : 2022-12-20 04:15

Updated : 2022-12-29 06:45

NVD link : CVE-2022-47577

Mitre link : CVE-2022-47577

Products Affected

Manageengine Device Control Plus

Zohocorp

CWE
NVD-CWE-noinfo