CVE-2022-24141

The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient().

CVSS v3 5.4 MEDIUM
CVSS v2.0 5.5 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:N

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://iobit.com	Vendor Advisory
http://itop.com	Not Applicable
https://github.com/tomerpeled92/CVE/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:iobit:itop_vpn:3.2:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-07-06 13:15

Updated : 2022-07-14 01:50

NVD link : CVE-2022-24141

Mitre link : CVE-2022-24141

CVE.ORG link : CVE-2022-24141

JSON object : View

Products Affected

iobit

itop_vpn

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-24141", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2022-07-06T13:15:09.357", "references": [{"url": "http://iobit.com", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://itop.com", "tags": ["Not Applicable"], "source": "cve@mitre.org"}, {"url": "https://github.com/tomerpeled92/CVE/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient()."}, {"lang": "es", "value": "El componente iTopVPNmini.exe de iTop VPN versi\u00f3n 3.2, intentar\u00e1 conectarse a datastate_iTopVPN_Pipe_Server en un bucle. Un atacante que abriera una tuber\u00eda con nombre con el mismo nombre puede usarla para obtener el token de otro usuario escuchando conexiones y abusando de la funci\u00f3n ImpersonateNamedPipeClient()"}], "lastModified": "2022-07-14T01:50:52.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:iobit:itop_vpn:3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D35825EC-63C8-4374-B4F4-FD88193C7895"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}