{"vuid":"VU#794095","idnumber":"794095","name":"Telerik Analytics Monitor Library allows DLL hijacking","keywords":["dll hijack","CWE-114"],"overview":"Telerik Analytics Monitor Library is a third-party application analytics service that collects detailed application metrics for vendors. Some versions of the Telerik library allow DLL hijacking, allowing an attacker to load malicious code in the context of the Telerik-based application.","clean_desc":"CWE-114: Process Control. Telerik Analytics Monitor Library is supplied as a third-party DLL to be integrated into other software. The library is statically linked with its own build of OpenSSL for supporting HTTPS communication. The vulnerability was introduced in Telerik Analytics Monitor Library version 3.2.96 from August 3, 2014. In version 3.2.96, the OpenSSL library was built with hardware support, allowing the Telerik Analytics Monitor Library to attempt to load a set of well-known cryptography DLLs at runtime. On an affected machine, the Telerik Analytics Monitor Library would try to load four such DLLs (csunsapi.dll, swift.dll, nfhwcrhk.dll, and surewarehook.dll). These four DLLs are not distributed by Telerik. The affected Telerik Analytics Monitor Library DLLs are named EQATEC.Analytics.Monitor.Win32_vc100.dll (for 32-bit systems) and EQATEC.Analytics.Monitor.Win32_vc100-x64.dll (for 64-bit systems), but report file version 1.0.0.1 instead of the correct 3.2.x.","impact":"An attacker could exploit this situation by providing malicious DLLs, allowing the attacker to load malicious code in the context of the Telerik-based application. The Telerik Analytics Monitor Library has been used in Industrial Control Systems (ICS), which may allow significant access to the ICS if the vulnerability is exploited.","resolution":"Apply an update. This behavior was changed in Telerik Analytics Monitor Library version 3.2.125. In version 3.2.125 and later, OpenSSL is built without hardware support and will not attempt to load any third-party DLLs at runtime. However, Telerik recommends affected users update to version 3.2.129, which not only includes this security fix, but also a fix for a regression introduced after 3.2.125.","workarounds":"","sysaffected":"The Telerik Analytics Monitor Library is included with seve","thanks":"ICS-CERT credits Ivan Sanchez from Nullcode Team who identified a process control vulnerability that led to discovery of this issue.","author":"This document was written by Garret Wassermann.","public":["http://www.telerik.com/support/whats-new/analytics/release-history/analytics-monitor-library-3.2.125","http://www.telerik.com/support/whats-new/analytics/release-history/analytics-monitor-library-v3.2.129"],"cveids":["CVE-2015-0978"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-02-09T17:37:14Z","publicdate":"2015-03-10T00:00:00Z","datefirstpublished":"2015-03-10T22:02:57Z","dateupdated":"2015-03-13T17:44:49Z","revision":38,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"H","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.2","cvss_basevector":"AV:L/AC:H/Au:N/C:C/I:C/A:C","cvss_temporalscore":"4.9","cvss_environmentalscore":"1.215149802048","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}