Overview
Telerik Analytics Monitor Library is a third-party application analytics service that collects detailed application metrics for vendors. Some versions of the Telerik library allow DLL hijacking, allowing an attacker to load malicious code in the context of the Telerik-based application.
Description
CWE-114: Process Control Telerik Analytics Monitor Library is supplied as a third-party DLL to be integrated into other software. The library is statically linked with its own build of OpenSSL for supporting HTTPS communication. |
Impact
An attacker could exploit this situation by providing malicious DLLs, allowing the attacker to load malicious code in the context of the Telerik-based application. The Telerik Analytics Monitor Library has been used in Industrial Control Systems (ICS), which may allow significant access to the ICS if the vulnerability is exploited. |
Solution
Apply an update |
Vendor Information
The Telerik Analytics Monitor Library is included with several industrial control systems (ICS). We will list known ICS vendors affected below, along with Telerik. |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 6.2 | AV:L/AC:H/Au:N/C:C/I:C/A:C |
Temporal | 4.9 | E:POC/RL:OF/RC:C |
Environmental | 1.2 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
ICS-CERT credits Ivan Sanchez from Nullcode Team who identified a process control vulnerability that led to discovery of this issue.
This document was written by Garret Wassermann.
Other Information
CVE IDs: | CVE-2015-0978 |
Date Public: | 2015-03-10 |
Date First Published: | 2015-03-10 |
Date Last Updated: | 2015-03-13 17:44 UTC |
Document Revision: | 38 |