CVE-2020-15722 in 360 Total Securityinfo

Summary

by MITRE

In version 12.1.0.1004 and below of 360 Total Security,when TPI calls the browser process, there exists a local privilege escalation vulnerability. An attacker who could exploit DLL hijacking could execute arbitrary code on the Local system.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/22/2020

The vulnerability identified as CVE-2020-15722 affects 360 Total Security version 12.1.0.1004 and earlier, representing a critical local privilege escalation flaw that leverages DLL hijacking techniques. This vulnerability specifically manifests when the Threat Prevention Interface (TPI) component invokes browser processes, creating an exploitable condition that allows attackers to execute arbitrary code with elevated privileges on the local system. The flaw resides in the improper handling of dynamic link library loading sequences within the security software's architecture, where the application fails to properly validate or restrict the paths from which required libraries are loaded.

The technical exploitation of this vulnerability follows a classic DLL hijacking attack pattern where an attacker places a malicious DLL file in a location that the vulnerable application will search before finding the legitimate library. In this case, the TPI component's browser process invocation creates a predictable search path that can be manipulated by an attacker with local access. The vulnerability is categorized under CWE-426 as Untrusted Search Path, which specifically addresses issues where applications search for libraries in insecure locations or fail to properly validate library paths. When the malicious DLL is loaded, it executes with the privileges of the elevated process, typically SYSTEM level access, allowing complete compromise of the affected system.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with persistent access to the compromised system with elevated privileges. This creates a significant risk for enterprise environments where 360 Total Security is deployed, as the vulnerability can be exploited by local attackers who gain initial access through other means such as phishing or credential theft. The attack vector requires local system access but does not need network connectivity, making it particularly dangerous in environments where local privilege escalation is not properly mitigated. The vulnerability aligns with ATT&CK technique T1068 which describes the use of local privilege escalation techniques, specifically targeting processes that run with elevated privileges.

Mitigation strategies for CVE-2020-15722 should focus on immediate patching of the 360 Total Security application to version 12.1.0.1005 or later, which contains the necessary fixes for the DLL loading vulnerability. Organizations should also implement additional security controls such as restricting write permissions to system directories and monitoring for suspicious DLL loading activities through process monitoring tools. The Windows Security Control (WSC) and Application Control features should be configured to prevent loading of unsigned or untrusted DLLs, particularly in critical system paths. Network administrators should consider implementing application whitelisting policies that restrict which processes can be executed with elevated privileges, and system administrators should conduct thorough vulnerability assessments to identify any other applications that might be susceptible to similar DLL hijacking attacks. Additionally, regular security awareness training for users can help prevent initial compromise through social engineering attacks that might lead to local access for exploitation.

Reservation

07/14/2020

Moderation

accepted

CPE

ready

EPSS

0.00432

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!