Guest Adnan, posted June 20, 2023
Hi, one of the endpoints in our network has been exploited via CVE-2021-1079 while ESET components were present and the latest version is in use via the latest update. The problem is that even though EDR components are installed on the machine, no notification was received. Can anyone assist?
Marcos (Administrator), posted June 20, 2023
At https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1079 there's only a quite generic description of the CVE: "NVIDIA GeForce Experience, all versions prior to 3.22, contains a vulnerability in GameStream plugins where log files are created using NT/System level permissions, which may lead to code execution, denial of service, or local privilege escalation. The attacker does not have control over the consequence of a modification nor would they be able to leak information as a direct result of the overwrite." It is not clear if all plugins are affected and if there's a PoC available. To me it looks as though a Vulnerability & Patch Management product should take care of it.
itman, posted June 20, 2023
Marcos said: "if there's a PoC available."
https://voidsec.com/nvidia-geforce-experience-command-execution/
itman, posted June 20, 2023
BTW, all NVIDIA vulnerabilities are listed here: https://www.nvidia.com/en-us/security/ . I would pay attention to the GPU Display Driver - March, 2023 vulnerability, since this one for some reason was overlooked by all the web security sources I use, resulting in zip publicity about it.
itman, posted June 20, 2023
Also note that NVIDIA released another NVIDIA GeForce Experience vulnerability notice with a patch update in January, 2023, assigned as CVE-2022-42291, CVE-2022-31611, and CVE-2022-42292: https://nvidia.custhelp.com/app/answers/detail/a_id/5384 . This appears to have functional similarities to CVE-2021-1079. As such, it may not have been fully patched with the prior update issued for this.
Edited June 20, 2023 by itman
Guest Adnan, posted June 21, 2023
Thanks for the replies. The question is, considering the fact that it is related to the Patch Management service: when a system is being exploited, should EDR technology be able to log, detect and respond or not?
itman, posted June 21, 2023
Guest Adnan said: "considering the fact that it is related to the Patch Management service"
Here's a reference to the ESET Vulnerability & Patch Management feature: https://www.eset.com/int/business/solutions/vulnerability-patch-management/ . As I interpret the feature, its purpose is to detect if a known vulnerability exists, inform of this fact, and auto-apply, if possible, any update patches available. I see nothing in this feature that would prevent exploitation of a known unpatched vulnerability. It appears to me that in regards to this CVE-2021-1079 exploit, it "slipped through" ESET Endpoint and EDR detection, most likely due to the fact that ESET wasn't aware that a PoC existed for the vulnerability which would have been used as a basis for behavior detection of exploit activities.
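The check that itman describes as the purpose of a vulnerability-management feature (detect whether a known vulnerable version is present and report it) looks like this in its simplest form. This is an added example, not ESET's code and not part of the original thread. It assumes a software inventory of (host, product, version) records; the host names and version strings are constructed sample data, and the only fact taken from the thread is the CVE-2021-1079 threshold (GeForce Experience prior to 3.22 is affected).

```python
"""Inventory audit for CVE-2021-1079 (NVIDIA GeForce Experience < 3.22).

Added example; not ESET code. Hosts and version strings are constructed.
"""
import re
from typing import List, NamedTuple, Tuple

CVE_ID = "CVE-2021-1079"
AFFECTED_PRODUCT = "NVIDIA GeForce Experience"
FIXED_VERSION = "3.22"  # CVE text: "all versions prior to 3.22"


class Installed(NamedTuple):
    host: str
    product: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.21.0.36' into (3, 21, 0, 36); a non-numeric tail is dropped."""
    parts = []
    for field in v.strip().split("."):
        m = re.match(r"\d+", field)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version < fixed, compared numerically field by field.

    A plain string comparison would rank '3.9' above '3.22' and so miss
    the oldest installs, which is why each field is compared as an int.
    """
    return parse_version(version) < parse_version(fixed)


def audit(inventory: List[Installed]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs still running an affected build."""
    findings = []
    for item in inventory:
        if item.product.lower() != AFFECTED_PRODUCT.lower():
            continue  # other NVIDIA packages are outside this CVE's scope
        if is_vulnerable(item.version):
            findings.append((item.host, item.version))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    Installed("ws-01", "NVIDIA GeForce Experience", "3.21.0.36"),
    Installed("ws-02", "NVIDIA GeForce Experience", "3.22.0.32"),
    Installed("ws-03", "NVIDIA GeForce Experience", "3.9.0.97"),
    Installed("ws-04", "NVIDIA Graphics Driver", "531.41"),
]

if __name__ == "__main__":
    for host, ver in audit(SAMPLE_INVENTORY):
        print(f"{host}: {AFFECTED_PRODUCT} {ver} is affected by {CVE_ID}; "
              f"update to {FIXED_VERSION} or later")
```

Run as-is, the script reports ws-01 and ws-03 and is silent about the patched ws-02 and the unrelated driver package. As itman notes, a report of this kind tells you the exposure exists and which hosts need the update; it does nothing to stop exploitation on a host that has not yet been patched, which is the EDR question the thread is really about.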