CVE-2021-42682

Vulnerability

An integer overflow vulnerability exists in Accops HyWorks DVM Tools prior to version 3.3.1.105. The flaw is located in the IOCTL handler for 0x22001B, which processes specially crafted I/O request packets (IRPs). The affected driver is derived from the Eltima SDK, which is also used by other cloud desktop services [1]. The vulnerability exists in the Windows kernel-mode driver component of the DVM Tools [1].

Exploitation

An attacker must have local access to the system. No special privileges are required beyond the ability to send IOCTL requests to the driver. By sending a crafted I/O request packet (IRP) to the vulnerable IOCTL 0x22001B, the integer overflow can be triggered [1]. The exploit does not require user interaction beyond the attacker executing a malicious program that sends the specially crafted IRP.

Impact

Successful exploitation allows a local attacker to execute arbitrary code in kernel mode, leading to full system compromise. The attacker can also cause a denial of service (DoS) by corrupting kernel memory and crashing the operating system [1]. Since kernel mode is the highest privilege level in Windows, an attacker can disable security products, overwrite system components, or perform any malicious operation unimpeded [1].

Mitigation

The vulnerability is fixed in Accops HyWorks DVM Tools version 3.3.1.105. Vendors have released security updates to address these vulnerabilities, and some are automatically applied while others require customer actions [1]. Users should update to the latest version of HyWorks DVM Tools. There is no known workaround other than applying the patch. SentinelLabs reports no evidence of in-the-wild exploitation at the time of disclosure [1].