CVE-2021-43000

Vulnerability

A buffer overflow vulnerability exists in the IOCTL handler 0x22001B of the Amzetta zPortal Windows zClient driver, versions up to and including v3.2.8180.148. The flaw occurs when the driver processes specially crafted I/O Request Packets (IRPs) without proper bounds checking, leading to memory corruption. This vulnerability is part of a broader set of issues in Eltima SDK-based USB over Ethernet drivers used by multiple cloud services [1].

Exploitation

An attacker must have local access to the affected system. No additional authentication is required beyond standard user privileges. The attacker sends a maliciously crafted IRP to the driver via the 0x22001B IOCTL code, triggering the buffer overflow. The attack does not require user interaction or special network position, as it is performed locally [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code in kernel mode, resulting in full system compromise. This can be used to disable security products, overwrite system components, corrupt the operating system, or perform other malicious operations with highest privileges. Alternatively, the attacker can cause a denial of service (memory corruption and OS crash) [1].

Mitigation

Amzetta has released security updates to address this vulnerability. Users should update to the latest version of zClient as provided by the vendor. Some updates may be automatically applied, while others require manual action. As of the publication date, no evidence of in-the-wild exploitation has been reported [1].