CVE-2023-33668
Description
DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and take over accounts on shared computers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to replace them and bypass security features.
Vulnerability
DigiExam, an Electron-based proctoring application, fails to verify the integrity of its native modules in versions up to v14.0.2. Specifically, the dx-sec module, responsible for security features such as virtual machine detection and process whitelisting, is stored in the user-writable path %localappdata%\DigiExam\app-14.0.2\resources\app.asar.unpacked\node_modules\dx-sec\build\Release\dx-sec.node. Without integrity checks, an attacker can replace this module with a patched version [1].
Exploitation
An attacker with local access to the file system can simply copy a modified dx-sec.node file over the original. The user has write permission to that directory, so no privilege escalation is required. The patched module can, for example, make the detect_virtual_machine function return immediately, thus bypassing VM detection [1]. The exploit does not require user interaction beyond setting up the replacement file before the application runs.
Impact
By replacing the native module, an attacker can disable core security features of DigiExam, including virtual machine detection and unauthorized application blocking. This can lead to account takeover and exposure of personally identifiable information (PII) on shared computers, as the surveillance environment can be subverted [1].
Mitigation
DigiExam v14.0.2 and earlier are affected; no fixed version has been disclosed as of the publication date [1]. Users should ensure that computers running DigiExam are not shared with untrusted parties, or consider alternative proctoring solutions that implement proper integrity verification for native modules. The vendor's official website does not mention a patch for this issue at the time of writing [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DigiExam/DigiExam (description)
Patches
No patches discovered yet.
References
- digiexam.com (mitre)