Vulnerability Disclosure - Business Logic: Unauthorised Data Exfiltration Bypassing DLP @ Zoho Device Control Plus
--
Status: Open (As on 17-Dec-2022)
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 7.1 (High Severity)
CVE-2022-47577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47577
Impacted Component: Device Control Plus (Desktop App)
Assumption: The enterprise wants to block USB access (to prevent employees from stealing sensitive documents, or to prevent accidental ingestion of malware) and has implemented a complete restriction of removable USB media plus an audit trail to capture any violations.
Vulnerability Description: It was observed that, despite configuring a complete restriction for any USB pen drive, USB HDD, memory card, mobile device, etc., the USB restriction can be bypassed by using a VM, and files can be exchanged outside the laptop/system. VMs can be created by any employee (even without admin rights) and are very difficult for the IT team to block, which makes data exfiltration over USB very easy.
Impact:
Loss of data confidentiality/integrity (sensitive information can be stolen, arbitrary code can be executed). This defeats the whole concept of data loss prevention while attempting USB restriction.
Exploitability Rationale:
The user (attacker) can have either admin or non-admin privileges. No logs would be created, since the base OS has no control within the VM, which makes forensic results inaccurate. (Verified on Windows 10; applicable to all *nix and Windows machines.)
Steps to Reproduce:
Method 1:
- Install any VM on the same host where the USB restriction is implemented.
- Attach the USB device to that VM.
- Share a drive of the base host machine with the VM.
- Copy files bidirectionally to/from the VM via the USB device.
Method 2:
- Long-press the Shift key while the OS boots, or from an elevated admin cmd.exe run: C:\Windows\System32\bcdedit.exe /set safeboot network
- The reboot will start Windows in Safe Mode, where the USB restriction agent will not start.
- Log in as an admin/non-admin user and connect the USB drive.
- Copy files bidirectionally to/from the VM via the USB device.
Takeaways:
We should always be ready for various tricks against client-side security controls (there is no silver bullet for such issues).
To make things a little more difficult, keep track of the data bus at a very low level to see file transfers to/from USB, or develop a VM provisioning scheme.
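Since a client-side agent cannot protect itself once the host is booted in Safe Mode (Method 2), the realistic defence is to alert on the preparation step. The following is an added example, not code from the disclosure or from Zoho: a small detector that scans constructed Sysmon Event ID 1 (process creation) style records for bcdedit invocations that set or clear the safeboot value; the event field names and sample lines are assumptions made for this example.

```python
import json
import re
from os.path import basename

# Constructed Sysmon Event ID 1 (process creation) style records; not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\bcdedit.exe", '
    r'"CommandLine": "bcdedit.exe /set safeboot network"}',
    r'{"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\bcdedit.exe", '
    r'"CommandLine": "bcdedit /enum"}',
    r'{"EventID": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "cmd.exe /c BCDEDIT /SET {current} SAFEBOOT MINIMAL"}',
    r'{"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\bcdedit.exe", '
    r'"CommandLine": "bcdedit.exe /deletevalue safeboot"}',
    r'{"EventID": 3, "User": "CORP\\carol", "Image": "C:\\Program Files\\App\\app.exe", '
    r'"CommandLine": "app.exe --safeboot"}',
]

# Matches a bcdedit call that sets or clears safeboot, regardless of case, of an optional
# explicit {id} target, and of whether bcdedit is the image itself or launched via a shell.
SAFEBOOT_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*?/(set|deletevalue)\s+(?:\{[^}]*\}\s+)?safeboot\b",
    re.IGNORECASE,
)

def parse_event(line: str) -> dict:
    return json.loads(line)

def classify(event: dict):
    """Return an alert dict if the event is a safeboot tamper attempt, else None."""
    if event.get("EventID") != 1:
        return None  # only process-creation records carry the command line of interest
    m = SAFEBOOT_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    return {
        "user": event.get("User"),
        "image": basename(event.get("Image", "").replace("\\", "/")),
        "action": "set-safeboot" if m.group(1).lower() == "set" else "clear-safeboot",
        "command": event["CommandLine"],
    }

def scan(lines):
    """Parse each record and collect alerts; clearing safeboot is flagged too, as cleanup."""
    return [a for a in (classify(parse_event(l)) for l in lines) if a]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['action']}] {a['user']} via {a['image']}: {a['command']}")
```

This only covers the bcdedit path; a Safe Mode boot triggered by holding Shift leaves no command line, so it should be paired with a boot-time check that the agent service actually started after each reboot.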