An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows attackers to impersonate any DriveLock agent on the network against the DES (DriveLock Enterprise Service).
In DriveLock versions 24.1.*, 24.2.* and 25.1.*, the configuration of agent authentication within a DriveLock tenant is incomplete (CWE-287 — improper authentication). This results in the lack of effective verification of the identity of agents communicating with the DriveLock Enterprise Service (DES). A network attacker, without possessing any credentials, can send requests to DES with spoofed identity of any legitimate DriveLock agent.
An attacker can fully impersonate an authorized DriveLock agent and consequently gain unauthorized access to data, introduce unauthorized changes to the configuration of managed endpoints, or disrupt the operation of the DES service, which corresponds to a high impact on confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references (DriveLock security bulletin 25-006 available at the address indicated in the references). It is also recommended to verify and supplement the agent authentication configuration in DriveLock tenants according to the vendor's guidelines.
DriveLock in versions 24.1 to 24.1.*, 24.2 to 24.2.* and 25.1 to 25.1.*
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDrivelock
APPDrivelock24.1 – 24.1.424.2 – 24.2.825.1 – 25.1.6
Related vulnerabilities
DriveLock — eskalacja uprawnień przez manipulację procesami uprzywilejowanymi
XSS w DriveLock Operations Center umożliwiający przejęcie sesji
DriveLock — nieautoryzowana eskalacja uprawnień do roli Supervisor przez API
DriveLock — privilege escalation umożliwiające przejęcie kontroli nad systemem
An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unpriv...