{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-47577", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T14:55:08.395Z", "dateReserved": "2022-12-19T00:00:00", "datePublished": "2022-12-20T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is \"it's not a vulnerability in our product.\""}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://medium.com/nestedif/vulnerability-disclosure-business-logic-unauthorized-data-exfiltration-bypassing-dlp-zoho-cc51465ba84a"}, {"url": "https://www.manageengine.com/device-control/how-to/device-control.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:L/A:N/C:H/I:H/PR:L/S:U/UI:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T17:48:09.788539Z", "id": "CVE-2022-47577", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T17:48:16.494Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:55:08.395Z"}, "title": "CVE Program Container", "references": [{"url": "https://medium.com/nestedif/vulnerability-disclosure-business-logic-unauthorized-data-exfiltration-bypassing-dlp-zoho-cc51465ba84a", "tags": ["x_transferred"]}, {"url": "https://www.manageengine.com/device-control/how-to/device-control.html", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://medium.com/nestedif/vulnerability-disclosure-business-logic-unauthorized-data-exfiltration-bypassing-dlp-zoho-cc51465ba84a", "tags": ["x_transferred"]}, {"url": "https://www.manageengine.com/device-control/how-to/device-control.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:55:08.395Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-47577", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T17:48:09.788539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T17:48:13.880Z"}}], "cna": {"tags": ["disputed"], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:L/A:N/C:H/I:H/PR:L/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://medium.com/nestedif/vulnerability-disclosure-business-logic-unauthorized-data-exfiltration-bypassing-dlp-zoho-cc51465ba84a"}, {"url": "https://www.manageengine.com/device-control/how-to/device-control.html"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is \"it's not a vulnerability in our product.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-27T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2022-47577", "state": "PUBLISHED", "dateUpdated": "2024-08-03T14:55:08.395Z", "dateReserved": "2022-12-19T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-12-20T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_device_control_plus:10.1.2228.15:*:*:*:*:*:*:*", "matchCriteriaId": "8DF55C54-54D8-4599-AE20-C216D2EA5F27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is \"it's not a vulnerability in our product.\""}, {"lang": "es", "value": "** EN DISPUTA ** Se descubri\u00f3 un problema en el agente de protecci\u00f3n de endpoints en Zoho ManageEngine Device Control Plus 10.1.2228.15. A pesar de configurar restricciones completas en pendrives USB, dispositivos HDD USB, tarjetas de memoria, conexiones USB a dispositivos m\u00f3viles, etc., todav\u00eda es posible saltarse las restricciones USB haciendo uso de una m\u00e1quina virtual (VM). Esto permite intercambiar un archivo fuera de la computadora port\u00e1til/sistema. Cualquier usuario puede crear m\u00e1quinas virtuales (incluso sin derechos de administrador). La filtraci\u00f3n de datos puede ocurrir sin ning\u00fan registro en el registro de auditor\u00eda de eventos de Windows en la m\u00e1quina host. NOTA: la posici\u00f3n del proveedor es \"no es una vulnerabilidad en nuestro producto\"."}], "id": "CVE-2022-47577", "lastModified": "2024-08-03T15:15:49.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2022-12-20T04:15:09.790", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://medium.com/nestedif/vulnerability-disclosure-business-logic-unauthorized-data-exfiltration-bypassing-dlp-zoho-cc51465ba84a"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/device-control/how-to/device-control.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}