CVE-2023-4936 - Vulnerability Details - OpenCVE

It is possible to sideload a compromised DLL during the installation at elevated privilege.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Synaptics	Displaylink Usb Graphics

Configuration 1 [-]

cpe:2.3:a:synaptics:displaylink_usb_graphics:*:*:*:*:*:windows:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-54772	It is possible to sideload a compromised DLL during the installation at elevated privilege.

Fixes

Solution

No solution given by the vendor.

Workaround

update to 11.2M0

References

Link	Providers
https://www.synaptics.com/
https://www.synaptics.com/products/displaylink-graphics/downloads/windows
https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf

History

Wed, 18 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Synaptics

Published: 2023-10-11T17:00:07.311Z

Updated: 2024-09-18T18:42:24.025Z

Reserved: 2023-09-13T13:08:54.293Z

Link: CVE-2023-4936

Vulnrichment

Updated: 2024-08-02T07:44:52.647Z

NVD

Status : Modified

Published: 2023-10-11T17:15:11.117

Modified: 2024-11-21T08:36:18.317

Link: CVE-2023-4936

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4936", "assignerOrgId": "54bb2a58-4278-44a9-851f-17e74ee51f48", "state": "PUBLISHED", "assignerShortName": "Synaptics", "dateReserved": "2023-09-13T13:08:54.293Z", "datePublished": "2023-10-11T17:00:07.311Z", "dateUpdated": "2024-09-18T18:42:24.025Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "DisplayLink USB Graphics Software for Windows", "vendor": "Synaptics", "versions": [{"lessThanOrEqual": "11.1 M1", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "11.2M0"}]}], "datePublic": "2023-10-11T16:44:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "It is possible to sideload a compromised DLL during the installation at elevated privilege."}], "value": "It is possible to sideload a compromised DLL during the installation at elevated privilege."}], "impacts": [{"capecId": "CAPEC-184", "descriptions": [{"lang": "en", "value": "CAPEC-184 Software Integrity Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "54bb2a58-4278-44a9-851f-17e74ee51f48", "shortName": "Synaptics", "dateUpdated": "2023-10-11T17:00:07.311Z"}, "references": [{"url": "https://www.synaptics.com/"}, {"url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows"}, {"url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf"}], "source": {"discovery": "EXTERNAL"}, "title": "Synaptics-DisplayLink-privilege escalation vulnerability via a dynamic library sideloading", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "update to 11.2M0"}], "value": "update to 11.2M0"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.647Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synaptics.com/", "tags": ["x_transferred"]}, {"url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows", "tags": ["x_transferred"]}, {"url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T18:42:15.398969Z", "id": "CVE-2023-4936", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T18:42:24.025Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.synaptics.com/", "tags": ["x_transferred"]}, {"url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows", "tags": ["x_transferred"]}, {"url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.647Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4936", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T18:42:15.398969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T18:42:18.720Z"}}], "cna": {"title": "Synaptics-DisplayLink-privilege escalation vulnerability via a dynamic library sideloading", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-184", "descriptions": [{"lang": "en", "value": "CAPEC-184 Software Integrity Attack"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synaptics", "product": "DisplayLink USB Graphics Software for Windows", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "11.1 M1"}, {"status": "unaffected", "version": "11.2M0"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "datePublic": "2023-10-11T16:44:00.000Z", "references": [{"url": "https://www.synaptics.com/"}, {"url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows"}, {"url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf"}], "workarounds": [{"lang": "en", "value": "update to 11.2M0", "supportingMedia": [{"type": "text/html", "value": "update to 11.2M0", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "It is possible to sideload a compromised DLL during the installation at elevated privilege.", "supportingMedia": [{"type": "text/html", "value": "It is possible to sideload a compromised DLL during the installation at elevated privilege.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "54bb2a58-4278-44a9-851f-17e74ee51f48", "shortName": "Synaptics", "dateUpdated": "2023-10-11T17:00:07.311Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4936", "state": "PUBLISHED", "dateUpdated": "2024-09-18T18:42:24.025Z", "dateReserved": "2023-09-13T13:08:54.293Z", "assignerOrgId": "54bb2a58-4278-44a9-851f-17e74ee51f48", "datePublished": "2023-10-11T17:00:07.311Z", "assignerShortName": "Synaptics"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synaptics:displaylink_usb_graphics:*:*:*:*:*:windows:*:*", "matchCriteriaId": "556A4D18-8E24-49D3-B621-EC40C16431E4", "versionEndExcluding": "11.2m0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It is possible to sideload a compromised DLL during the installation at elevated privilege."}, {"lang": "es", "value": "Es posible descargar una DLL comprometida durante la instalaci\u00f3n con privilegios elevados."}], "id": "CVE-2023-4936", "lastModified": "2024-11-21T08:36:18.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.7, "source": "PSIRT@synaptics.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-11T17:15:11.117", "references": [{"source": "PSIRT@synaptics.com", "tags": ["Product"], "url": "https://www.synaptics.com/"}, {"source": "PSIRT@synaptics.com", "tags": ["Product"], "url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows"}, {"source": "PSIRT@synaptics.com", "tags": ["Vendor Advisory"], "url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.synaptics.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.synaptics.com/products/displaylink-graphics/downloads/windows"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.synaptics.com/sites/default/files/nr-154525-tc-synaptics_displaylink_windows_driver_security_brief_-_oct2023.pdf"}], "sourceIdentifier": "PSIRT@synaptics.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "PSIRT@synaptics.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}]}