ALPS ALPINE Touchpad DLL Hijacking

2020.07.21
Credit: Caiyuan Xie
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-200


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Summary: A vulnerability to DLL preloading attacks was found in the ALPS ALPINE Touchpad driver, which might allow an attacker to execute malicious code. ALPS ALPINE has released updates to mitigate this potential vulnerability. Vulnerability Details: The ALPS ALPINE Touchpad driver may try to load DLLs that are not always present in the driver package. If an attacker can gain control of one of the DLL search directories, a malicious copy of the DLL can be placed in that directory and make the vulnerable ALPS ALPINE driver component run malicious code in it. CVE: CVE-2020-15596 CVSS Base Score: 6.4 Medium (if the attacker can get administrative privileges) CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Affected Products: ALPS ALPINE Touchpad driver Recommendation: ALPS ALPINE has worked with OEMs and ODMs to develop software updates that can protect systems from the vulnerability. The solution has been confirmed by AFINE, who discovered and reported the vulnerability. End users and systems administrators should check with their system manufacturers and system software vendors and apply any available updates as soon as practical. Acknowledgments: ALPS ALPINE would like to thank AFINE for finding the vulnerability and validating the solution, as well as the OEM and ODM partners for their support. Best Regards Shirley


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top