Full Report
The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help... The post Netop Vision Pro – Distance Learning Software is 20/20 in Hindsight appeared first on McAfee Blog.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Netop Vision Pro Leading to Remote Code Execution and Eavesdropping
## CVE Details
- CVE IDs: CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, CVE-2021-27195
- CVSS Score: Not listed in the source; the issues are described as **Critical**, allowing Elevation of Privilege (EoP) and Remote Code Execution (RCE).
- CWE: Not specified; the described behaviour implies local EoP, potential injection/data-exposure issues and, for CVE-2021-27194, clear-text transmission of sensitive information.
## Affected Systems
- Products: Netop Vision Pro
- Versions: Prior to Netop Vision Pro 9.7.2
- Configurations: Standard configurations utilized in K-12 environments (Teacher/Student setup). The issues are most impactful when the network is compromised, such as during distance learning setups.
## Vulnerability Description
McAfee researchers discovered four critical, previously unreported vulnerabilities in Netop Vision Pro. These flaws allow an attacker on the same network to gain full control over student computers, primarily by abusing the student agent, which runs with elevated (System) permissions.
Key issues identified include:
1. **Plaintext Network Traffic (CVE-2021-27194):** All network traffic, including Windows credentials transmitted during a "Log on" command and real-time student screen captures, was sent unencrypted.
2. **Privilege Escalation/RCE Potential:** Flaws in component permissions allowed attackers to escalate privileges on the student agent, which ran as a System service. The patched version mitigates these local privilege escalations as well as the arbitrary read/write primitives in the MChat client.
## Exploitation
- Status: PoC available (the researchers confirmed working exploitation paths leading to EoP and potential RCE).
- Complexity: Implied **Low to Medium**; the vulnerabilities were found readily during initial setup (e.g., unencrypted traffic, misconfigured permissions).
- Attack Vector: **Adjacent Network** (An attacker must be on the same local network as the victim machine).
## Impact
- Confidentiality: **High** (Plaintext transmission of credentials and real-time screen monitoring).
- Integrity: **High** (Ability to execute code with System privileges).
- Availability: **Medium** (Potential for system disruption/denial of service via code execution).
## Remediation
### Patches
- **Netop Vision Pro 9.7.2 (Released February 2021):**
* Fixed local privilege escalations (plugins now run as the student user instead of System).
* Encrypted Windows credentials using RC4 during transmission.
* Mitigated arbitrary read/writes on the remote filesystem within the MChat client.
### Workarounds
- **Network Segmentation:** Given the requirement for an adjacent network attacker, strict network segmentation should be enforced to prevent unauthorized access to classroom/student networks.
- **Future Update:** Netop is reportedly working on implementing encryption for **all** network traffic, including screenshots, in a future update (as of the time of the advisory). Users should monitor for this enhancement.
## Detection
- **Indicators of Compromise:**
* Anomalous system service activity originating from the Netop student agent running with elevated privileges (prior to patching).
* Detection of unencrypted network traffic (e.g., Windows credentials, continuous streams of image data) associated with Netop processes on the network.
- **Detection Methods and Tools:**
* Network traffic analysis tools configured to detect unencrypted communication between Netop components.
* Host-based intrusion detection systems monitoring processes launched by the Netop agent components that run as `System`.
## References
- Vendor advisory: Netop
- Research Disclosure: McAfee Labs Advanced Threat Research
- Links (Defanged):
* hXXps://www[.]netop[.]com/vision/
* hXXps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2021-27192
* hXXps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2021-27193
* hXXps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2021-27194
* hXXps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2021-27195