Silicon Labs: Software and driver installer with DLL injection vulnerabilities
Attackers can exploit a DLL injection vulnerability in ten Silicon Labs software and driver installers.
(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)
In particular, Silicon Labs produces circuits for connecting older serial interfaces (protocols) to USB. In many cases, the installation programs for the associated drivers and software have a security vulnerability that makes it possible to insert your libraries and thus inject your code.
Silicon Labs hides a summary behind a log-in. However, the CVE entries for the vulnerable products are public. According to them, the installers do not filter the search path properly, which opens up these so-called DLL injection gaps. Attackers can exploit this to extend their rights or execute arbitrary code when starting the installers.
Videos by heise
In total, the installation packages for ten Silicon Labs products are affected:
- Silicon Labs (8-bit) IDE(CVE-2024-9490, CVSS 8.6, risk “high”)
- Silicon Labs Configuration Wizard 2(CVE-2024-9491, CVSS 8.6, high)
- Silicon Labs Flash Programming Utility(CVE-2024-9492, CVSS 8.6, high)
- Silicon Labs ToolStick(CVE-2024-9493, CVSS 8.6, high)
- Silicon Labs CP210 VCP Win 2k(CVE-2024-9494, CVSS 8.6, high)
- Silicon Labs CP210x VCP Windows(CVE-2024-9495, CVSS 8.6, high)
- Silicon Labs USBXpress Dev Kit(CVE-2024-9496, CVSS 8.6, high)
- Silicon Labs USBXpress 4 SDK(CVE-2024-9497, CVSS 8.6, high)
- Silicon Labs USBXpress SDK(CVE-2024-9498, CVSS 8.6, high)
- Silicon Labs USBXpress Win 98SE Dev Kit(CVE-2024-9499, CVSS 8.6, high)
The installation programs for outdated operating systems, such as USBXpress, are available in apparently vulnerable versions on the Silicon Labs download page. Anyone who still needs this software should contact the company's support and ask for error-corrected installation programs. Apart from a universal Windows driver for the CP210x VCP modules, the installers for the USB converters are also older. It may also help to ask the manufacturer's support team for error-corrected installation packages.
Those affected should move the previous installation programs to non-permanently connected media such as USB sticks and delete them from the computer so that attackers cannot misuse them to extend their rights.
DLL injection vulnerabilities occur more frequently and jeopardize the security of systems. In 2021, for example, Kaseya's Unitrend Windows Agent also had a DLL injection vulnerability and a binary planting vulnerability, making it possible to inject foreign code.
(dmk)
