#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: HYPR Workforce Access [1]
# Vendor:  HYPR [2]
# CSNC ID: CSNC-2022-008
# CVE ID:  CVE-2022-1984
# Subject: Unsafe Deserialization
# Risk:    High
# Effect:  Locally exploitable
# Author:  Philipp Mao
# Date:    10.6.2022
#
#############################################################

Introduction:
-------------
HYPR Workforce Access allows employees to log in to their machine using
only their smartphone (without having to enter a password).

The HYPRUnlockGateway service exposes a named pipe, which deserializes
input in an unsafe manner, leading to local privilege escalation.

Affected:
---------
HYPR Workforce Access < 7.3.0

Technical Description
---------------------
The HYPRUnlockGateway service exposes a named pipe. The Log function,
which can be called via this pipe, deserializes its input in an unsafe
manner:

    public static LoggingEvent ConvertStringToLogginngEvent(
      string loggingEventSerialized)
    {
      [CUT BY COMPASS]
      byte[] buffer = Convert.FromBase64String(loggingEventSerialized);
      return (LoggingEvent) new BinaryFormatter().Deserialize((Stream) new MemoryStream(buffer, 0, buffer.Length));
    }
    }

    public void Log(string loggingEventSerialized)
    {
      [CUT BY COMPASS]
      HyprUnlockGateway.j.DoAppend(WsLogger.ConvertStringToLogginngEvent(loggingEventSerialized));
      [CUT BY COMPASS]
    }
    }

A local user on the machine can send serialized payloads to the Log
function and escalate privileges to the SYSTEM user.

Workaround / Fix:
-----------------
Update to the newest HYPR Workforce Access version.

Timeline:
---------
2021-02-21: Discovery by Philipp Mao
2021-02-21: Initial vendor notification/response
2022-05-11: Fixed version released
2022-10-05: Advisory publication

References:
-----------
[1] https://www.hypr.com/workforce-authentication/
[2] https://www.hypr.com/
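
The unsafe pattern from the Technical Description, replaced with a data-only parser. This is an added example, not part of the advisory and not HYPR's actual fix; it shows that System.Text.Json binds the pipe input to one declared type, so the bytes cannot select a type to instantiate the way a BinaryFormatter stream can. LogRecord, SafeLogParser, the field names, the level list and the size limits are all assumptions.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Hypothetical data-only log record (assumption; not HYPR's or log4net's type).
public sealed class LogRecord
{
    public string Level { get; set; }
    public string Message { get; set; }
    public DateTime TimestampUtc { get; set; }
}

public static class SafeLogParser
{
    private const int MaxEncodedChars = 16 * 1024; // assumed cap per pipe message
    private const int MaxMessageChars = 4 * 1024;  // assumed cap on the text field
    private static readonly string[] Levels = { "DEBUG", "INFO", "WARN", "ERROR", "FATAL" };
    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions { MaxDepth = 4 };
    // Returns false instead of throwing so the pipe server can drop bad input.
    public static bool TryParse(string encoded, out LogRecord record)
    {
        record = null;
        if (string.IsNullOrEmpty(encoded) || encoded.Length > MaxEncodedChars) return false;
        try
        {
            byte[] raw = Convert.FromBase64String(encoded);
            // Binds to LogRecord only: the input cannot name a type to instantiate.
            LogRecord parsed = JsonSerializer.Deserialize<LogRecord>(raw, Options);
            if (parsed == null || parsed.Message == null || parsed.Message.Length > MaxMessageChars) return false;
            if (Array.IndexOf(Levels, parsed.Level) < 0) return false;
            record = parsed;
            return true;
        }
        catch (FormatException) { return false; } // not valid Base64
        catch (JsonException) { return false; }   // not valid JSON for LogRecord
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs: a valid record, then non-JSON bytes.
        string json = "{\"Level\":\"INFO\",\"Message\":\"unlock requested\",\"TimestampUtc\":\"2022-06-10T08:00:00Z\"}";
        string good = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
        Console.WriteLine(SafeLogParser.TryParse(good, out LogRecord r) ? r.Message : "rejected");
        Console.WriteLine(SafeLogParser.TryParse("AAEAAAD/////", out _) ? "accepted" : "rejected");
    }
}
```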