CVE-2021-30110

7.5 HIGH

📋 TL;DR

This vulnerability in Domain Time II's system-tray component, dttray.exe, allows an attacker who can answer the program's update-check query to achieve code execution on the host. dttray.exe sends a UDP query to the vendor's update server and trusts the reply; a spoofed reply can carry a URL pointing at an attacker-controlled executable, which the affected system then fetches and runs. Because the victim initiates the exchange, the attacker must be positioned to intercept or forge the reply (on-path, via DNS or ARP spoofing, or from a compromised gateway), and the user still has to act on the resulting update prompt; the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 7.5) reflects both conditions. Domain Time II before version 5.2.b.20210331 is affected.

💻 Affected Systems

Products:
  • Greyware Automation Products Domain Time II
Versions: All versions before 5.2.b.20210331
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with dttray.exe running and configured to check for updates are vulnerable.

📦 What is this software?

Domain Time II is Greyware Automation Products' time-synchronization suite for Windows (NTP/PTP client and server components plus management tools). dttray.exe is the system-tray monitor that ships with it; among other tasks it queries the vendor's update server to tell the user when a newer release is available, which is the code path this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining administrative privileges, installing persistent backdoors, and moving laterally through the network.

🟠

Likely Case

Initial foothold on target system leading to data exfiltration, credential theft, or ransomware deployment.

🟢

If Mitigated

Attack blocked at network perimeter or detected before successful exploitation, with minimal impact.

🌐 Internet-Facing: HIGH - There is no listening service to expose; the risk is the integrity of the path between the host and the vendor's update server. Any attacker who can intercept or forge the UDP reply on that path (a hostile network, a compromised upstream resolver or gateway) can exploit it, so hosts that check for updates from untrusted networks are the most exposed.
🏢 Internal Only: MEDIUM - An internal attacker needs an on-path position (ARP or DNS spoofing on the local segment, a compromised router or proxy) to answer the query ahead of the real server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: Unconfirmed
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH (CVSS AC:H)

Exploitation requires the ability to intercept or spoof the reply to the victim's outbound UDP update query, and the user must act on the update prompt that the spoofed reply produces (CVSS UI:R). No credentials on the target are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.b.20210331 or later

Vendor Advisory: https://www.greyware.com/software/domaintime/v5/installation/v5x.asp#currentVersion

Restart Required: Yes

Instructions:

1. Download the current release (5.2.b.20210331 or later) from the Greyware website, over HTTPS, and verify the installer's Authenticode signature before running it.
2. Run the installer.
3. Restart the system, or at minimum restart the Domain Time II service and the dttray.exe tray application so the patched binaries are loaded.

🔧 Temporary Workarounds

Block UDP Update Queries

windows

Prevent dttray.exe from making outbound UDP queries, so the update check never leaves the host and there is no reply to spoof. This page does not state which UDP port the update query uses; port 123 is the NTP port used by the time service for synchronization, so a rule scoped to remoteport=123 is unlikely to cover the tray application's update query. The rule below therefore blocks all outbound UDP from dttray.exe (the time service itself is unaffected); confirm with a packet capture while triggering a manual update check that nothing leaves the host.

netsh advfirewall firewall add rule name="Block Domain Time II tray update query" dir=out action=block protocol=UDP program="C:\Program Files\Domain Time II\dttray.exe" enable=yes

Disable Automatic Updates

windows

Configure Domain Time II to not check for updates automatically

🧯 If You Can't Patch

  • Apply egress filtering so that dttray.exe on Domain Time II hosts cannot send UDP to arbitrary external hosts, and ensure those hosts resolve names through trusted, monitored resolvers; the attack needs the reply path to be tamperable.
  • Monitor for UDP traffic originating from dttray.exe (not the time service) to any host other than the vendor's update server, and for any HTTP/HTTPS download or child process that follows such a query. Plain NTP on UDP/123 from the time service to the configured time sources is normal and is not by itself an indicator.

🔍 How to Verify

Check if Vulnerable:

Check Domain Time II version in About dialog or registry at HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time II\Version

Check Version:

reg query "HKLM\SOFTWARE\Greyware\Domain Time II" /v Version

Verify Fix Applied:

Confirm the Version value reads 5.2.b.20210331 or later (compare the trailing date component, not just the 5.2 prefix), then confirm the patched dttray.exe is the one actually running by checking its file version in Task Manager or with Get-Process after the restart.
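The version string has a non-standard shape (major.minor.build-letter.date), so a naive [version] cast or string comparison gets it wrong. The following PowerShell is an added example, not Greyware's code: it reads the registry value this page points at, parses the string into comparable parts, and reports whether the installed build predates the fix. The WOW6432Node fallback path is an assumption for 32-bit installs on 64-bit Windows.

```powershell
# Added example, not vendor code. Registry path is the one given on this page;
# the WOW6432Node path is an assumption for a 32-bit install on 64-bit Windows.
$FixedVersion = '5.2.b.20210331'

function ConvertTo-DtVersionKey {
    # '5.2.b.20210331' -> @(5, 2, 'b', 20210331), so each part compares on its own.
    param([string]$Version)
    $m = [regex]::Match($Version.Trim(), '^(\d+)\.(\d+)\.([A-Za-z])\.(\d{8})$')
    if (-not $m.Success) {
        throw "Unrecognised Domain Time II version string: '$Version'"
    }
    return @([int]$m.Groups[1].Value,
             [int]$m.Groups[2].Value,
             $m.Groups[3].Value.ToLowerInvariant(),
             [int]$m.Groups[4].Value)
}

function Compare-DtVersion {
    # Returns -1 if $A is older than $B, 0 if equal, 1 if newer.
    param([string]$A, [string]$B)
    $ka = ConvertTo-DtVersionKey $A
    $kb = ConvertTo-DtVersionKey $B
    for ($i = 0; $i -lt 4; $i++) {
        if ($ka[$i] -lt $kb[$i]) { return -1 }
        if ($ka[$i] -gt $kb[$i]) { return 1 }
    }
    return 0
}

function Test-DomainTimeVulnerable {
    $paths = @(
        'HKLM:\SOFTWARE\Greyware\Domain Time II',
        'HKLM:\SOFTWARE\WOW6432Node\Greyware\Domain Time II'   # assumption
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) {
            $older = (Compare-DtVersion $v $FixedVersion) -lt 0
            return [pscustomobject]@{
                Path       = $p
                Version    = $v
                Vulnerable = $older
            }
        }
    }
    Write-Warning 'Domain Time II Version value not found under either path; is it installed?'
    return $null
}

Test-DomainTimeVulnerable
```

Run it in an elevated PowerShell on each Domain Time II host, or wrap Test-DomainTimeVulnerable in Invoke-Command for fleet-wide checks. A 5.2 build whose date component is older than 20210331 is reported as Vulnerable even though the major and minor numbers match the fix.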

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process creation from dttray.exe
  • Network connections to unusual IPs from Domain Time II

Network Indicators:

  • UDP traffic originating from dttray.exe (as distinct from the Domain Time service) to any host other than the vendor's update server; NTP on UDP/123 from the service to the configured time sources is expected and should be excluded from the alert
  • HTTP/HTTPS downloads initiated by dttray.exe, or by a browser it launches, from domains other than the vendor's

SIEM Query:

process_name:dttray.exe AND network_protocol:UDP AND NOT destination_hostname:*.greyware.com

(Field names are illustrative; map them to your schema. The original query excluded greyware.com from an IP field, which never matches a hostname, and keyed on destination port 123, which catches routine NTP rather than the update query.)
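The two log indicators above (child processes of dttray.exe, and network connections from it to non-vendor hosts) map directly onto Sysmon Event IDs 1 and 3. The PowerShell below is an added hunting example, not part of this page or the vendor's tooling: it pulls both event types from the Sysmon log, flattens the EventData fields, and emits one row per anomaly. It assumes Sysmon is installed with process-creation and network-connection logging enabled; the vendor host suffix and the seven-day window are assumptions to tune locally.

```powershell
# Added example, not vendor code. Assumes Sysmon with Event ID 1 (ProcessCreate)
# and Event ID 3 (NetworkConnect) enabled. Vendor suffix and window are assumptions.
$VendorHostSuffix = '.greyware.com'      # assumption: legitimate update host suffix
$Since            = (Get-Date).AddDays(-7)

function ConvertFrom-SysmonEvent {
    # Flatten the <Data Name="..."> elements of a Sysmon event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-DomainTimeTrayAnomalies {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 3
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $f = ConvertFrom-SysmonEvent $e
        if ($e.Id -eq 1 -and $f['ParentImage'] -like '*\dttray.exe') {
            # A spoofed update reply ends with the tray app handing off to a
            # downloader, browser or installer, so every child process is of interest.
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Indicator = 'ProcessCreate'
                Detail    = "$($f['ParentImage']) -> $($f['Image'])"
                Extra     = $f['CommandLine']
            }
        }
        elseif ($e.Id -eq 3 -and $f['Image'] -like '*\dttray.exe') {
            # Any connection from the tray app to something other than the vendor.
            # A missing hostname (no reverse lookup) is treated as suspicious, not benign.
            $dstHost = $f['DestinationHostname']
            if (-not $dstHost -or $dstHost -notlike "*$VendorHostSuffix") {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    Indicator = 'NetworkConnect'
                    Detail    = "$($f['Protocol']) -> $($f['DestinationIp']):$($f['DestinationPort'])"
                    Extra     = $dstHost
                }
            }
        }
    }
}

Find-DomainTimeTrayAnomalies | Sort-Object Time | Format-Table -AutoSize
```

The same logic ports to a SIEM rule: alert when a ProcessCreate event has dttray.exe as parent, or when a NetworkConnect from dttray.exe targets a host outside the vendor's domain, and correlate the two within a short window to surface the full spoofed-update chain rather than a lone outbound packet.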
