CVE-2022-24138

7.8 HIGH

📋 TL;DR

This vulnerability allows low-privileged users to replace legitimate IOBit software components with malicious executables during the download process, enabling privilege escalation to administrator level. It affects users of IOBit Advanced System Care 15 and Action Download Center on Windows systems where multiple users share the same computer.

💻 Affected Systems

Products:
  • IOBit Advanced System Care
  • IOBit Action Download Center
Versions: Version 15 (Advanced System Care), unspecified versions of Action Download Center
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Windows systems with multiple user accounts where low-privileged users can access ProgramData folder.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker gains full administrative control of the system, enabling installation of persistent malware, data theft, or complete system compromise.
🟠 Likely Case: Local privilege escalation allowing attackers to bypass security controls and execute arbitrary code with elevated privileges.
🟢 If Mitigated: Limited impact if proper access controls restrict low-privileged users from accessing ProgramData folder or if software runs with minimal privileges.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - In shared computing environments, any low-privileged user could exploit this to gain administrative access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of the SetOpLock technique. Proof-of-concept code is publicly available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check IOBit website for security updates. Uninstall affected software if no patch is available.

🔧 Temporary Workarounds

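Restrict ProgramData Folder Permissions (Windows)

Modify NTFS permissions on the ProgramData folder to prevent low-privileged users from writing or modifying files. Run the command from an elevated Command Prompt (cmd.exe). The deny entry is inherited by subfolders and files that have inheritance enabled, so it also blocks other applications that write under ProgramData as a standard user.

icacls "C:\ProgramData" /deny "Users":(OI)(CI)W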

Remove Vulnerable Software (Windows)

Uninstall IOBit Advanced System Care 15 and Action Download Center from affected systems.

Control Panel > Programs > Uninstall a program

🧯 If You Can't Patch

  • Implement strict access controls on shared systems to prevent low-privileged users from executing arbitrary code
  • Monitor ProgramData folder for unauthorized file modifications using file integrity monitoring tools

🔍 How to Verify

Check if Vulnerable:

Check whether IOBit Advanced System Care 15 or Action Download Center is installed, and whether the ProgramData folder permissions give low-privileged users write access.

Check Version:

Check installed programs in Control Panel or run: wmic product where "name like '%IOBit%'" get name,version

Verify Fix Applied:

Verify ProgramData folder permissions deny write access to low-privileged users and affected software is removed or updated.
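
The permission check described above can be scripted. The following PowerShell function is an added example, not code from the original page or from IOBit; the function name is hypothetical and the caller supplies the folder path, since the page does not name the product's subfolder under ProgramData.

```powershell
# Added example, not vendor code. Reports Allow ACEs that give low-privileged
# principals write-type access; a Deny ACE that overrides one is not evaluated.
function Get-LowPrivWritableAce {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder to audit (caller supplies it)
        [switch]$Recurse                       # also audit every child item
    )

    # Well-known SIDs, so matching does not depend on the display language.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
        'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that allow planting or replacing a file, plus GENERIC_WRITE
    # (0x40000000) and GENERIC_ALL (0x10000000), which Get-Acl can return
    # unmapped.
    $r = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$r::WriteData -bor [int]$r::AppendData -bor [int]$r::Delete -bor
                 [int]$r::DeleteSubdirectoriesAndFiles -bor [int]$r::ChangePermissions -bor
                 [int]$r::TakeOwnership -bor 0x40000000 -bor 0x10000000

    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Explicit and inherited ACEs, with identities translated to SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($lowPriv.ContainsKey($sid) -and ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $lowPriv[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}
```

On a default Windows installation the ProgramData root itself already lets BUILTIN\Users create files and folders, so run the check with -Recurse against the product's own folder rather than against the root alone.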

📡 Detection & Monitoring

Log Indicators:

  • File creation/modification events in ProgramData folder by low-privileged users
  • Process creation events showing privilege escalation patterns

Network Indicators:

  • Unusual outbound connections from IOBit processes
  • Downloads to ProgramData folder from untrusted sources

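SIEM Query (Windows Security event 4688, process creation; logged only when process-creation auditing is enabled):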

EventID=4688 AND NewProcessName LIKE '%asc.exe%' AND SubjectUserName NOT IN (admin_users_list)
