CVE-2022-28128

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code with elevated privileges by placing a malicious DLL in a directory that AttacheCase searches when loading libraries. It affects users of AttacheCase version 3.6.1.0 and earlier on Windows systems.

💻 Affected Systems

Products:
  • AttacheCase
Versions: 3.6.1.0 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability stems from untrusted search path behavior when loading DLLs, which is common in default Windows configurations where the current directory is in the search order.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution with administrative privileges, leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation allowing attackers to gain higher privileges on the system, potentially enabling further lateral movement or malware execution.

🟢 If Mitigated

Limited impact if proper access controls restrict DLL placement or if the software is run with minimal privileges, though exploitation risk remains.

🌐 Internet-Facing: LOW, as exploitation typically requires local access or social engineering to place the DLL, not direct internet exposure.
🏢 Internal Only: MEDIUM, as internal attackers or malware could exploit this if they gain access to place a DLL in a search path, especially in shared or poorly secured environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to place a malicious DLL in a directory that AttacheCase searches, which may involve social engineering or local access; no public proof-of-concept has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.6.2.0 or later

Vendor Advisory: https://hibara.org/software/attachecase/?lang=en

Restart Required: Yes

Instructions:

1. Download the latest version from the official AttacheCase website.
2. Uninstall the old version.
3. Install the new version.
4. Restart the system to ensure changes take effect.

🔧 Temporary Workarounds

Restrict DLL search path

Platform: Windows

Modify the DLL search order to prioritize system directories over the current directory, reducing the risk of loading malicious DLLs.

Use Group Policy or registry settings to set SafeDllSearchMode to 1 (enabled) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.

Run with limited privileges

Platform: Windows

Execute AttacheCase with non-administrative user accounts to limit the impact of privilege escalation.

🧯 If You Can't Patch

  • Monitor and restrict write permissions to directories in the DLL search path to prevent unauthorized DLL placement.
  • Use application whitelisting or antivirus software to block execution of unknown or malicious DLLs.

🔍 How to Verify

Check if Vulnerable:

Check the AttacheCase version by opening the software and navigating to Help > About; if version is 3.6.1.0 or earlier, it is vulnerable.

Check Version:

attachecase.exe --version or check in Help > About menu

Verify Fix Applied:

After updating, confirm the version is 3.6.2.0 or later via Help > About, and test that DLL loading from untrusted paths is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DLL load events from non-system directories in Windows Event Logs (e.g., Event ID 7 in Application logs).

Network Indicators:

  • Unusual outbound connections from AttacheCase process post-exploitation, though exploitation is local.

SIEM Query:

EventID=7 AND ProcessName="attachecase.exe" AND (ImageLoaded CONTAINS "user" OR ImageLoaded CONTAINS "temp")
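
An added example, not part of the original advisory or the AttacheCase project: the same detection written as an allowlist over Sysmon Event ID 7 (ImageLoad) records, so that any DLL attachecase.exe loads from outside trusted directories is flagged, not only paths containing "user" or "temp". The events are constructed, and the install path and trusted-directory list are assumptions to adapt per host.

```python
import ntpath

# Assumptions: directories treated as trusted DLL sources; adjust per host.
TRUSTED_DIRS = [
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Program Files\AttacheCase",  # assumed install location
]
PROCESS_NAME = "attachecase.exe"
EXE = r"C:\Program Files\AttacheCase\AttacheCase.exe"  # assumed path

# Constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"c:\WINDOWS\system32\sample.dll"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Users\alice\Downloads\sample.dll"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32Evil\sample.dll"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\ProgramData\stage\sample.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sample.dll"},
    {"EventID": 1, "Image": EXE},  # process creation, not an image load
]

def _norm(path):
    """Lower-case, backslash-normalise and collapse '..' in a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted(path):
    """True only if path lies under a trusted directory on a component boundary."""
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in TRUSTED_DIRS)

def suspicious_loads(events):
    """Return ImageLoaded paths that AttacheCase loaded from untrusted locations."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() != PROCESS_NAME:
            continue
        loaded = ev.get("ImageLoaded", "")
        if not is_trusted(loaded):
            hits.append(loaded)
    return hits

if __name__ == "__main__":
    for path in suspicious_loads(SAMPLE_EVENTS):
        print("untrusted DLL load:", path)
```

The ProgramData record is one the substring query would miss, and the System32Evil record shows why the prefix match must end on a path separator.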
