CVE-2022-32972
📋 TL;DR
CVE-2022-32972 is a DLL injection vulnerability in Infoblox BloxOne Endpoint for Windows that allows local attackers to execute arbitrary code with elevated privileges. This affects Windows systems running vulnerable versions of the BloxOne Endpoint software. Attackers can exploit this to gain SYSTEM-level access on compromised machines.
💻 Affected Systems
- Infoblox BloxOne Endpoint
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and disabling of security controls.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security restrictions and maintain persistence on the system.
If Mitigated
Limited impact if proper endpoint protection and least privilege principles are enforced, though local privilege escalation remains possible.
🎯 Exploit Status
Exploitation requires local access to the system. DLL injection techniques are well-documented and relatively easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.8 and later
Vendor Advisory: https://community.infoblox.com/t5/trending-kb-articles/cve-2022-32972-infoblox-bloxone-endpoint-for-windows-local/ba-p/24912
Restart Required: Yes
Instructions:
1. Download BloxOne Endpoint version 2.2.8 or later from the Infoblox support portal.
2. Run the installer with administrative privileges.
3. Restart the system after the installation completes.
🔧 Temporary Workarounds
Restrict DLL loading
Windows: configure the CWDIllegalInDllSearch setting to restrict DLL loading from untrusted locations
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x1 /f
Remove unnecessary privileges
Windows: run the BloxOne Endpoint service under a reduced-privilege account
sc config "BloxOne Endpoint" obj= "NT AUTHORITY\LocalService"
🧯 If You Can't Patch
- Implement strict application whitelisting to prevent unauthorized DLL loading
- Enforce least privilege principles and remove local administrator rights from standard users
🔍 How to Verify
Check if Vulnerable:
Check BloxOne Endpoint version in Control Panel > Programs and Features. Versions 2.2.7 and earlier are vulnerable.
Check Version:
wmic product where "name like 'Infoblox BloxOne Endpoint%'" get version
Verify Fix Applied:
Verify version is 2.2.8 or later in Control Panel > Programs and Features, and check that the service is running properly.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations
- Process creation events with parent process of BloxOne Endpoint service
Network Indicators:
- Unusual outbound connections from BloxOne Endpoint process
SIEM Query:
process_name:"bloxone*" AND (file_path:*\temp\* OR file_path:*\users\*) AND action:"create"
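The log indicators and SIEM query above, expressed as an added Python detection example (not part of the advisory) that applies the same logic to constructed Sysmon Event ID 7 (Image loaded) records: flag any DLL that a bloxone* process loads from a user-writable path (\temp\ or \users\) or without a valid signature. The executable name bloxone-endpoint.exe, the file paths and the signer strings are assumed sample data, not values from the page.

```python
import json
import re

# Constructed sample of Sysmon Event ID 7 records flattened to JSON lines, as a
# log forwarder might emit them. Executable name, paths and signers are made up.
SAMPLE_EVENTS = r"""
{"EventID":7,"Image":"C:\\Program Files\\Infoblox\\BloxOne Endpoint\\bloxone-endpoint.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","Signature":"Microsoft Windows"}
{"EventID":7,"Image":"C:\\Program Files\\Infoblox\\BloxOne Endpoint\\bloxone-endpoint.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll","Signed":"false","Signature":""}
{"EventID":7,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll","Signed":"false","Signature":""}
{"EventID":7,"Image":"C:\\Program Files\\Infoblox\\BloxOne Endpoint\\bloxone-endpoint.exe","ImageLoaded":"C:\\Program Files\\Infoblox\\BloxOne Endpoint\\libcurl.dll","Signed":"true","Signature":"Infoblox Inc."}
{"EventID":1,"Image":"C:\\Program Files\\Infoblox\\BloxOne Endpoint\\bloxone-endpoint.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}
"""

# Process-name pattern from the page's SIEM query ("bloxone*"), matched on the
# executable's file name, case-insensitively.
PROCESS_RE = re.compile(r"^bloxone.*\.exe$", re.IGNORECASE)
# User-writable locations from the page's query (\temp\ and \users\).
WRITABLE_RE = re.compile(r"\\(temp|users)\\", re.IGNORECASE)


def is_suspicious_load(event: dict) -> bool:
    """True for an image-load event where a bloxone* process loads a DLL from a
    user-writable path or one that lacks a valid signature."""
    if event.get("EventID") != 7:
        return False
    loader = event.get("Image", "").rsplit("\\", 1)[-1]
    if not PROCESS_RE.match(loader):
        return False
    loaded = event.get("ImageLoaded", "")
    unsigned = str(event.get("Signed", "")).lower() != "true"
    return bool(WRITABLE_RE.search(loaded)) or unsigned


def find_suspicious_loads(log_text: str) -> list:
    """Parse JSON-lines log text and return the loaded-DLL paths that match."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed forwarder output rather than abort
        if is_suspicious_load(event):
            hits.append(event["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_suspicious_loads(SAMPLE_EVENTS):
        print("suspicious DLL load by BloxOne process:", path)
```

Only the unsigned DLL loaded from the user's Temp directory is reported; the same DLL loaded by explorer.exe is ignored because the rule is scoped to the BloxOne process, matching the page's query.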