CVE-2022-47636

7.8 HIGH

📋 TL;DR

This CVE describes a DLL hijacking vulnerability in OutSystems Service Studio 11. When users open .oml files, the application loads specific DLLs from the same directory, allowing attackers to execute arbitrary code by placing malicious DLLs there. This affects users of OutSystems Service Studio 11 who open untrusted .oml files.

💻 Affected Systems

Products:
  • OutSystems Service Studio
Versions: 11.53.30 build 61739
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation when opening .oml files from untrusted locations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise of the logged-in user account, allowing attackers to install malware, steal credentials, and move laterally within the network.

🟠

Likely Case

Local privilege escalation leading to data theft, persistence establishment, or ransomware deployment on the affected workstation.

🟢

If Mitigated

Limited impact with proper user training and file handling procedures, potentially only affecting isolated systems.

🌐 Internet-Facing: LOW - This requires local file access or user interaction with malicious files, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Internal users opening malicious .oml files from network shares or email attachments can lead to widespread compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious .oml file. Public exploit code exists on Exploit-DB and Packet Storm.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

Check the official OutSystems security advisories for patch availability. Update to the latest version if a patch exists.

🔧 Temporary Workarounds

Restrict .oml file handling

Platform: Windows

Configure Windows to open .oml files with a different application or block execution from untrusted locations.

Implement DLL search order hardening

Platform: Windows

Use the CWDIllegalInDllSearch registry value to restrict DLL loading from the current working directory.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x1 /f

🧯 If You Can't Patch

  • Train users to never open .oml files from untrusted sources or network shares.
  • Implement application whitelisting to prevent execution of unauthorized DLLs.

🔍 How to Verify

Check if Vulnerable:

Check whether the OutSystems Service Studio version is 11.53.30 build 61739. Test by placing a test DLL in the same directory as an .oml file and monitoring the loading behavior.

Check Version:

Check the application's About dialog or the version information in the installation directory.

Verify Fix Applied:

Verify the updated version number and test DLL hijacking with controlled test files.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unusual locations
  • Process Monitor logs showing DLL loading from current directory

Network Indicators:

  • Unusual outbound connections from OutSystems Service Studio process

SIEM Query:

Process creation where the parent process is OutSystems Service Studio and the command line contains an .oml file path from a suspicious location
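
One way to turn the log indicators above into a check, as an added example that is not part of the original advisory or any vendor tooling: it correlates Sysmon process-creation (Event ID 1) and image-load (Event ID 7) records and flags any DLL that a Service Studio process loaded from the folder of the .oml file it was opened with. Assumptions: Sysmon is the log source, the process image is named ServiceStudio.exe, and all paths, GUIDs and the DLL name in the sample are constructed.

```python
import ntpath
import re

# Assumption: the Service Studio process image is named ServiceStudio.exe.
TARGET_EXE = "servicestudio.exe"
OML_ARG = re.compile(r'"([^"]+\.oml)"|(\S+\.oml)(?=\s|$)', re.IGNORECASE)

def oml_directory(command_line):
    """Return the normalised folder of the .oml argument, or None."""
    m = OML_ARG.search(command_line)
    if not m:
        return None
    return ntpath.normcase(ntpath.dirname(m.group(1) or m.group(2)))

def find_sideloads(events):
    """Flag DLLs a Service Studio process loaded from its .oml file's folder."""
    oml_dirs = {}  # ProcessGuid -> folder of the opened .oml file
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != TARGET_EXE:
            continue
        if ev["EventID"] == 1:  # Sysmon process creation
            folder = oml_directory(ev["CommandLine"])
            if folder:
                oml_dirs[ev["ProcessGuid"]] = folder
        elif ev["EventID"] == 7:  # Sysmon image (DLL) load
            folder = oml_dirs.get(ev["ProcessGuid"])
            loaded = ev["ImageLoaded"]
            if folder and ntpath.normcase(ntpath.dirname(loaded)) == folder:
                hits.append((ev["ProcessGuid"], loaded, ev.get("Signed")))
    return hits

# Constructed sample events: Sysmon field names, made-up paths and GUIDs.
EXE = r"C:\Apps\ServiceStudio\ServiceStudio.exe"
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{1}", "Image": EXE,
     "CommandLine": '"' + EXE + r'" "\\fs01\share\demo\app.oml"'},
    {"EventID": 7, "ProcessGuid": "{1}", "Image": EXE, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "ProcessGuid": "{1}", "Image": EXE, "Signed": "false",
     "ImageLoaded": r"\\FS01\Share\demo\example.dll"},
    {"EventID": 1, "ProcessGuid": "{2}", "Image": EXE, "CommandLine": EXE},
    {"EventID": 7, "ProcessGuid": "{2}", "Image": EXE, "Signed": "false",
     "ImageLoaded": r"C:\Users\dev\Downloads\example.dll"},
]

if __name__ == "__main__":
    for guid, dll, signed in find_sideloads(SAMPLE):
        print(f"ALERT {guid}: {dll} loaded from .oml folder (Signed={signed})")
```

Path comparison is case-insensitive and UNC-aware, so a load from `\\FS01\Share\demo` matches an .oml opened from `\\fs01\share\demo`.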
