CVE-2024-12168
📋 TL;DR
Yandex Telemost for Desktop versions before 2.7.0 are vulnerable to DLL hijacking due to an untrusted search path. An attacker who can place a malicious DLL in a directory the application searches before the legitimate one gets arbitrary code executed in the application's context when that DLL is loaded. This affects all users running vulnerable versions of Yandex Telemost for Desktop.
💻 Affected Systems
- Yandex Telemost for Desktop
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running Yandex Telemost, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or arbitrary code execution in the context of the user running the vulnerable application, allowing attackers to steal credentials, access sensitive files, or pivot to other systems.
If Mitigated
Limited impact if proper application control policies are in place, user privileges are restricted, and DLL search order hardening is implemented.
🎯 Exploit Status
DLL hijacking is a well-known attack technique with established exploitation methods. Exploitation requires the attacker to place a malicious DLL in a directory that the application searches before legitimate system directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.0
Vendor Advisory: https://yandex.com/bugbounty/i/hall-of-fame-products
Restart Required: Yes
Instructions:
1. Download Yandex Telemost for Desktop version 2.7.0 or later from official Yandex sources.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system to ensure all components are properly loaded.
🔧 Temporary Workarounds
Restrict DLL Search Path
Windows: Use Windows policies or application control solutions to restrict where Yandex Telemost can load DLLs from.
Set-ProcessMitigation -Name "telemost.exe" -Enable ForceRelocateImages
Note that ForceRelocateImages enforces mandatory ASLR for the process; it does not change where DLLs are loaded from. The image-load mitigations of the same cmdlet (PreferSystem32Images, BlockRemoteImageLoads, BlockLowLabelImageLoads) are the ones that constrain the search.
Use AppLocker or Windows Defender Application Control to restrict DLL loading. AppLocker's DLL rule collection is disabled by default and must be enabled explicitly before DLL rules are enforced.
Remove Write Permissions
Windows: Remove write permissions from directories that Yandex Telemost searches for DLLs before system directories.
icacls "C:\Program Files\Yandex\Telemost" /deny Users:(OI)(CI)W
icacls "%APPDATA%\Yandex\Telemost" /deny Users:(OI)(CI)W
The %APPDATA% form is cmd.exe syntax; in PowerShell use $env:APPDATA. A deny ACE for Users also applies to administrator accounts that are members of Users, and denying writes under the per-user AppData path blocks the application's own writes there (cache, logs, updates), so test the application after applying it.
🧯 If You Can't Patch
- Run Yandex Telemost with minimal user privileges (not as administrator)
- Implement application control policies to prevent execution of unauthorized DLLs
- Monitor for suspicious DLL loading events in Windows Event Logs
🔍 How to Verify
Check if Vulnerable:
Check the Yandex Telemost version in the application's About section, or query the Uninstall registry keys with 'Get-ItemProperty' as shown below. Versions below 2.7.0 are vulnerable.
Check Version:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Yandex Telemost*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Confirm the installed version is 2.7.0 or higher and test that the application functions normally after update.
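The version check above only reads the 64-bit HKLM Uninstall key and leaves the comparison to the reader, and the "Remove Write Permissions" workaround assumes you know which broad groups can write into the install directory. The following script is an added example, not part of the advisory or Yandex's own tooling: it enumerates the HKLM, WOW6432Node and HKCU Uninstall keys, compares DisplayVersion against the fixed version 2.7.0, and lists ACEs granting write access to Everyone, Authenticated Users or Users on the install directory. It assumes the product's DisplayName contains "Yandex Telemost" and that InstallLocation is populated.

```powershell
# Added example (not from the advisory or from Yandex): locate Yandex Telemost
# for Desktop in the Uninstall registry keys, compare DisplayVersion with the
# fixed version 2.7.0, and list ACEs that let broad groups write into the
# install directory (the condition the icacls workaround above removes).
# Assumptions: DisplayName contains "Yandex Telemost" and InstallLocation is set.
$FixedVersion  = [version]'2.7.0'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
)
function Get-TelemostInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Yandex Telemost*' } |
        ForEach-Object {
            # keep the leading numeric part so a build suffix does not break parsing
            $parsed = $null
            $ok = [version]::TryParse(([string]$_.DisplayVersion -replace '[^\d.].*$'), [ref]$parsed)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Vulnerable      = if ($ok) { $parsed -lt $FixedVersion } else { 'unknown' }
                InstallLocation = $_.InstallLocation
            }
        }
}

# Well-known SIDs resolved to their local names: Everyone, Authenticated Users, Users
$BroadPrincipals = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545' | ForEach-Object {
    ([System.Security.Principal.SecurityIdentifier]$_).Translate([System.Security.Principal.NTAccount]).Value
}

function Get-BroadWriteAces {
    param([Parameter(Mandatory)][string]$Path)
    # any write bit (WriteData/AppendData/...) is enough to plant a DLL
    $WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0) -and
        ($_.IdentityReference.Value -in $BroadPrincipals)
    }
}

foreach ($install in Get-TelemostInstall) {
    $install | Format-List
    if ($install.InstallLocation -and (Test-Path -LiteralPath $install.InstallLocation)) {
        Get-BroadWriteAces -Path $install.InstallLocation |
            Select-Object IdentityReference, FileSystemRights, IsInherited
    }
}
```

An empty ACE list for a vulnerable install means the install directory itself is not writable by broad groups; directories earlier in the search order (the current working directory and PATH entries) still need the same review.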
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) records the start of telemost.exe and its command line, but not the DLLs it loads; use it to establish the process start and correlate with the Sysmon event below
- Sysmon Event ID 7 (Image loaded) showing telemost.exe loading DLLs from user-writable directories, or DLLs that are unsigned (Signed=false) or carry an unexpected signer
Network Indicators:
- Unusual network connections originating from telemost.exe process after DLL load
SIEM Query (Splunk-style syntax over Sysmon Event ID 7, since process-creation events do not carry DLL load paths):
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 Image="*\\telemost.exe" NOT ImageLoaded="C:\\Windows\\*" | stats count by Image, ImageLoaded, Signed, SignatureStatus