CVE-2024-57394

8.8 HIGH

📋 TL;DR

This vulnerability in Qi-ANXIN Tianqing Endpoint Security Management System v10.0 allows an authenticated user to restore a quarantined file to an arbitrary path instead of its original location. Because the restore is carried out by the product rather than by the requesting user, the write lands in directories the user could not otherwise modify, such as C:\Windows\System32. An attacker who gets a crafted DLL quarantined and then restores it into a system directory can have it loaded by a privileged process (DLL hijacking) and escalate privileges on the endpoint. Organizations running version 10.0 are affected.

💻 Affected Systems

Products:
  • Qi-ANXIN Tianqing Endpoint Security Management System
Versions: v10.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with access to the quarantine-restore function of the management system. The DLL-hijacking escalation step applies to Windows endpoints.

📦 What is this software?

Tianqing is Qi-ANXIN's endpoint security management platform: agents on Windows endpoints detect and quarantine malware and are administered from a central management console, which is where the quarantine-restore function exposed by this CVE is reached.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through privilege escalation to SYSTEM/administrator level, enabling lateral movement, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Local privilege escalation allowing attackers to gain administrative privileges on compromised endpoints, potentially leading to credential theft and further network access.

🟢

If Mitigated

Limited impact if restore rights are held by a small set of trusted administrators, application control (for example WDAC or AppLocker) prevents unsigned DLLs from loading, and restores to non-original locations are alerted on.

🌐 Internet-Facing: LOW - This appears to require local access or authenticated access to the management system.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this for privilege escalation within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (a valid account on the management system is required)
Complexity: MEDIUM

A public proof-of-concept is reported on GitHub. Exploitation requires an authenticated account, but the chain (get a crafted DLL quarantined, restore it into a system directory, wait for a privileged process to load it) is well documented, and DLL hijacking is a mature technique on Windows.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixed build is identified here)

Vendor Advisory: https://en.qianxin.com/product/detail/165 (vendor product page; no dedicated advisory is linked)

Restart Required: Unknown until a fixed build is identified

Instructions:

1. Check the vendor website for security updates to Tianqing v10.0.
2. Apply any available patches.
3. Verify in a test environment that the quarantine-restore function no longer honours a caller-supplied destination outside the file's original location, including traversal forms such as ..\ segments and forward slashes.

🔧 Temporary Workarounds

Restrict Quarantine Access

Platform: all

Limit access to quarantine restore functionality to trusted administrators only.

Enable DLL Protection

Platform: Windows

Harden the DLL search order by removing the current working directory from it (CWDIllegalInDllSearch, Microsoft KB2264107). This is generic hardening and does not close the vector in this CVE: a DLL restored into C:\Windows\System32 or another directory that is already on the search path is loaded regardless of this setting, so treat it as defence in depth next to access control and application whitelisting. Value meanings: 0x1 blocks CWD loads only when the CWD is a WebDAV share, 0x2 when it is any remote share, and 0xFFFFFFFF removes the CWD from the search path entirely; only the last value hardens local hijacks, and it can break applications that rely on loading DLLs from the CWD, so test before deploying broadly. In PowerShell, -1 written as a DWord stores 0xFFFFFFFF:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "CWDIllegalInDllSearch" -Type DWord -Value -1

🧯 If You Can't Patch

  • Implement strict access controls on the Tianqing management interface
  • Deploy application control/whitelisting to prevent unauthorized DLL execution

🔍 How to Verify

Check if Vulnerable:

In a lab, quarantine a harmless detection-test file (for example the EICAR test file) from a low-privileged account, then request its restore with a destination under C:\Windows\System32, with a traversal form (..\ segments) that resolves to the same directory, and with forward slashes. The installation is vulnerable if the file appears at the requested destination rather than only at its original location.

Check Version:

Check software version in Tianqing management console or via vendor documentation

Verify Fix Applied:

Verify that the restore function canonicalizes the requested destination (resolving ..\ segments, forward slashes, case differences and junctions) and then refuses anything other than the file's original location or an administrator-defined restore directory, in particular anything under C:\Windows, Program Files, ProgramData or other directories on the DLL search path.
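The destination check described above, written for this page as an added example rather than code from Qi-ANXIN or the Tianqing product: a Python routine that shows the arbitrary-path pattern beside a hardened version. The record layout, the protected-root list, the RESTORE_ROOT override location and every path are assumptions for illustration; Windows path rules are emulated with the standard-library ntpath module so the script runs on any OS.

```python
"""Added example (not Tianqing code): destination validation for a quarantine-restore
operation, showing the arbitrary-path flaw beside a hardened check.

Assumptions (not from the advisory): the record layout, PROTECTED_ROOTS, RESTORE_ROOT and
all paths below are made up for illustration. Windows path semantics come from ntpath so
this runs on any OS; a real implementation on Windows should also resolve junctions.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class QuarantineRecord:
    item_id: str
    original_path: str  # where the file lived before quarantine, recorded by the agent


# Directories on the default DLL search path or otherwise writable only by privileged
# code. A restore that lands here is an unprivileged user's path to SYSTEM code execution.
PROTECTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\ProgramData",
)

# Hypothetical admin-configured location to which an explicit override may restore.
RESTORE_ROOT = r"C:\Quarantine\Restored"


def restore_destination_vulnerable(record: QuarantineRecord, requested_path: Optional[str]) -> str:
    """The flawed pattern: whatever path the caller supplies is where the agent writes."""
    return ntpath.normpath(requested_path) if requested_path else record.original_path


def canonical(path: str) -> str:
    """Normalise a Windows path for policy checks; reject anything that is not a plain
    absolute drive path (relative, drive-relative 'C:foo', UNC or device paths)."""
    drive, _ = ntpath.splitdrive(path)
    if len(drive) != 2 or drive[1] != ":" or not drive[0].isalpha() or not ntpath.isabs(path):
        raise ValueError(f"not an absolute drive path: {path!r}")
    # normpath collapses '..' and '.', and turns '/' into '\'
    return ntpath.normpath(path)


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies beneath it (case-insensitive, after normalisation).
    The trailing separator stops 'C:\\WindowsOld' from matching 'C:\\Windows'."""
    p = ntpath.normcase(canonical(path))
    r = ntpath.normcase(canonical(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def restore_destination_hardened(record: QuarantineRecord, requested_path: Optional[str] = None) -> str:
    """Policy: restore to the location recorded at quarantine time, or to the admin-defined
    RESTORE_ROOT; never beneath a protected root. The caller's string never reaches the
    filesystem un-canonicalised."""
    if requested_path is None:
        return record.original_path
    dest = canonical(requested_path)
    if any(is_under(dest, root) for root in PROTECTED_ROOTS):
        raise PermissionError(f"refusing to restore into a protected directory: {dest}")
    if not is_under(dest, RESTORE_ROOT):
        raise PermissionError(f"restore destination outside {RESTORE_ROOT}: {dest}")
    return dest


if __name__ == "__main__":
    rec = QuarantineRecord("q-0001", r"C:\Users\alice\Downloads\sample.dll")
    planted = r"C:\Windows\System32\planted.dll"
    print("vulnerable writes to:", restore_destination_vulnerable(rec, planted))
    for attempt in (planted,
                    r"C:\Quarantine\Restored\..\..\Windows\System32\planted.dll",
                    r"c:/WINDOWS/system32/planted.dll",
                    r"C:\Quarantine\RestoredEvil\planted.dll"):
        try:
            restore_destination_hardened(rec, attempt)
        except PermissionError as e:
            print("blocked:", e)
    print("allowed:", restore_destination_hardened(rec, r"C:\Quarantine\Restored\sample.dll"))
```

The order of the checks matters less than the canonicalisation before them: the traversal and forward-slash variants all collapse to the same System32 path before any prefix comparison runs, which is what the "Verify Fix Applied" step above is testing for.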

📡 Detection & Monitoring

Log Indicators:

  • Quarantine-restore events whose destination differs from the file's original quarantine location, or whose destination is under C:\Windows (System32, SysWOW64), Program Files or ProgramData
  • New .dll files created in those directories by the Tianqing agent process (Sysmon Event ID 11 FileCreate, or equivalent EDR file telemetry)
  • Privilege escalation activity (new SYSTEM-level processes, service creation) shortly after a restore operation

Network Indicators:

  • Unusual authentication patterns to Tianqing management interface
  • Lateral movement following endpoint compromise

SIEM Query:

source="tianqing" AND (event="quarantine_restore" OR event="file_write") AND (path="*\\Windows\\*" OR path="*\\Program Files*" OR path="*\\ProgramData\\*")

The source, event and path names are placeholders; map them to the fields your Tianqing log forwarder actually emits. Where the restore event carries both the original and the requested path, also alert whenever the two differ: any restore outside the original location is anomalous regardless of the directory.
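The detection logic behind that query, as an added example written for this page and not code from Qi-ANXIN or the Tianqing product, run over a handful of constructed audit lines: it parses key=value log records and flags restores whose destination is not the original quarantine location, escalating when the destination is a protected directory and the file is loadable code. The log format, field names, roles, user names and paths are all assumptions; the fields must be mapped to the real Tianqing audit schema, and Windows path rules are again emulated with ntpath.

```python
"""Added example (not Tianqing code): detection logic for suspicious quarantine-restore
events, run over constructed log lines.

Assumptions (not from the advisory): the key=value log format, field names, roles and
paths below are made up; map them to the actual Tianqing audit log schema. Windows path
semantics come from ntpath so this runs on any OS.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample audit lines (not real product output).
SAMPLE_LOG = r'''
2024-06-01T10:02:11Z event=quarantine_restore user=alice role=operator item=q-0001 original="C:\Users\alice\Downloads\sample.dll" dest="C:\Users\alice\Downloads\sample.dll" result=success
2024-06-01T10:05:42Z event=quarantine_restore user=bob role=operator item=q-0002 original="C:\Users\bob\AppData\Local\Temp\tool.dll" dest="C:\Windows\System32\planted.dll" result=success
2024-06-01T10:06:03Z event=quarantine_restore user=bob role=operator item=q-0003 original="C:\Users\bob\tool.dll" dest="C:\Users\bob\Desktop\..\..\..\Windows\SysWOW64\planted.dll" result=success
2024-06-01T10:07:10Z event=quarantine_delete user=carol role=admin item=q-0004 original="C:\Users\carol\bad.exe" result=success
2024-06-01T10:09:00Z event=quarantine_restore user=dave role=operator item=q-0005 original="C:\Users\dave\Downloads\a.exe" dest="C:\Users\dave\Desktop\a.exe" result=success
'''.strip().splitlines()

# Locations on the default DLL search path or otherwise writable only by privileged code.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)", r"C:\ProgramData")
# Extensions a privileged process might load or execute.
CODE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'ts key=value key="quoted value"' into a dict; the leading timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def norm(path: str) -> str:
    """Canonical, case-folded form: collapses '..' and '.', unifies separators and case,
    so a traversal written from a user profile still compares equal to the system path."""
    return ntpath.normcase(ntpath.normpath(path))


def under_protected_root(path: str) -> bool:
    p = norm(path)
    return any(p == norm(r) or p.startswith(norm(r) + "\\") for r in PROTECTED_ROOTS)


@dataclass
class Alert:
    ts: str
    user: str
    item: str
    dest: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Flag restores whose destination is not the original location; severity is high when
    the destination is a protected directory and the file is loadable code."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") != "quarantine_restore" or "dest" not in ev:
            continue
        reasons = []
        if norm(ev["dest"]) != norm(ev.get("original", "")):
            reasons.append("destination differs from original quarantine location")
        protected = under_protected_root(ev["dest"])
        if protected:
            reasons.append("destination is under a protected/DLL-search directory")
        if not reasons:
            continue
        is_code = ntpath.splitext(ev["dest"])[1].lower() in CODE_EXTENSIONS
        severity = "high" if (protected and is_code) else "medium"
        alerts.append(Alert(ev["ts"], ev.get("user", "?"), ev.get("item", "?"),
                            ntpath.normpath(ev["dest"]), severity, reasons))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} user={a.user} item={a.item} dest={a.dest}: {'; '.join(a.reasons)}")
```

The "differs from original" rule is the one that catches this CVE independent of where the attacker aims: a restore should only ever put a file back where it came from, so the directory-based rule is there to raise severity, not to be the sole trigger.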

🔗 References
