CVE-2024-7326

7.8 HIGH

📋 TL;DR

This vulnerability in IObit DualSafe Password Manager 1.4.0.3 allows DLL side-loading attacks via the RTL120.BPL library. Attackers can execute arbitrary code by placing malicious DLLs in specific directories, potentially compromising stored passwords. Users of this specific password manager version are affected.

💻 Affected Systems

Products:
  • IObit DualSafe Password Manager
Versions: 1.4.0.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a Windows OS where the vulnerable BPL library is used. The attack requires the ability to place files in directories searched by the application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all stored passwords, credential theft, and full system takeover via arbitrary code execution with user privileges.

🟠 Likely Case

Local privilege escalation leading to password database theft and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if proper application whitelisting and DLL search path restrictions are enforced.

🌐 Internet-Facing: LOW - This is primarily a local attack vector requiring local access or social engineering to place malicious files.
🏢 Internal Only: HIGH - Attackers with local access (including malware or malicious insiders) can exploit this to steal credentials and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to place malicious DLLs. Public technical details and proof-of-concept information are available in the referenced blog post.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider uninstalling the vulnerable software and migrating to alternative password managers.

🔧 Temporary Workarounds

Restrict DLL Search Path

windows

Use Windows policies to restrict DLL search paths and prevent loading from untrusted directories

Configure via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > DLL Rules

Application Whitelisting

windows

Implement application whitelisting to prevent unauthorized DLL loading

Use Windows AppLocker or similar solutions to restrict DLL execution

🧯 If You Can't Patch

  • Uninstall IObit DualSafe Password Manager 1.4.0.3 and use alternative password management solutions
  • Implement strict file system permissions to prevent users from writing to application directories
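
The file-permission item above can be checked by listing which non-administrative principals hold write access to the directories Windows searches when the application loads a DLL (the application directory first, `PATH` entries last). The following PowerShell is an added example, not code from the vendor or from the original advisory; `$InstallDir` is a placeholder because the page does not give the install path, and the trusted-SID list is an assumption to adjust for your environment.

```powershell
# Added example: report DLL-search-path directories writable by non-admin principals.
param(
    [string]$InstallDir = 'C:\Path\To\DualSafe'  # placeholder: set to the real install directory
)

# Assumption: only these SIDs should hold write access
# (SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller).
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Access-mask bits that allow adding, replacing or re-permissioning files:
# AddFile, AddSubdirectory, DeleteChild, Delete, WriteDac, WriteOwner,
# plus GENERIC_WRITE and GENERIC_ALL, which Get-Acl can return as raw values.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # directory not readable by the current user
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # not applied to this directory
        if ($trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Path
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Application directory plus every existing PATH entry, de-duplicated.
$dirs = (@($InstallDir) + ($env:PATH -split ';')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

$findings = foreach ($d in $dirs) { Get-WritableAce -Path $d }
$findings | Format-Table -AutoSize
```

Any row in the output is a directory where a principal outside the trusted list could drop a library; Deny entries are not evaluated, so treat the result as an upper bound.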

🔍 How to Verify

Check if Vulnerable:

Check installed software for IObit DualSafe Password Manager version 1.4.0.3 via Control Panel > Programs and Features

Check Version:

wmic product where name="IObit DualSafe Password Manager" get version

Verify Fix Applied:

Verify the software is no longer installed or has been updated to a non-vulnerable version

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unusual paths
  • Process creation events for suspicious DLLs in application directories

Network Indicators:

  • Unusual outbound connections from password manager process after exploitation

SIEM Query:

Process creation where (ImagePath contains ".dll" OR ImagePath contains ".bpl") AND (CommandLine contains unusual paths OR ParentImage contains "dualsafe")

🔗 References
