🟢 CVE-2022-23748

CVE-2022-23748 is a DLL sideloading vulnerability in mDNSResponder.exe from the Audinate Dante Application Library. Despite being listed in CISA KEV, this is a local attack requiring user interaction to execute the malicious DLL alongside the legitimate executable.

Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Execution

ATT&CK Technique: T1204 — User Execution

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2022-11-17

Added to CISA KEV: 2025-02-06 (812 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2022-23748 is a security vulnerability in the `mDNSResponder.exe` component of Audinate’s Dante Application Library for Windows (versions 1.2.0 and earlier).

Vulnerability Overview
  • Type: DLL Sideloading (Binary Planting) [2].
  • Mechanism: The `mDNSResponder.exe` executable improperly specifies the directory from which it loads dependent DLLs. It searches for these DLLs in the same directory where the executable is launched or in the application's working directory [1].
  • Impact: If an attacker can place a malicious, specially crafted DLL in the directory where the executable resides or is executed from, the application will load and execute the malicious code with the same privileges as the `mDNSResponder.exe` process [1].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been documented as being exploited in the wild.
  • Threat Actor Usage: It has been utilized in targeted attacks, most notably as part of a campaign dubbed "Stayin’ Alive." This campaign has been observed targeting government organizations and telecommunications service providers in Asia since at least 2021. In these attacks, the vulnerability was used to facilitate the execution of malicious loaders and backdoors (such as "CurKeep").
  • Attack Requirements: Successful exploitation typically requires a local attacker or an initial access vector (such as a phishing email) to place the malicious DLL file into the target directory on the victim's system.

Status and Mitigation
  • Affected Versions: Audinate Dante Application Library for Windows v1.2.0 and earlier.
  • Patch Status: Users are advised to update to a patched version of the software provided by the vendor. Audinate has released guidance and updates to address this issue.
  • Mitigation: Beyond patching, organizations can monitor for anomalous DLL loading behavior on Windows endpoints to detect potential exploitation attempts.
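
One way to implement the DLL-load monitoring mentioned above, as an added example that is not from the original page or from Audinate. It assumes events shaped like Sysmon Event ID 7 (ImageLoad) records with the fields `Image`, `ImageLoaded`, `Signed` and `SignatureStatus`; the install directory, the user path and the DLL name `example_dep.dll` are constructed placeholders.

```python
import ntpath

TARGET = "mdnsresponder.exe"
# Assumption: placeholder for the directory your software inventory lists for
# the legitimate binary; not taken from the page or the vendor.
INSTALL_DIR = r"C:\Program Files\ExampleVendor\ExampleApp"
EXPECTED_DIRS = {ntpath.normcase(INSTALL_DIR)}


def check_image_load(event, expected_dirs=EXPECTED_DIRS):
    """Return the reasons one image-load event looks like sideloading."""
    image = ntpath.normcase(event["Image"])
    if ntpath.basename(image) != TARGET:
        return []  # some other process; out of scope for this rule
    loaded = ntpath.normcase(event["ImageLoaded"])
    exe_dir = ntpath.dirname(image)
    reasons = []
    # The legitimate executable copied to an unexpected (often user-writable)
    # directory is the usual staging pattern for a planted DLL.
    if exe_dir not in expected_dirs:
        reasons.append("host_outside_expected_dir")
    # A DLL resolved from the executable's own directory without a valid
    # signature matches the search-order weakness described above.
    trusted = (event.get("Signed", "false").lower() == "true"
               and event.get("SignatureStatus") == "Valid")
    if loaded != image and ntpath.dirname(loaded) == exe_dir and not trusted:
        reasons.append("unsigned_dll_beside_exe")
    return reasons


def triage(events):
    """Return (index, reasons) for every event that raised at least one reason."""
    hits = [(i, check_image_load(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]


# Constructed sample events (not real telemetry).
USER_DIR = r"C:\Users\alice\AppData\Local\Temp\upd"
SAMPLE_EVENTS = [
    {"Image": INSTALL_DIR + r"\mDNSResponder.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "SignatureStatus": "Valid"},
    {"Image": USER_DIR + r"\mDNSResponder.exe", "Signed": "false",
     "ImageLoaded": USER_DIR + r"\example_dep.dll", "SignatureStatus": "Unavailable"},
    {"Image": INSTALL_DIR + r"\mDNSResponder.exe", "Signed": "false",
     "ImageLoaded": INSTALL_DIR + r"\example_dep.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "SignatureStatus": "Valid"},
]
```

The reason strings are meant to feed an alert pipeline; populate `EXPECTED_DIRS` from your own asset inventory before relying on the first check.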

Sources

  1. CVE-2022-23748 - mDNSResponder.exe Vulnerable to DLL Sideloading Attack

    Details of CVE-2022-23748. The Flaw: mDNSResponder.exe does not properly specify the folder where its DLLs should be loaded from. Specifically, when this executable starts, it searches for some DLL files in the same directory it is launched from, or in the directory set as the application's working di…

  2. CVE-2022-23748 Detail - NVD

    mDNSResponder.exe is vulnerable to DLL Sideloading attack. Executable improperly specifies how to load the DLL, from which folder and under what conditions.