Erik Avakian, technical counselor at Info-Tech Research Group, explained why this is an issue. “There’s a critical flaw in the management server in how one of its background services handles certain types of network messages that allows an attacker on the network to run their own code without logging in. That service will accept a message from anyone on the network and then can blindly load a Windows DLL using a standard Windows function. The problem is that the software doesn’t properly validate where that DLL is coming from.”
When this happens, he said, the affected software will run the attacker’s code, probably at the highest level of privilege. So, in these circumstances, the attacker can point Apex Central to a DLL that they control, for example, on a remote network. That could then move deeper into the corporate software environment. “In short, if this server is exposed and unpatched, it can be taken over remotely,” said Avakian.
What makes the attack particularly insidious, he said, is that attackers don’t need to log into the server or copy files onto it. “They simply can host a malicious DLL somewhere they control and instruct Apex Central to load it. Because of the flaw, Apex Central reaches out and loads the DLL itself, effectively pulling in and executing the attacker’s code without checking who asked.”