Amidst the new normal of online education, researchers have highlighted how trivial cybersecurity lapses can cause serious damage. As they observed, numerous security bugs existed in the popular remote learning platform Netop Vision Pro. Exploiting these vulnerabilities could severely threaten students’ security.
Netop Vision Pro Bugs
Reportedly, the McAfee Labs Advanced Threat Research team has found numerous vulnerabilities in the teaching software Netop Vision Pro.
It’s a remote monitoring system that gives teachers access to students’ computers. In this way, teachers can better manage learning activities by assigning tasks, sharing documents, and more as they remotely control students’ computers.
The software isn’t specifically a remote access tool for computers. Rather, it’s more of a classroom management tool for K-12 institutions. Perhaps that’s why it developed issues when teachers and students started using it the other way.
Briefly, the researchers found 4 different security bugs in Netop Vision Pro: CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195. They found these bugs after downloading and analyzing the free trial version of the software.
Here is a quick description of their observations.
- CVE-2021-27194 – unencrypted network traffic bearing all information (including sensitive details, like screenshots and passwords, in plaintext). A snooper on the local network could easily spy on this data.
- CVE-2021-27195 – an adversary could pose as a teacher by modifying the data packet that the teacher’s client sends to students to establish a connection. The adversary could then achieve remote code execution on the students’ systems.
- CVE-2021-27192 – incorrect privilege assignment giving system privileges to the adversary.
- CVE-2021-27193 – an attacker emulating a teacher could read, write, or even delete files on the students’ computers by exploiting the MChat client.
Technical details of these bugs are available in McAfee’s post. Also, the ATR team has discussed these bugs and their possible impact in detail in this video.
McAfee’s ATR found these vulnerabilities last year and disclosed them to Netop in December 2020.
Consequently, in February 2021, Netop fixed three of the four bugs with the release of Netop Vision Pro 9.7.2. However, a fix for the first vulnerability listed above, unencrypted network traffic (CVE-2021-27194), isn’t available yet.
McAfee states that Netop has assured them it will patch this issue as well in future updates.