Popular remote lesson monitoring program could be exploited to attack student PCs

The vulnerabilities allowed attackers full and unfettered access to student PCs.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a slew of critical vulnerabilities in remote monitoring software -- an incident made worse as it could impact student safety and privacy. 

On Monday, McAfee disclosed the existence of multiple security holes in Netop Vision Pro, popular monitoring software adopted by schools for teachers to control remote learning sessions. 

The software is marketed for teachers to keep control of lessons. Features include viewing student screens and sharing the teachers', implementing web filters, pushing URLs, chat functions, and freezing student screens. 

"Adding technology to the classroom allows you to give your students a multitude of new resources, but it can also add more distractions," the vendor says. "Classroom management software helps you scaffold your students' learning while still keeping them on track. In the classroom or during remote learning, Vision's simple features allow you to manage and monitor your students in real-time."

According to McAfee's Advanced Threat Research (ATR) team, Netop Vision Pro contained vulnerabilities that "could be exploited by a hacker to gain full control over students' computers." 

After setting up a virtual 'classroom' made up of four devices on a local network, the researchers realized that all network traffic was unencrypted and there was no option to enable encryption during configuration. 

In addition, students who began connecting to the classroom "would unknowingly begin sending screenshots to the teacher," according to the report. 

"Since there is no encryption, these images were sent in the clear," McAfee says. "Anyone on the local network could eavesdrop on these images and view the contents of the students' screens remotely."

As a teacher begins a session, they send a network packet prompting students to join. The team found it was possible to modify this data and masquerade as the teacher host. Attackers could also perform local elevation of privilege (LPE) attacks and ultimately gain System privileges.

The chat function in the software saved files sent by a teacher into a 'work' directory while running as System. As a result, it was possible for an interloper to overwrite existing files and send malicious content to students without any input from them -- such as malware that would ultimately compromise their PCs. 

"Netop Vision Pro student profiles also broadcast their presence on the network every few seconds, allowing an attacker to scale their attacks to an entire school system," McAfee noted. "Because it is always running, even when not in use, this software assumes every network the device connects to could have a teacher on it and begins broadcasting."

Overall, four critical vulnerabilities in the software were assigned CVEs and are tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195: an incorrect privilege assignment problem, a default permissions error, the cleartext transmission of sensitive information, and authorization issues.

Taken together, the security flaws allowed for privilege escalation and Remote Code Execution (RCE) attacks within a compromised network. 

"If a hacker is able to gain full control over all target systems using the vulnerable software, they can equally bridge the gap from a virtual attack to the physical environment," the researchers added. "The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment."

The insecure design principles and security flaws found in Netop's software were privately disclosed to the vendor on December 11. The latest software release, 9.7.2, has addressed some of the issues, such as LPE bugs and the encryption of credentials. Mitigations have also been added to chat-based read/write issues. 

Netop intends to roll out network encryption in the near future. 

Last week, the FBI warned of increasing rates of attack against US and UK schools and universities. Law enforcement agencies have tracked a spike in attack attempts leveraging PYSA ransomware, used to exfiltrate data before encryption in order to extort payment. 

ZDNet has reached out to Netop and we will update when we hear back. 
