Summary
Unauthenticated users can modify NVDA's system profile for input gestures and speech dictionaries. This affects every user's first (sign-on) interaction with the system. This action is intended to be limited to signed-in users with administrator privileges.
If gestures are unexpectedly remapped or speech is unexpectedly replaced, a user may experience a denial of service, for example being unable to sign in to Windows.
Pull request(s)
#13489
Limitations
Input gestures to open one of the affected dialogs need to be created and copied to the system configuration. This requires administrator privileges.
Technical details
Proof of concept
- Alice adds an input gesture to open the dictionary dialog, and the input gestures dialog, and copies her config to secure mode.
- Mallory uses NVDA from the sign-in screen to open the dictionary dialog and replaces all text with “cat”, then opens the input gestures dialog and remaps gestures for commands (including the dictionary dialog).
- Alice goes to sign in to Windows. Alice can no longer sign in to Windows as NVDA is inaccessible.
Indicators of compromise
The system profile speech dictionaries can be found in the NVDA install directory:
C:\Program Files (x86)\NVDA\systemConfig\speechDicts
The system profile input gestures can be found in the NVDA install directory:
C:\Program Files (x86)\NVDA\systemConfig\gestures.ini
When copying configuration to secure screens, these will be updated.
These files can be inspected with Notepad to check for unexpected changes.
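The manual inspection above can also be scripted. This is an added example, not NVDA's own code: it records SHA-256 digests of gestures.ini and every file under speechDicts after a trusted copy to secure screens, then reports files added, removed or modified since. The function names and the baseline file name are assumptions; the install path is the one given above.

```python
import hashlib
import json
import sys
from pathlib import Path

# Default location from the advisory; adjust if NVDA is installed elsewhere.
SYSTEM_CONFIG = Path(r"C:\Program Files (x86)\NVDA\systemConfig")
WATCHED = ("gestures.ini", "speechDicts")  # the two items named in the advisory


def snapshot(config_dir):
    """Map each watched file (path relative to config_dir) to its SHA-256."""
    config_dir = Path(config_dir)
    digests = {}
    for name in WATCHED:
        target = config_dir / name
        if target.is_dir():
            files = sorted(p for p in target.rglob("*") if p.is_file())
        else:
            files = [target] if target.is_file() else []
        for path in files:
            key = path.relative_to(config_dir).as_posix()
            digests[key] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Return the paths added, removed or modified relative to the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Hypothetical baseline file; keep it outside systemConfig.
    default_name = "nvda_systemconfig_baseline.json"
    baseline_file = Path(sys.argv[1] if len(sys.argv) > 1 else default_name)
    current = snapshot(SYSTEM_CONFIG)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        print("Baseline written:", baseline_file)
    else:
        diff = compare(json.loads(baseline_file.read_text()), current)
        print(json.dumps(diff, indent=2))
        sys.exit(1 if any(diff.values()) else 0)
```

Because copying configuration to secure screens legitimately rewrites these files, delete the baseline and record a new one after each intentional copy.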
Workarounds
To prevent unauthenticated users from adjusting these settings on older NVDA versions:
- run NVDA while logged in, and not in secure mode
- unbind the input gesture for the input gestures dialog, and the speech and voice dictionary dialogs.
- Note: The temporary dictionary dialog may still be accessible via the menu; however, these settings are temporary
- copy your configuration for use on secure screens
- consider limiting administrator privileges of other users of the device, so that they cannot overwrite this by copying their configuration to secure screens
Timeline
This was reported in early March, after the 2021.3.3 release.
A patch was created to be added to a 2021.3.4 patch release in March.
For more information
If you have any questions or comments about this advisory: