Summary
Unauthenticated users can modify NVDAs system profile for symbol pronunciation. This affects all users first (sign-on) interaction with the system. This action is intended to be limited to signed in users with administrator privileges.
If unexpected symbols are being replaced, a user may experience a denial of service. For example, being unable to sign-in to Windows.
Pull request(s)
f234dd8
Limitations
Input gestures to open the affected dialog need to be created and copied to the system configuration. This requires administrator privileges.
Technical details
Proof of concept
- Assign a gesture to "Shows the NVDA symbol pronunciation dialog".
- Copy the config to secure screens via General Preferences
- Restart the device
- On the sign-in screen:
- Execute the gesture which shows the dialog.
- Change a symbol pronunciation, e.g. change one of the symbols to say test.
- Restart NVDA and confirm this is still changed
Indicators of compromise
The system profile symbols dictionaries can be found in the NVDA install directory:
C:\Program Files (x86)\NVDA\systemConfig\symbols-*.dic
When copying configuration to secure screens, these will be updated.
These files can be inspected with Notepad to check for unexpected changes.
Workarounds
To prevent unauthenticated users from adjusting these settings on older NVDA versions:
- run NVDA while logged in, and not in secure mode
- unbind the input gesture for opening the symbol pronunciation dialog
- copy your configuration for use on secure screens
- consider limiting administrator privileges of other users of the device, so that they cannot overwrite this by copying their configuration to secure screens
Timeline
This was reported in mid March, after the 2021.3.4 release.
A patch was created to be added to a 2021.3.5 patch release in XXX.
For more information
If you have any questions or comments about this advisory:
tspivey Analyst
Summary
Unauthenticated users can modify NVDAs system profile for symbol pronunciation. This affects all users first (sign-on) interaction with the system. This action is intended to be limited to signed in users with administrator privileges.
If unexpected symbols are being replaced, a user may experience a denial of service. For example, being unable to sign-in to Windows.
Pull request(s)
f234dd8
Limitations
Input gestures to open the affected dialog need to be created and copied to the system configuration. This requires administrator privileges.
Technical details
Proof of concept
Indicators of compromise
The system profile symbols dictionaries can be found in the NVDA install directory:
C:\Program Files (x86)\NVDA\systemConfig\symbols-*.dic
When copying configuration to secure screens, these will be updated.
These files can be inspected with Notepad to check for unexpected changes.
Workarounds
To prevent unauthenticated users from adjusting these settings on older NVDA versions:
Timeline
This was reported in mid March, after the 2021.3.4 release.
A patch was created to be added to a 2021.3.5 patch release in XXX.
For more information
If you have any questions or comments about this advisory: