The McAfee Labs Advanced Threat Research team announced March 21 that it has discovered “critical issues” on Netop Vision Pro, a popular classroom management software solution.
The newly reported vulnerabilities allow for elevation of privileges and ultimately remote code execution, which McAfee said “could be used by a malicious attacker, within the same network, to gain full control over students’ computers.”
McAfee said that the COVID-19 pandemic increased the risk of cyberattacks for the Netop software. Under normal circumstances, Netop Vision Pro functions as a student monitoring system for teachers to facilitate student learning while using school computers. The software allows teachers to remotely perform tasks on the students’ computers, such as locking their computers, blocking web access, remotely controlling their desktops, running applications, and sharing documents.
The software is designed to manage a classroom or a computer lab in a K-12 environment and is not targeted for eLearning or personal devices. Meaning, McAfee said, that the Netop Vision Pro Software should never be accessible from the internet in the standard configuration. However, during the COVID-19 pandemic, which saw a rise in distance and hybrid learning, computers are being loaned to students. This has resulted in schooling software being connected to many different networks and thus increasing the attack surface.
In a blog post, the research team said it disclosed the vulnerabilities to Netop on Dec. 11, 2020.
McAfee’s disclosure includes recommendations for implementing encryption of all network traffic, adding authentication, and verification of teachers to students, and more precise packet parsing filters. Netop was able to update its software and patch “many of the critical vulnerabilities” in February 2021, the firm said. Specifically, McAfee said Netop has fixed the local privilege escalations, encrypted formerly plaintext Windows credentials, and mitigated the arbitrary read/writes on the remote filesystem within its messaging portal.
However, the research team noted that network traffic is still unencrypted, including screenshots of the student computers. However, Netop assured McAfee that it is working on implementing encryption on all network traffic for a future update.