CVE-2022-31215: 
Goverlan Reach Client vulnerability analysis and mitigation

In certain Goverlan (now EasyVista) products, the Windows Firewall is temporarily turned off upon a Goverlan agent update operation in Goverlan Management Console v10.5.0, Goverlan Server v3.70.0 and earlier versions. This vulnerability, identified as CVE-2022-31215, allows remote attackers to bypass firewall blocking rules for a time period of up to 30 seconds (Goverlan Advisory, NVD).

The vulnerability is classified as CWE-1038 (Insecure Automated Optimizations). When the Goverlan agent performs an update operation, it temporarily disables the Windows Firewall. This behavior can be detected by monitoring Windows Event ID 2003, which records when the Windows Firewall has been enabled or disabled. If this event is present without a corresponding Goverlan Audit Event (Event ID 6549) and the Modifying Application is GovAgent64.exe, it indicates the presence of this vulnerability (Goverlan Advisory).

The primary impact of this vulnerability is that affected systems temporarily lose Windows Firewall protection for up to 30 seconds during agent updates. During this window, remote attackers could potentially bypass firewall blocking rules, potentially exposing the system to unauthorized access (Goverlan Advisory).

The vulnerability has been patched in newer versions of the software. Users should update to Goverlan Management Console v10.5.1 or later, Goverlan Server v3.70.1 or later, and Goverlan Client Agent v10.1.11 or later to remediate this issue (Goverlan Advisory).