A high-severity security flaw has been disclosed in N-able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.
Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.
The security shortcoming, which impacts versions 188.8.131.521 and prior, has been addressed in version 7.0.43 released on March 15, 2023, following responsible disclosure by Mandiant on February 27, 2023.
Time-of-Check to Time-of-Use falls under a category of software flaws wherein a program checks the state of a resource for a specific value, but that value changes before it is actually used, effectively invalidating the results of the check.
Exploitation of such a flaw can result in a loss of integrity and trick the program into performing actions that it should not otherwise perform, thereby allowing a threat actor to gain access to unauthorized resources.
"This weakness can be security-relevant when an attacker can influence the state of the resource between check and use," according to a description in the Common Weakness Enumeration (CWE) system. "This can happen with shared resources such as files, memory, and even variables in multithreaded programs."
According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent (BASupSrvcUpdater.exe) between logging multiple file deletion events (e.g., files named aaa.txt and bbb.txt) and each delete action from a specific folder named "C:\ProgramData\GetSupportService_N-Central\PushUpdates."
"To put it simply, while BASupSrvcUpdater.exe logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.
"This action would cause the process to unintentionally delete files as NT AUTHORITY\SYSTEM."
Even more troublingly, this arbitrary file deletion could be weaponized to secure an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows installer's rollback functionality, potentially leading to code execution.
"Arbitrary file deletion exploits are no longer restricted to denial-of-service attacks and can indeed serve as a means to achieve elevated code execution," Oliveau said, adding that such exploits can be combined with "MSI's rollback functionality to introduce arbitrary files into the system."
“A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files.”
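A hardened version of the "log and delete from a folder" loop described above, added here as an illustration and not N-able's code: a POSIX Python sketch that refuses a folder non-owners can write to, inspects each entry with lstat instead of by path, and unlinks relative to the directory handle it already checked, so a link planted as bbb.txt is skipped rather than followed. The folder layout and file names are constructed for the demo; on Windows the corresponding step is to open each entry with FILE_FLAG_OPEN_REPARSE_POINT and check FILE_ATTRIBUTE_REPARSE_POINT before deleting, and to keep the folder's ACL closed to unprivileged users.

```python
import os
import stat
import tempfile
from typing import Dict, List


def drain_update_folder(folder: str) -> Dict[str, List[str]]:
    """Delete the regular files directly inside `folder`; skip everything else.

    Decisions are made on the directory handle and on each entry itself
    (fstat/lstat), and the unlink is issued relative to that same handle, so a
    swapped path component or a planted link cannot redirect the delete.
    """
    dir_fd = os.open(folder, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        dst = os.fstat(dir_fd)  # inspect the opened handle, not the path string
        if dst.st_uid != os.geteuid() or dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A cleanup loop must never run over a folder other users can populate.
            raise PermissionError(f"{folder} is writable by non-owners; refusing")
        result: Dict[str, List[str]] = {"deleted": [], "skipped": []}
        for name in os.listdir(dir_fd):
            st = os.lstat(name, dir_fd=dir_fd)  # lstat: the entry, never its target
            if not stat.S_ISREG(st.st_mode):    # symlink, subdir, socket ... -> skip
                result["skipped"].append(name)
                continue
            os.unlink(name, dir_fd=dir_fd)      # relative to the handle we checked
            result["deleted"].append(name)
        return result
    finally:
        os.close(dir_fd)


def build_demo() -> Dict[str, str]:
    """Constructed layout: aaa.txt (regular), bbb.txt -> planted link, a subdir."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "secret.ini")  # stands in for a sensitive file
    with open(secret, "w") as f:
        f.write("keep me")
    push = os.path.join(root, "PushUpdates")
    os.mkdir(push, 0o700)
    with open(os.path.join(push, "aaa.txt"), "w") as f:
        f.write("update payload")
    os.symlink(secret, os.path.join(push, "bbb.txt"))  # link pointing outside
    os.mkdir(os.path.join(push, "sub"))
    return {"push": push, "secret": secret}


if __name__ == "__main__":
    demo = build_demo()
    print(drain_update_folder(demo["push"]))  # deleted: aaa.txt; skipped: bbb.txt, sub
```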