A high-severity safety flaw has been disclosed in N-Ready’s Take Management Agent that may very well be exploited by a neighborhood unprivileged attacker to achieve SYSTEM privileges.
Tracked as CVE-2023-27470 (CVSS rating: 8.8), the problem pertains to a Time-of-Verify to Time-of-Use (TOCTOU) race situation vulnerability, which, when efficiently exploited, may very well be leveraged to delete arbitrary information on a Home windows system.
The safety shortcoming, which impacts variations 126.96.36.1991 and prior, has been addressed in model 7.0.43 launched on March 15, 2023, following accountable disclosure by Mandiant on February 27, 2023.
Time-of-Verify to Time-of-Use falls below a class of software program flaws whereby a program checks the state of a useful resource for a selected worth, however that worth modifications earlier than it is really used, successfully invalidating the outcomes of the examine.
An exploitation of such a flaw may end up in a lack of integrity and trick this system into performing actions that it should not in any other case, allowing a risk actor to achieve entry to in any other case unauthorized sources.
“This weak point will be security-relevant when an attacker can affect the state of the useful resource between examine and use,” in response to a description of the Frequent Weak point Enumeration (CWE) system. “This may occur with shared sources equivalent to information, reminiscence, and even variables in multithreaded applications.”
In accordance with the Google-owned risk intelligence agency, CVE-2023-27470 arises from a TOCTOU race situation within the Take Management Agent (BASupSrvcUpdater.exe) between logging a number of file deletion occasions (e.g., information named aaa.txt and bbb.txt) and every delete motion from a selected folder named “C:ProgramDataGetSupportService_N-CentralPushUpdates.”
“To place it merely, whereas BASupSrvcUpdater.exe logged the deletion of aaa.txt, an attacker might swiftly exchange the bbb.txt file with a symbolic hyperlink, redirecting the method to an arbitrary file on the system,” Mandiant safety researcher Andrew Oliveau mentioned.
Identification is the New Endpoint: Mastering SaaS Safety within the Trendy Age
Dive deep into the way forward for SaaS safety with Maor Bin, CEO of Adaptive Protect. Uncover why identification is the brand new endpoint. Safe your spot now.
“This motion would trigger the method to unintentionally delete information as NT AUTHORITYSYSTEM.”
Much more troublingly, this arbitrary file deletion may very well be weaponized to safe an elevated Command Immediate by making the most of a race situation assault focusing on the Home windows installer’s rollback performance, doubtlessly resulting in code execution.
“Arbitrary file deletion exploits are now not restricted to [denial-of-service attacks and can indeed serve as a means to achieve elevated code execution,” Oliveau said, adding such exploits can be combined with “MSI’s rollback functionality to introduce arbitrary files into the system.”
“A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files.”