Local Privilege Escalation in Cloudflare WARP Installer (Windows)

High
ncabetecf published GHSA-xmhj-9p83-xvw9 Apr 6, 2023

Package

WARP Installer (Windows)

Affected versions

<= 2022.5.309.0

Patched versions

2023.3.381.0

Description

Impact

During the repair process, the installer (MSI) of the WARP Client for Windows (<= 2022.12.582.0) created a hardlink in the ProgramData folder. An attacker could forge the destination of that hardlink and escalate privileges by overwriting SYSTEM-protected files.

Because the Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed the creation of mount points from its ProgramData folder, it was possible during installation of the WARP client to escalate privileges and overwrite SYSTEM-protected files.

Patches

A new installer with a fix that addresses this vulnerability was released in version 2023.3.381.0. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present on their systems.
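
One way to locate the older installers mentioned above, as an added example that is not part of the advisory or Cloudflare's tooling: it reads `ProductName` and `ProductVersion` from each MSI found and flags those below 2023.3.381.0. The search roots, the `*WARP*` product-name match and the two-digit-year normalisation are assumptions.

```powershell
# Added example: report WARP MSI installers older than the patched release.
$Patched = [version]'2023.3.381.0'   # patched installer version stated in the advisory

function Invoke-ComMember($Object, [string]$Member, [object[]]$Arguments, [string]$Kind = 'InvokeMethod') {
    # PowerShell cannot bind the Windows Installer COM members directly, so call them late-bound.
    $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $Arguments)
}

function Get-MsiProperty([string]$Path, [string]$Name) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-ComMember $installer 'OpenDatabase' @($Path, 0)   # 0 = open read-only
    try {
        $view = Invoke-ComMember $db 'OpenView' @("SELECT Value FROM Property WHERE Property = '$Name'")
        $null = Invoke-ComMember $view 'Execute'
        $record = Invoke-ComMember $view 'Fetch'
        if ($record) { Invoke-ComMember $record 'StringData' @(1) 'GetProperty' }
        $null = Invoke-ComMember $view 'Close'
    } finally {
        # Release the database handle so the MSI file is not left locked.
        $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    }
}

function ConvertTo-WarpVersion([string]$Text) {
    # Assumption: an MSI may carry a two-digit year (e.g. 23.x); map it to the four-digit form.
    $parts = $Text.Split('.')
    if ([int]$parts[0] -lt 100) { $parts[0] = [string](2000 + [int]$parts[0]) }
    [version]($parts -join '.')
}

function Find-StaleWarpInstaller([string[]]$Root = @("$env:USERPROFILE\Downloads", $env:TEMP)) {
    # Default search roots are assumptions; pass -Root for software shares or other user profiles.
    Get-ChildItem -Path $Root -Filter *.msi -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $name = Get-MsiProperty $file.FullName 'ProductName'
                if ($name -notlike '*WARP*') { return }   # skip unrelated MSI packages
                $ver = ConvertTo-WarpVersion (Get-MsiProperty $file.FullName 'ProductVersion')
                [pscustomobject]@{ Path = $file.FullName; ProductName = $name; Version = $ver; Stale = ($ver -lt $Patched) }
            } catch { Write-Warning "Could not read $($file.FullName): $_" }
        }
}

Find-StaleWarpInstaller | Where-Object Stale | Format-Table -AutoSize
```

The script only reports; review the listed paths before deleting anything.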

References

Cloudflare WARP Client for Windows releases
Cloudflare WARP Client documentation

Severity

High 7.0 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-0652

Weaknesses

Credits