MNDT-2022-0017

Description

Microsoft Windows Installer contains a local privilege escalation vulnerability prior to the March 2022 security update.

Impact

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

Exploitability

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

CVE Reference

CVE-2022-23296

Common Vulnerability Scoring System (CVSS)

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Technical Details

The Windows Installer framework does not correctly set the Privileged property from LaunchConditions during Repair mode. As a result, an unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\windows\installer\[XXXXX].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.
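The two behaviours described above can be hunted for in process-creation telemetry. The following is an added example, not part of the original advisory: the event field names follow Sysmon process-creation events, and the rule names, the default %TEMP% location and the sample events are assumptions constructed for illustration.

```python
import re

# Repair switch as documented for msiexec: /f plus optional mode letters (the page uses /fa).
REPAIR_SWITCH = re.compile(r"(?i)(?:^|\s)[/-]f[poedcaumsv]*(?=\s|$)")
# Cached package path named in the advisory: c:\windows\installer\<name>.msi
CACHED_MSI = re.compile(r'(?i)c:\\windows\\installer\\[^\\"\s]+\.msi')
# Assumption: %TEMP% is at its default per-user location.
USER_TEMP = re.compile(r"(?i)^c:\\users\\[^\\]+\\appdata\\local\\temp\\")

def classify(ev):
    """Return the names of the (hypothetical) rules a process-creation event matches."""
    hits = []
    is_msiexec = ev["Image"].lower().endswith("\\msiexec.exe")
    # Rule 1: repair of a cached package started without elevation.
    if (is_msiexec and ev["IntegrityLevel"] in ("Low", "Medium")
            and REPAIR_SWITCH.search(ev["CommandLine"])
            and CACHED_MSI.search(ev["CommandLine"])):
        hits.append("unelevated_msi_repair")
    # Rule 2: a SYSTEM process whose image lives in a user's temp folder.
    if ev["User"].upper() == r"NT AUTHORITY\SYSTEM" and USER_TEMP.match(ev["Image"]):
        hits.append("system_exec_from_user_temp")
    return hits

def scan(events):
    """Return (index, rule names) for every event that matches at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

# Constructed sample events (not taken from a real host or from the advisory).
SAMPLE = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"LAB\alice",
     "IntegrityLevel": "Medium",
     "CommandLine": r"msiexec.exe /fa c:\windows\installer\example.msi"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\example.tmp",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\example.tmp"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"LAB\admin",
     "IntegrityLevel": "High",
     "CommandLine": r"msiexec.exe /fa c:\windows\installer\example.msi"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
     "IntegrityLevel": "System", "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE):
        print(idx, SAMPLE[idx]["Image"], rules)
```

Either rule on its own is a hunting lead rather than a verdict; the combination worth triaging is a rule 1 hit followed shortly by a rule 2 hit in the same user's temp folder.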

Resolution

This issue was fixed as part of the March 2022 security update.

Discovery Credits

  • Ronnie Salomonsen, Mandiant

Disclosure Timeline

  • 15-Oct-2021 - Issue reported to Microsoft
  • 15-Dec-2021 - Issue confirmed by Microsoft and a fix scheduled for March 8, 2022.
  • 08-Mar-2022 - Issue fixed and security advisory released

References