MNDT-2021-0008

BeyondTrust Privilege Management for Windows prior to version 21.6 contains a local privilege escalation vulnerability.

Impact

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

Exploitability

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

CVE Reference

CVE-2021-42254

Technical Details

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\windows\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\windows\installer\[XXXXX].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.
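A hunting sketch for the behaviour described above, added here as an example and not part of the original advisory or of any vendor tooling: it correlates a non-SYSTEM user's msiexec repair of a cached MSI with a SYSTEM process whose image sits in that same user's Temp folder shortly afterwards. The event field names, the five-minute window, the default Temp path and the sample events are assumptions; matching every `/f` repair variant goes beyond the `/fa` form the advisory names.

```python
import re
from datetime import datetime, timedelta

# Repair switch (/f plus option letters, e.g. /fa) aimed at a cached MSI.
REPAIR_RE = re.compile(
    r'msiexec(?:\.exe)?"?\s+.*?/f[a-z]*\s+"?c:\\windows\\installer\\[^"\s]+\.msi',
    re.IGNORECASE)
# Process image under a user profile's default %TEMP% folder (assumed location).
USER_TEMP_RE = re.compile(r'^c:\\users\\([^\\]+)\\appdata\\local\\temp\\', re.IGNORECASE)
SYSTEM = "NT AUTHORITY\\SYSTEM"
WINDOW = timedelta(minutes=5)  # assumed correlation window

def is_cached_msi_repair(event):
    """True when a non-SYSTEM account asks msiexec to repair a cached MSI."""
    return event["user"] != SYSTEM and bool(REPAIR_RE.search(event["cmdline"]))

def system_exec_from_user_temp(event):
    """Return the profile name if SYSTEM ran an image from a user's Temp folder."""
    m = USER_TEMP_RE.match(event["image"])
    return m.group(1).lower() if m and event["user"] == SYSTEM else None

def correlate(events):
    """Pair each repair with SYSTEM executions from the requester's Temp folder."""
    findings = []
    repairs = [e for e in events if is_cached_msi_repair(e)]
    for e in events:
        profile = system_exec_from_user_temp(e)
        if profile is None:
            continue
        for r in repairs:
            same_user = r["user"].split("\\")[-1].lower() == profile
            if same_user and timedelta(0) <= e["time"] - r["time"] <= WINDOW:
                findings.append((r["user"], r["cmdline"], e["image"]))
    return findings

# Constructed process-creation events (hypothetical field names and values).
T0 = datetime(2021, 11, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "user": "CORP\\alice", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /fa c:\\windows\\installer\\1a2b3c.msi"},
    {"time": T0 + timedelta(seconds=20), "user": SYSTEM,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\example.tmp", "cmdline": ""},
    {"time": T0 + timedelta(seconds=30), "user": SYSTEM,
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"time": T0 + timedelta(hours=2), "user": SYSTEM,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe", "cmdline": ""},
]
```

A repair started through the Windows Installer API leaves no msiexec command line to match, so the SYSTEM-from-user-Temp check is also worth reviewing on its own; legitimate repairs will appear in the results and need triage.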

Resolution

The issue was fixed in version 21.6; update to this version to address the vulnerability.

Discovery Credits

  • Ronnie Salomonsen, Mandiant

Disclosure Timeline

  • 11-Oct-2021 - Issue reported to BeyondTrust
  • 15-Oct-2021 - Issue confirmed by BeyondTrust and a fix scheduled for November 4.
  • 4-Nov-2021 - Patched version released by BeyondTrust

References