MNDT-2021-0011

Flexera Revenera InstallShield for Windows prior to version 2021 R2 contains a privilege escalation vulnerability that is triggered during MSI repair of an MSI built with an InstallScript custom action.

Impact

High - Exploiting the vulnerability gives a local unprivileged attacker SYSTEM-level privileges.

Exploitability

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

CVE Reference

CVE-2021-41526

Technical Details

During MSI repair, InstallScript custom actions, if configured in the project, are run by extracting the InstallScript engine files to a unique folder in the user’s TEMP directory and executing them from there.

The InstallScript engine files include an executable named ISBEW64.EXE, which is executed while the InstallScript code runs. Because a low-privilege user can invoke MSI repair, that user can escalate to “NT Authority/SYSTEM” by replacing ISBEW64.EXE in the TEMP folder with a malicious one.
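A detection sketch for the behaviour described above, added here as an example and not part of the advisory or of any vendor tooling: it flags process-creation events where ISBEW64.EXE runs as SYSTEM from a folder under a user profile's TEMP directory, which is the user-writable location the advisory describes. The event field names (`Computer`, `User`, `Image`, modelled on Sysmon process-creation records), the profile path layout and all sample events are assumptions constructed for the example.

```python
import ntpath
import re

# Assumption: default profile layout, C:\Users\<name>\AppData\Local\Temp\...
USER_TEMP = re.compile(r"^[a-z]:\\users\\([^\\]+)\\appdata\\local\\temp\\", re.I)
ENGINE_NAME = "isbew64.exe"           # executable named in the advisory
SYSTEM_USER = "nt authority\\system"  # account name as it appears in the User field

def flag_event(event):
    """Return a finding if ISBEW64.EXE ran as SYSTEM from a user's TEMP, else None."""
    # normpath converts '/' to '\\' and collapses '..' so path tricks cannot hide the match
    image = ntpath.normpath(event.get("Image", ""))
    if ntpath.basename(image).lower() != ENGINE_NAME:
        return None
    if event.get("User", "").lower() != SYSTEM_USER:
        return None
    match = USER_TEMP.match(image)
    if match is None:
        return None  # not under a user profile's TEMP directory
    return {"computer": event.get("Computer"), "image": image,
            "profile": match.group(1)}

def scan(events):
    """Return findings for every matching event, in input order."""
    return [f for f in (flag_event(e) for e in events) if f is not None]

# Constructed sample events; folder names are placeholders, not real values.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\{UNIQUE-FOLDER}\\ISBEW64.EXE"},
    {"Computer": "WS02", "User": "CORP\\bob",   # same binary, not running as SYSTEM
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\{UNIQUE-FOLDER}\\ISBEW64.EXE"},
    {"Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM",  # not a user profile TEMP
     "Image": "C:\\Windows\\Temp\\{UNIQUE-FOLDER}\\ISBEW64.EXE"},
    {"Computer": "WS04", "User": "NT AUTHORITY\\SYSTEM",  # different executable
     "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\setup.exe"},
    {"Computer": "WS05", "User": "nt authority\\system",  # mixed separators and '..'
     "Image": "C:/Users/dave/AppData/Local/Temp/x/../{UNIQUE-FOLDER}/isbew64.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A match does not by itself mean the binary was replaced; it identifies hosts where a repair ran the engine as SYSTEM from a user-writable path, so the installer's InstallShield version can be checked against the fixed release.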

Resolution

The issue was fixed in version 2021 R2. Update to this version to address the vulnerability.

Discovery Credits

  • Ronnie Salomonsen, Mandiant

Disclosure Timeline

  • 18-Nov-2021 - Issue reported to Flexera Revenera
  • 24-Nov-2021 - Issue confirmed by Flexera Revenera and a fix scheduled for December 17
  • 17-Dec-2021 - Patched version released by Flexera Revenera

References