MNDT-2021-0011
Flexera Revenera InstallShield for Windows prior to version 2021 R2 contains a privilege escalation vulnerability that is triggered during MSI repair of an MSI built with an InstallScript custom action.
Impact
High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.
Exploitability
Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.
CVE Reference
CVE-2021-41526
Technical Details
During MSI repair, any InstallScript custom actions configured in the project are run by first extracting the InstallScript engine files to a uniquely named folder in the user’s TEMP directory and then executing them from that folder.
Among the InstallScript engine files is an executable named ISBEW64.EXE, which is run while the InstallScript code executes. Because the extraction folder sits in the user’s TEMP directory while the repair itself runs with elevated privileges, a low-privileged user can start an MSI repair and, by replacing ISBEW64.EXE in that folder with a file of their choosing, have it executed as NT AUTHORITY\SYSTEM.
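The pattern described above (an elevated msiexec.exe launching a helper binary out of a per-user TEMP folder) is something a detection engineer can look for in process-creation telemetry. The following Python script is an added example written for this advisory, not code from Mandiant or Flexera. It parses constructed, Sysmon-style process-creation records (a simplified `key=value|key=value` line format, not real Sysmon XML) and flags any process that runs as NT AUTHORITY\SYSTEM from a path under a user profile's `AppData\Local\Temp`, with a more specific label when the parent is msiexec.exe and the image is ISBEW64.EXE. All sample paths, user names and the GUID-like folder name are constructed.

```python
"""Flag SYSTEM-level executions of binaries located in a per-user TEMP directory.

Added example for MNDT-2021-0011; the log lines below are constructed for
illustration and do not come from the advisory or from any real host.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# A per-user TEMP folder is writable by that user; anything SYSTEM runs from
# there is worth a closer look regardless of which installer produced it.
USER_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE
)
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    user: str           # account the new process runs as


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        image=fields["Image"],
        parent_image=fields["ParentImage"],
        user=fields["User"],
    )


def is_system_exec_from_user_temp(ev: ProcessEvent) -> bool:
    """True when a SYSTEM process image lives under a user's AppData\\Local\\Temp."""
    return ev.user.upper() == SYSTEM_ACCOUNT.upper() and bool(USER_TEMP_RE.match(ev.image))


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, ProcessEvent]]:
    """Return (reason, event) pairs for every record matching the pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_system_exec_from_user_temp(ev):
            continue
        parent_name = ev.parent_image.rsplit("\\", 1)[-1].lower()
        image_name = ev.image.rsplit("\\", 1)[-1].lower()
        if parent_name == "msiexec.exe" and image_name == "isbew64.exe":
            # The exact shape described in the advisory: elevated MSI repair
            # running the InstallScript engine helper out of user TEMP.
            reason = "installscript-engine-from-user-temp"
        elif parent_name == "msiexec.exe":
            reason = "msiexec-child-from-user-temp"
        else:
            reason = "system-exec-from-user-temp"
        hits.append((reason, ev))
    return hits


# Constructed sample records (not real telemetry). Record 1 mirrors the
# advisory's scenario; record 4 is a generic msiexec child from user TEMP;
# records 2, 3 and 5 should not fire.
SAMPLE_LOG = [
    r"Image=C:\Users\alice\AppData\Local\Temp\{CONSTRUCTED-GUID}\ISBEW64.exe"
    r"|ParentImage=C:\Windows\System32\msiexec.exe|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\msiexec.exe"
    r"|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Users\alice\AppData\Local\Temp\setup.exe"
    r"|ParentImage=C:\Windows\explorer.exe|User=CORP\alice",
    r"Image=C:\Users\bob\AppData\Local\Temp\helper.exe"
    r"|ParentImage=C:\Windows\System32\msiexec.exe|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\Temp\installer-helper.exe"
    r"|ParentImage=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM",
]


if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_LOG):
        print(f"[{reason}] {ev.user} ran {ev.image} (parent: {ev.parent_image})")
```

Run against the constructed sample, the script reports the first and fourth records and stays quiet on the others. The broad rule (SYSTEM running anything from a user-writable TEMP path) is the durable one; the ISBEW64.EXE-specific label only helps triage alerts that match this advisory's scenario, and a real deployment would read Sysmon Event ID 1 or equivalent EDR events rather than this constructed format.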
Resolution
The issue was fixed in version 2021 R2. Update to this version to address the vulnerability.
Discovery Credits
- Ronnie Salomonsen, Mandiant
Disclosure Timeline
- 18-Nov-2021 - Issue reported to Flexera Revenera
- 24-Nov-2021 - Issue confirmed by Flexera Revenera and a fix scheduled for December 17
- 17-Dec-2021 - Patched version released by Flexera Revenera