CVE-2021-42255: Vulnerability-Disclosures/MNDT-2022-0022.md at master · mandiant/Vulnerability-Disclosures

AppGuard Enterprise before 6.7.100.1 creates a Temporary File in a Directory with Insecure Permissions. Local users can gain SYSTEM privileges because a repair operation relies on the %TEMP% directory of an unprivileged user.


MNDT-2022-0022

Description

AppGuard Agent for Windows contains a local privilege escalation vulnerability prior to version 6.7.100.1.

Impact

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

Exploitability

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

CVE Reference

CVE-2021-42255

Common Weakness Enumeration

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Common Vulnerability Scoring System

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Technical Details

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\windows\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\windows\installer\[XXXXX].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.
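The weakness described above reduces to one observable pattern from the defender's side: a process running in the SYSTEM context whose executable image lives inside an unprivileged user's %TEMP% directory, typically spawned by the Windows Installer service. The following is an added detection example, not code from the Mandiant advisory or from AppGuard. It runs over a handful of constructed process-creation records (loosely modelled on Sysmon Event ID 1 fields such as Image, ParentImage and User, but not real telemetry) and flags that pattern. It assumes the default per-user temp location under C:\Users\<name>\AppData\Local\Temp; environments that redirect %TEMP% would need the regular expression adjusted.

```python
import re

# Constructed sample process-creation records (not real Sysmon output).
# Fields mimic Sysmon Event ID 1: Image, ParentImage, User, CommandLine.
SAMPLE_EVENTS = [
    {   # SYSTEM executing a temp file from alice's profile, parent msiexec:
        # this is the pattern the advisory describes and should be flagged.
        "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MSI1234.tmp",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\MSI1234.tmp\"",
    },
    {   # The Windows Installer service itself: benign, system path.
        "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
        "CommandLine": "C:\\Windows\\System32\\msiexec.exe /V",
    },
    {   # Unprivileged user running something from their own temp: not a
        # privilege boundary crossing, so not flagged by this rule.
        "User": "DESKTOP-01\\alice",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "setup_helper.exe",
    },
    {   # SYSTEM executing from the machine-wide temp directory, not a
        # user profile: outside the scope of this rule.
        "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\Temp\\MSI5678.tmp",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "C:\\Windows\\Temp\\MSI5678.tmp",
    },
]

# Default per-user %TEMP% location; group 1 captures the profile name.
USER_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\([^\\]+)\\AppData\\Local\\Temp\\", re.IGNORECASE
)

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def profile_user_of_temp_path(path: str):
    """Return the profile name if `path` is inside a user's %TEMP%, else None."""
    m = USER_TEMP_RE.match(path)
    return m.group(1) if m else None


def is_user_temp_path(path: str) -> bool:
    return profile_user_of_temp_path(path) is not None


def find_system_exec_from_user_temp(events):
    """Flag SYSTEM-context processes whose image sits in a user's %TEMP%.

    Each finding records which user's temp directory was used (useful for
    triage) and whether the parent was msiexec.exe, which is the installer
    repair path the advisory describes.
    """
    findings = []
    for ev in events:
        if ev["User"].upper() != SYSTEM_ACCOUNT.upper():
            continue
        owner = profile_user_of_temp_path(ev["Image"])
        if owner is None:
            continue
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "image": ev["Image"],
            "profile_user": owner,
            "via_msiexec": parent == "msiexec.exe",
        })
    return findings


if __name__ == "__main__":
    for f in find_system_exec_from_user_temp(SAMPLE_EVENTS):
        print(f"SYSTEM executed {f['image']} from {f['profile_user']}'s %TEMP% "
              f"(parent msiexec: {f['via_msiexec']})")
```

A rule like this is noisy on its own, because some legitimate installers also stage files in the invoking user's temp directory; the `via_msiexec` flag and the profile owner are there so an analyst can correlate the hit with a repair operation launched by that same unprivileged user, which is the combination the advisory identifies as the risk.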

Resolution

The issue was fixed in version 6.7.100.1. Update to this version to address the vulnerability.

Discovery Credits

  • Ronnie Salomonsen, Mandiant

Disclosure Timeline

  • 13-Oct-2021 - Issue reported to AppGuard.
  • 08-Nov-2021 - Issue confirmed by AppGuard and a fix scheduled for March 1, 2022.
  • 01-Mar-2022 - Issue fixed.

References

  • Mitre CVE-2021-42255
