CVE-2021-41526: Privilege escalation vulnerability during MSI repair for MSI packages built with an InstallScript custom action
Summary:
A vulnerability has been reported in Windows Installer (MSI) packages built with an InstallScript custom action. It may allow privilege escalation when 'repair' is invoked on an MSI that contains an InstallScript custom action.
Description:
During MSI repair, any InstallScript custom actions configured in the project are run by first extracting the InstallScript engine files to a uniquely named folder under the user's TEMP directory and then executing them from there.
The InstallScript engine files include an executable named ISBEW64.EXE, which is run as part of the InstallScript code execution. Because the engine files are staged in a user-writable TEMP folder while the repair itself runs with elevated rights, a low-privileged user who invokes the repair can escalate to "NT Authority/SYSTEM" by replacing ISBEW64.EXE in that TEMP folder with a malicious one.
Microsoft released a patch for a Windows Installer elevation-of-privilege vulnerability (CVE-2021-1661, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1661) earlier this year. It is advised to apply this patch.
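The pattern described above (an elevated process started from a binary that sits in a per-user TEMP folder) is something a detection engineer can look for in process-creation telemetry. The following is an added example, not Revenera's or InstallShield's code: it parses a small set of constructed Sysmon-style process-creation records (the pipe-separated key=value layout and the sample lines are made up for this illustration) and flags any process running as NT AUTHORITY\SYSTEM whose image lives under a user's profile TEMP directory, with a specific reason tag when the image is ISBEW64.exe spawned by msiexec.exe as in this advisory.

```python
"""Detection sketch: SYSTEM-integrity process launched from a per-user TEMP
directory. Added example, not code from the advisory or from InstallShield.
The record format and SAMPLE_EVENTS below are constructed for illustration."""
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple, Optional

# Accounts whose processes we care about; the advisory names SYSTEM.
HIGH_PRIV_USERS = {r"nt authority\system"}

# Constructed sample records (not real telemetry). EventID=1 is process creation.
SAMPLE_EVENTS = r"""
EventID=1|User=NT AUTHORITY\SYSTEM|Image=C:\Windows\System32\msiexec.exe|ParentImage=C:\Windows\System32\services.exe
EventID=1|User=NT AUTHORITY\SYSTEM|Image=C:\Users\alice\AppData\Local\Temp\{3F2A}\ISBEW64.exe|ParentImage=C:\Windows\System32\msiexec.exe
EventID=1|User=CORP\alice|Image=C:\Users\alice\AppData\Local\Temp\setup_helper.exe|ParentImage=C:\Windows\explorer.exe
EventID=1|User=NT AUTHORITY\SYSTEM|Image=C:\Windows\Temp\ISBEW64.exe|ParentImage=C:\Windows\System32\msiexec.exe
EventID=3|User=NT AUTHORITY\SYSTEM|Image=C:\Users\bob\AppData\Local\Temp\ISBEW64.exe|DestinationIp=10.0.0.5
"""


class Finding(NamedTuple):
    user: str
    profile_owner: str
    image: str
    image_name: str
    parent_image: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for chunk in line.strip().split("|"):
        if "=" in chunk:
            key, _, value = chunk.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def is_user_temp_path(path: str) -> Optional[str]:
    """Return the profile owner if `path` lies under
    <drive>:\\Users\\<owner>\\AppData\\Local\\Temp (case-insensitive), else None.
    C:\\Windows\\Temp is deliberately not matched: the rule targets the
    per-user TEMP location the advisory describes."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 7:
        return None
    folded = [p.lower() for p in parts]
    if folded[1] == "users" and folded[3:6] == ["appdata", "local", "temp"]:
        return parts[2]
    return None


def detect_system_exec_from_user_temp(lines: List[str]) -> List[Finding]:
    """Flag process-creation records where a high-privilege account runs an
    image located in some user's TEMP folder."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue  # only process-creation records
        user = ev.get("User", "")
        if user.lower() not in HIGH_PRIV_USERS:
            continue
        image = ev.get("Image", "")
        owner = is_user_temp_path(image)
        if owner is None:
            continue
        image_name = PureWindowsPath(image).name
        parent = ev.get("ParentImage", "")
        # The advisory's exact scenario: the InstallScript engine executable
        # started by msiexec.exe out of a user-writable TEMP folder.
        if (image_name.lower() == "isbew64.exe"
                and PureWindowsPath(parent).name.lower() == "msiexec.exe"):
            reason = "installscript-engine-from-user-temp"
        else:
            reason = "system-process-from-user-temp"
        findings.append(Finding(user, owner, image, image_name, parent, reason))
    return findings


def sample_findings() -> List[Finding]:
    """Run the detection over the constructed sample records."""
    return detect_system_exec_from_user_temp(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.reason}: {f.user} ran {f.image} (profile of {f.profile_owner}), parent {f.parent_image}")
```

Only the second sample record is flagged: the msiexec.exe launch from System32 and the ISBEW64.exe copy under C:\Windows\Temp are not in a per-user TEMP path, the setup_helper.exe record runs as an ordinary user, and the EventID=3 record is a network event rather than a process creation. In a real deployment the same predicate maps directly onto a SIEM query over Sysmon Event ID 1 or Windows Security Event 4688 fields.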
Resolution:
The privilege escalation during InstallScript custom action execution in MSI repair has been fixed in the InstallShield 2021 R2 release. You can download the release from your Product and License Center (PLC). Note: You must have a community login with PLC access to download this fix.
A hotfix is available for InstallShield 2020 R3 SP1 and InstallShield 2019 R3. You can download the hotfix here: InstallShield MSI Repair-Privilege Escalation Hotfix
Workaround:
1. Disable the repair option when building the MSI package.
2. Remove InstallScript custom actions, or replace them with another type of custom action.
Additional Information:
Thank you to Ronnie Salomonsen (Mandiant) for helping identify this vulnerability and disclosing it to Revenera under a responsible disclosure process.