CVE-2024-6974 Windows SDP Client: Local Privilege Escalation via self-upgrade

Description

The self-upgrade mechanism in the Windows SDP client saves a client installation file in C:\Windows\Temp.

This folder is writeable by all users, even low-privileged ones.

When the installer is run by the Cato VPN service, it looks for a file named 'msiexec.exe' in its own path.

A low-privileged attacker on the local machine can exploit this to gain NT AUTHORITY\SYSTEM permissions, by creating a malicious file with this name in the installer directory.

Severity

The CVSSv3.1 score is 8.8 (High).

What Changes Do I Need to Make? 

Use the SDP User Dashboard to identify users with Windows Client versions below 5.10.34. Make sure they upgrade to the newest Windows Client version and receive the most recent security patches and enhancements.
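One way to triage a list of clients against the fixed version, as an added example that is not Cato's code. The CSV column names and sample rows are constructed assumptions, not the SDP User Dashboard's actual export format.

```python
import csv
import io

FIXED = (5, 10, 34)  # first fixed Windows Client version, per this advisory

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = """user,os,client_version
alice@example.com,Windows,5.10.34
bob@example.com,Windows,5.9.100
carol@example.com,Windows,5.10.21.1
dave@example.com,macOS,5.4.0
erin@example.com,Windows,unknown
frank@example.com,Windows,5.11
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_vulnerable(version):
    """Compare numerically (5.9.100 < 5.10.34), padding so 5.11 == 5.11.0."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(FIXED)

def triage(export_text):
    """Split Windows rows into needs-upgrade and unparseable-version lists."""
    needs_upgrade, unknown = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["os"].strip().lower() != "windows":
            continue  # this advisory covers the Windows client only
        version = parse_version(row["client_version"])
        if version is None:
            unknown.append(row["user"])  # review manually, do not assume patched
        elif is_vulnerable(version):
            needs_upgrade.append(row["user"])
    return needs_upgrade, unknown

if __name__ == "__main__":
    upgrade, unknown = triage(SAMPLE_EXPORT)
    print("Upgrade required:", upgrade)
    print("Version unknown:", unknown)
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 5.9.100 above 5.10.34 and miss that client.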

Acknowledgments

Cato Networks thanks AmberWolf for detecting and identifying the issue. Full technical details can be found in their blog post:

https://blog.amberwolf.com/blog/2024/july/cve-2024-6974-cato-client-local-privilege-escalation-via-self-upgrade/

What is the Impact on the Account? 

If you don’t upgrade to Windows Client v5.10.34 or higher, devices with lower versions will be vulnerable. To the best of our knowledge, none of these issues has been exploited in the wild.

Who Do I Talk to If I Have Questions? 

Please contact Support.
