A short note for readers who use the Zscaler Client Connector in their environment. Three vulnerabilities, CVE-2023-41972, CVE-2023-41973 and CVE-2023-41969, have been disclosed by security researchers. Chained correctly, they can be abused for an interaction-free local privilege escalation attack on the affected system.
What is the ZScaler Client Connector?
Zscaler is a global cloud-based information security company that enables secure digital transformation for mobile and cloud environments.
The Zscaler Client Connector is a lightweight agent for user endpoints that enables hybrid working by providing secure, fast and reliable access to any app over any network. It also encrypts user traffic and routes it to the Zscaler Zero Trust Exchange – the world's largest inline security cloud that acts as an intelligent control center to securely connect users directly to applications.
Vulnerabilities in the client connector
I came across the topic via the following tweet, which is described in more detail on Medium in the article Catch me if you can — Local Privilege Escalation in Zscaler Client Connector and here.
GovTech's Cybersecurity Group (CSG) recently worked with CSIT to evaluate products in the Zscaler Zero Trust Network Access suite. During the investigation, several vulnerabilities were discovered in the Zscaler Client Connector application (prior to version 4.2.1), which Zscaler ultimately assigned CVEs:
- Incorrect type validation in password validation (CVE-2023-41972)
- Missing input validation in Zscaler Client Connector allows arbitrary code execution (CVE-2023-41973)
- ZSATrayManager: Arbitrary deletion of files (CVE-2023-41969)
By chaining these vulnerabilities together, security researchers Eugene Lim and Winston Ho were able to escalate the privileges of a standard Windows user and execute arbitrary commands as the highly privileged NT AUTHORITY\SYSTEM service account. The background is that the Zscaler Client Connector consists of two main processes: ZSATray and ZSATrayManager.
ZSATrayManager is the service that runs as the NT AUTHORITY\SYSTEM user and performs the required high-privileged actions such as network management, configuration enforcement and updates. ZSATray, on the other hand, is the user-facing front-end application built on the .NET Framework. The vulnerabilities allowed the researchers to abuse the privileges of the ZSATrayManager service from the ZSATray front end. DLL hijacking was also used.
Zscaler closed the vulnerabilities between July 2023 and December 2023 and disclosed them in this article at the end of March 2024. Details on the vulnerabilities and the attack vector worked out by the researchers can be found in the article here.
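As an added check (not part of the original post and not Zscaler's own tooling), the following PowerShell snippet enumerates the standard Windows uninstall registry keys and flags any Zscaler Client Connector installation older than 4.2.1, the first version the post names as fixed. The DisplayName pattern "Zscaler" and the reliance on the DisplayVersion value are assumptions; verify them against one known host before running the check fleet-wide.

```powershell
# Added example: report Zscaler Client Connector installs older than 4.2.1
# (the fixed version named in the post). Assumptions: the product registers
# under the standard Uninstall keys with a DisplayName containing "Zscaler"
# and a parseable DisplayVersion; adjust the pattern for your environment.
$FixedVersion  = [version]'4.2.1'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-ZccVulnerable {
    $results = foreach ($item in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue) {
        if ($item.DisplayName -notmatch 'Zscaler') { continue }

        # Some products append build suffixes; keep only the dotted numeric prefix.
        $clean  = [string]$item.DisplayVersion -replace '[^0-9.].*$', ''
        $parsed = $null
        if (-not [version]::TryParse($clean, [ref]$parsed)) {
            [pscustomobject]@{ Name = $item.DisplayName; Version = $item.DisplayVersion; Status = 'UNPARSEABLE' }
            continue
        }

        $status = if ($parsed -lt $FixedVersion) { 'VULNERABLE (pre-4.2.1)' } else { 'OK' }
        [pscustomobject]@{ Name = $item.DisplayName; Version = $parsed; Status = $status }
    }
    return $results
}

# Run locally; wrap in Invoke-Command for remote hosts.
Test-ZccVulnerable | Format-Table -AutoSize
```

An empty result means no matching DisplayName was found, not that the host is patched; confirm the pattern on a host where the connector is known to be installed.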