Skip to content

RSA NetWitness Platform EDR Agent / Incorrect Access Control - Code Execution

License

Notifications You must be signed in to change notification settings

hyp3rlinx/CVE-2022-47529

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2022-47529

RSA NetWitness Platform EDR Agent / Incorrect Access Control - Code Execution

During a security audit of the EDR agent I discovered a novel vector to tamper with the service with only standard user rights by targeting an insecure Win32 memory event object. Hijacking the service config can also be done if running the exploit as admin.

CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands.

Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report.

SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe

[Network Access] Local

[References] https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935

About

RSA NetWitness Platform EDR Agent / Incorrect Access Control - Code Execution

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages