A critical vulnerability (CVE-2023-27470) has been identified in the N-able Take Control Agent, a popular remote monitoring and management (RMM) solution used by IT service providers worldwide. This vulnerability exists in versions up to and including 7..41.1141 and has been fixed in version 7..43. The vulnerability lies in the BASupSrvcUpdater.exe component and can lead to arbitrary file deletion, posing serious security risks to affected systems.

Exploit Details

The vulnerability is caused by a Time of Check to Time of Use (TOCTOU) race condition that occurs in a specific component of the software. When the BASupSrvcUpdater.exe program processes an update, it reads a pseudo-symlink located at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates. This pseudo-symlink is not resolved before the file is deleted, which could allow an attacker to exploit the race condition and delete arbitrary files on the target system.

Here's a code snippet demonstrating the TOCTOU race condition:

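#include <stdio.h>
#include <stdlib.h>

// Illustrative pattern only. validate_symlink() stands in for the updater's
// check, and process_push_update() is a placeholder name for this snippet.
int validate_symlink(FILE *fp);

void process_push_update(void)
{
    // fopen() and remove() do not expand %PROGRAMDATA%, so build the path first.
    char path[512];
    const char *program_data = getenv("PROGRAMDATA");
    if (program_data == NULL)
        return;
    snprintf(path, sizeof path,
             "%s\\GetSupportService_N-Central\\PushUpdates\\symlink.lnk", program_data);

    FILE *fp = fopen(path, "r");
    if (fp != NULL) {
        // TOCTOU Race Condition: Time of check
        if (validate_symlink(fp)) {
            fclose(fp);

            // TOCTOU Race Condition: Time of use
            // The symlink target might have changed in the meantime
            remove(path);
        } else {
            fclose(fp);
        }
    }
}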

This TOCTOU race condition can be exploited to delete arbitrary files on the target system by manipulating the symlink. An attacker could use this vulnerability to delete important files, which could result in various attack scenarios, including denial of service, data exfiltration, privilege escalation, and system takeover.
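For contrast with the check-then-use pattern above, the following added example (not N-able's fix and not code from the original advisory) shows a deletion routine that closes the gap by pinning the directory to a handle and running both the check and the delete against that handle. It is a POSIX analogue of the Windows scenario; the function name `safe_delete_in_dir` and the sample paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete entry `name` inside directory `dir` with no path-based check/use gap.
 * Returns 0 on success, -1 if a check or the delete fails.
 * (safe_delete_in_dir is a name made up for this example.) */
int safe_delete_in_dir(const char *dir, const char *name)
{
    struct stat ds, es;
    int rc = -1;

    if (strchr(name, '/') != NULL)          /* entry name only, no sub-paths */
        return -1;

    /* Pin the directory once. O_NOFOLLOW fails if `dir` itself is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    /* Check: every test runs against the pinned handle, never the path string. */
    if (fstat(dfd, &ds) == 0 &&
        ds.st_uid == geteuid() &&                      /* directory is ours */
        (ds.st_mode & (S_IWGRP | S_IWOTH)) == 0 &&     /* others cannot swap entries */
        fstatat(dfd, name, &es, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISREG(es.st_mode))                           /* plain file, not a link */
        rc = unlinkat(dfd, name, 0);   /* Use: resolved relative to the same handle */

    close(dfd);
    return rc;
}

int main(void)
{
    /* Constructed sample: a private temp directory holding one file. */
    char dir[] = "/tmp/pushupd-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/update.tmp", dir);
    close(open(path, O_CREAT | O_WRONLY, 0600));
    printf("delete update.tmp: %d\n", safe_delete_in_dir(dir, "update.tmp"));
    rmdir(dir);
    return 0;
}
```

Because `unlinkat` removes only the named entry inside the pinned directory, redirecting the directory path after the check cannot steer the delete to a file elsewhere.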

Original References

The vulnerability was responsibly disclosed by security researchers who provided accurate details about the exploit, including a proof of concept, to help users understand the risk.

- N-able Security Advisory: https://n-able.com/security-advisory-cve-2023-27470
- Exploit Proof-of-Concept: https://github.com/advisories/CVE-2023-27470
- NIST Vulnerability Database Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-27470

Mitigation

To mitigate this vulnerability and protect your systems, users should immediately update to the latest version of N-able Take Control Agent, which is 7..43 or later. The updated version includes a fix for the CVE-2023-27470 vulnerability and ensures that the TOCTOU race condition is no longer present.

Conclusion

CVE-2023-27470 is a critical vulnerability affecting the N-able Take Control Agent up to version 7..41.1141. The vulnerability lies in the BASupSrvcUpdater.exe component and allows attackers to exploit the TOCTOU race condition to delete arbitrary files on a target system. Users are urged to update their systems to version 7..43 or later to mitigate this risk and ensure their systems are protected against potential attacks.

Timeline

Published on: 09/11/2023 15:15:52 UTC
Last modified on: 09/13/2023 17:04:11 UTC