A critical vulnerability (CVE-2023-28142) has been discovered in the Qualys Cloud Agent for Windows, affecting versions from 3.1.3.34 up to but not including 4.5.3.1. The flaw is a race condition during the uninstallation of the Qualys Cloud Agent for Windows that allows a local attacker to escalate privileges. Successful exploitation could give the attacker SYSTEM-level privileges and the ability to execute arbitrary commands on the affected machine.

It is important to note that versions of the Qualys Cloud Agent for Windows before 4. have reached End of Life and are no longer supported or patched.

Vulnerability Details

A race condition occurs when multiple processes access a shared resource concurrently without adequate synchronization. In this case, the race condition is present during the uninstallation of the Qualys Cloud Agent for Windows.

Attackers may attempt to exploit this vulnerability by monitoring the uninstallation process and quickly executing malicious code during the brief window of time when system resources are being accessed by the uninstaller.

Exploitation

To exploit this vulnerability, an attacker must already have limited privileges on the local machine. The following code snippet, or a similar payload, is then used to monitor the uninstallation process and execute arbitrary commands during the vulnerable window of time:

import os
import time
import subprocess

# Monitor uninstallation process
while True:
    try:
        uninstall_process = subprocess.Popen(["tasklist", "/FI", "imagename eq uninstall.exe"])
        uninstall_process.wait()
        # Execute arbitrary command with SYSTEM level privileges
        os.system("arbitrary-command")
        break
    except FileNotFoundError:
        time.sleep(1)

Please note that this code snippet is for illustrative purposes only and should not be used for malicious intent.

Mitigation and Remediation

Users of the Qualys Cloud Agent for Windows are strongly encouraged to upgrade to the latest version (4.5.3.1 and later) as soon as possible. This will effectively patch the reported race condition vulnerability and protect against potential exploitation.

To upgrade to the latest version, visit the official Qualys website: https://www.qualys.com/cloud-agent/

For users running an unsupported (End of Life) version of the Qualys Cloud Agent for Windows, it is essential to upgrade to a supported version immediately and implement proper security measures to protect your local machine against possible exploitation.
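The following PowerShell snippet is an added example for administrators (not code from the advisory or from Qualys): it reads the installed Qualys Cloud Agent version from the standard Windows Uninstall registry keys and reports whether it falls in the affected range of 3.1.3.34 up to but not including 4.5.3.1. It assumes the agent registers an uninstall entry whose DisplayName contains "Qualys Cloud Agent" and whose DisplayVersion is a dotted version string; both are assumptions, not facts stated on this page.

```powershell
# Added example: report whether the installed Qualys Cloud Agent for Windows
# is in the range affected by CVE-2023-28142 (3.1.3.34 <= version < 4.5.3.1).
# Assumption: the agent's uninstall entry has a DisplayName containing
# "Qualys Cloud Agent" and a parseable DisplayVersion.

function Test-QualysAgentAffected {
    param([Parameter(Mandatory)][version]$InstalledVersion)
    $affectedFrom = [version]'3.1.3.34'
    $fixedVersion = [version]'4.5.3.1'
    return ($InstalledVersion -ge $affectedFrom) -and ($InstalledVersion -lt $fixedVersion)
}

function Get-QualysAgentVersion {
    # Both 64-bit and 32-bit (WOW6432Node) uninstall hives are checked.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Qualys Cloud Agent*' } |
        ForEach-Object {
            # Skip entries whose DisplayVersion does not parse as a version
            try { [version]$_.DisplayVersion } catch { $null }
        } |
        Where-Object { $null -ne $_ }
}

$versions = @(Get-QualysAgentVersion)
if ($versions.Count -eq 0) {
    Write-Output 'Qualys Cloud Agent for Windows not found in the Uninstall registry keys.'
} else {
    foreach ($v in $versions) {
        if (Test-QualysAgentAffected -InstalledVersion $v) {
            Write-Output "Installed version $v is affected by CVE-2023-28142: upgrade to 4.5.3.1 or later."
        } elseif ($v -lt [version]'4.5.3.1') {
            # Below the stated affected range, but such versions are End of Life per the advisory
            Write-Output "Installed version $v predates the affected range but is End of Life: upgrade."
        } else {
            Write-Output "Installed version $v is at or above the fixed version 4.5.3.1."
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable in full; the same range check can be applied to version strings collected by an inventory tool.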

Original References

- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28142
- Qualys Cloud Agent for Windows: https://www.qualys.com/cloud-agent/

Conclusion

This post has detailed the CVE-2023-28142 vulnerability in the Qualys Cloud Agent for Windows, which arises from a race condition during the uninstallation process. Attackers can exploit this vulnerability to escalate their local privileges and execute arbitrary commands with SYSTEM-level authority. To mitigate this risk, users should promptly upgrade their Qualys Cloud Agent for Windows to the latest version and follow best practices for securing their systems.

Timeline

Published on: 04/18/2023 16:15:00 UTC
Last modified on: 04/28/2023 13:18:00 UTC