CVE-2023-41969

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Mar 26, 2024 / Updated: 7mo ago

CVSS 7.3 (High) / EPSS 0.04%

An arbitrary file deletion vulnerability exists in ZSATrayManager, in the code that protects the temporary encrypted ZApp issue-reporting file from access and modification by the unprivileged end user. Fixed version: Win ZApp 4.3.0 and later.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Timeline

CVE Assignment

NVD published the first details for CVE-2023-41969

Mar 26, 2024 at 8:15 AM
First Article

Feedly found the first article mentioning CVE-2023-41969.

Mar 26, 2024 at 3:24 PM / National Vulnerability Database
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.5%)

Mar 28, 2024 at 5:36 PM
Threat Intelligence Report

The ZSATrayManager Arbitrary File Deletion vulnerability (CVE-2023-41969), discovered by Winston Ho and a colleague, allows zero-interaction local privilege escalation in Zscaler Client Connector. This critical vulnerability bypasses several checks, including Authenticode verification, posing a significant risk if exploited in the wild. Mitigations, detections, or patches for this vulnerability are not mentioned, potentially impacting other third-party vendors or technologies that rely on Zscaler Client Connector.

May 28, 2024 at 6:15 AM

Links to Mitre Att&cks

T1547.009: Shortcut Modification

Attack Patterns

CAPEC-132: Symlink Attack

References

Threat Intel Roundup: glibc, Anatsa, iconv, NahamCon
The proof-of-concept exploit for CVE-2024-2961 involves a series of three requests, which demonstrate the steps an attacker might take to leverage this vulnerability for executing arbitrary commands on the target system: Exploitation involves crafting a special input string that causes a buffer overflow, potentially leading to arbitrary code execution.
Catch me if you can — Local Privilege Escalation in Zscaler Client Connector
Most software, including ZScaler Client Connector, implements checks to ensure the RPC calls made originate from trusted processes. By chaining together several low-level vulnerabilities and bypasses, we (Eugene Lim and Winston Ho) were able to escalate a standard user’s privileges to execute arbitrary commands as the high-privileged NT AUTHORITY\SYSTEM service account on Windows.

News

CyberSecurity Newsletter June 3rd 2024
Vulnerable Palo Alto Networks PAN-OS firewalls impacted by the flaw tracked as CVE-2024-3400 have been targeted by suspected Lazarus Group-linked threat actors to distribute an updated version of the RedTail cryptocurrency mining malware since late April: https://www.scmagazine.com/brief/new-redtail-cryptominer-attacks-involve-palo-alto-firewall-exploit
Vulnerabilities in the ZScaler Client-Connector
The Zscaler Client Connector is a lightweight agent for user endpoints that enables hybrid working by providing secure, fast and reliable access to any app over any network. The vulnerabilities allowed the security researchers to exploit the privileges of the ZSATrayManager service in the ZSATray frontend.
Zscaler Client Connector Zero-interaction Privilege Escalation Vulnerability
The Zscaler Client Connector consists of two main processes: ZSATray and ZSATrayManager. Though each of these vulnerabilities is a low-level bypass on its own, chaining them escalates a threat actor from standard user privileges to the high-privileged NT AUTHORITY\SYSTEM service account on Windows.
Cache Me If You Can: Local Privilege Escalation in Zscaler Client Connector (CVE-2023-41973)
A couple months ago, my colleague Winston Ho and I chained a series of unfortunate bugs into a zero-interaction local privilege escalation in Zscaler Client Connector. This was an interesting journey into Windows RPC caller validation and bypassing several checks, including Authenticode verification. Check out the original Medium blogpost for Winston’s own ZSATrayManager Arbitrary File Deletion (CVE-2023-41969)!

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
