CVE-2020-11632
📋 TL;DR
This vulnerability in Zscaler Client Connector allows a local attacker to execute arbitrary code with SYSTEM privileges by exploiting an unquoted service path. It affects Windows systems running Zscaler Client Connector versions prior to 2.1.2.150.
💻 Affected Systems
- Zscaler Client Connector
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and complete control over the affected system.
Likely Case
Local privilege escalation leading to lateral movement within the network, data exfiltration, and establishment of persistence mechanisms.
If Mitigated
Limited impact with proper endpoint protection, least privilege principles, and network segmentation in place.
🎯 Exploit Status
Exploitation requires local access to the system. Unquoted service path vulnerabilities are well-understood and relatively easy to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2.150 and later
Vendor Advisory: https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2020?applicable_category=Windows&applicable_version=2.1.2.105
Restart Required: Yes
Instructions:
1. Download Zscaler Client Connector version 2.1.2.150 or later from the Zscaler portal.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict write permissions to service path directories
Windows: Remove write permissions for non-administrative users on the directories in the unquoted service path (run from an elevated prompt; the trailing backslash is omitted because `\"` is parsed as an escaped quote and breaks the path argument):
icacls "C:\Program Files\Zscaler" /deny Users:(OI)(CI)W
Implement application whitelisting
Windows: Use AppLocker or Windows Defender Application Control to prevent execution of unauthorized binaries.
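The icacls workaround above only helps if it actually removes the low-privilege write access that an unquoted service path depends on. The following PowerShell script is an added example (not part of the advisory or Zscaler's own tooling) that walks every parent directory of a service executable and reports whether BUILTIN\Users, Authenticated Users or Everyone hold an effective write, modify or full-control allow ACE there. The default executable path is an assumption; pass the real ImagePath of the Zscaler service on your system.

```powershell
# Added example: audit low-privilege write access along a service path.
# Assumed default path; override with -ExePath to match the installed service.
param([string]$ExePath = 'C:\Program Files\Zscaler\ZSATray.exe')

$lowPrivGroups = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-PathPrefixes {
    param([string]$Path)
    # C:\Program Files\Zscaler\ZSATray.exe -> C:\, C:\Program Files, C:\Program Files\Zscaler
    $dir = Split-Path $Path -Parent
    $prefixes = @()
    while ($dir) { $prefixes += $dir; $dir = Split-Path $dir -Parent }
    [array]::Reverse($prefixes)
    $prefixes
}

function Test-LowPrivWrite {
    # Returns $true if a low-privilege group has an Allow ACE granting write-class
    # rights that is not cancelled by a matching Deny ACE (as icacls /deny would add).
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $null }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($lowPrivGroups -contains $id -and $ace.AccessControlType -eq 'Allow' -and
            ([int]($ace.FileSystemRights -band $writeMask)) -ne 0) {
            $denied = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Deny' -and
                ([int]($_.FileSystemRights -band $writeMask)) -ne 0
            }
            if (-not $denied) { return $true }
        }
    }
    return $false
}

foreach ($dir in Get-PathPrefixes $ExePath) {
    $writable = Test-LowPrivWrite $dir
    if ($null -eq $writable)  { $status = 'missing' }
    elseif ($writable)        { $status = 'WRITABLE by low-privilege group' }
    else                      { $status = 'ok' }
    '{0,-45} {1}' -f $dir, $status
}
```

Run it before and after applying the icacls workaround: any directory reported as writable by a low-privilege group is one where an attacker-controlled binary could be dropped into the unquoted path, so the deny ACE should cover it (or the directory's inherited permissions should be tightened).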
🧯 If You Can't Patch
- Implement strict least privilege principles - ensure users don't have administrative rights
- Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Zscaler Client Connector version in Control Panel > Programs and Features. If version is below 2.1.2.150, system is vulnerable.
Check Version:
wmic product where "name like 'Zscaler%'" get version
Verify Fix Applied:
Verify Zscaler Client Connector version is 2.1.2.150 or higher in Control Panel > Programs and Features.
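The two checks in this section (is the service path unquoted, and is the installed version below 2.1.2.150) can be scripted. The PowerShell below is an added example, not Zscaler's or the advisory's own code: it reads every service ImagePath from the registry and flags those that are unquoted and contain a space, then reads the Zscaler product version from the Uninstall keys instead of the slower `wmic product` query. It assumes an elevated session; the only hard-coded values are the 'Zscaler' name filter and the fixed version stated in the advisory.

```powershell
# Added example: detect unquoted service paths and compare the Zscaler version
# against the patched release named in the advisory.
$fixedVersion = [version]'2.1.2.150'   # patch version from the advisory

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    # A path that starts with a quote is already protected against this class of issue.
    if ($ImagePath.TrimStart().StartsWith('"')) { return $false }
    # Keep only the executable portion (up to the first '.exe'); arguments may legitimately contain spaces.
    $exePart = ($ImagePath -split '\.exe')[0]
    return ($exePart -match '\s')
}

function Get-UnquotedServices {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
        if ($p -and (Test-UnquotedServicePath $p.ImagePath)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $p.ImagePath }
        }
    }
}

function Get-ZscalerVersion {
    # Uninstall keys (64-bit and WOW6432Node) are what Programs and Features displays.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zscaler*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

# --- report ---
$unquoted = @(Get-UnquotedServices)
if ($unquoted.Count -gt 0) {
    Write-Warning 'Services with an unquoted, space-containing ImagePath:'
    $unquoted | Format-Table -AutoSize
} else {
    Write-Host 'No unquoted service paths found.'
}

foreach ($app in Get-ZscalerVersion) {
    try { $installed = [version]$app.DisplayVersion } catch { $installed = $null }
    if ($null -eq $installed) {
        $state = "version string '$($app.DisplayVersion)' could not be parsed"
    } elseif ($installed -lt $fixedVersion) {
        $state = 'VULNERABLE (below 2.1.2.150)'
    } else {
        $state = 'patched'
    }
    Write-Host ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $state)
}
```

The unquoted-path check is generic, so it will also list any other service on the host with the same weakness; the version check is the one that decides whether this CVE applies.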
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 with parent process of Zscaler service
- Unexpected processes running as SYSTEM from unusual locations
- File creation in Zscaler installation directories by non-admin users
Network Indicators:
- Unusual outbound connections from systems running Zscaler Client Connector
- Lateral movement attempts from previously compromised systems
SIEM Query:
source="windows" EventID=4688 ParentProcessName="*\Zscaler\*" NewProcessName!="*\Zscaler\*"
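The same hunt can be run directly on an endpoint without a SIEM. The PowerShell below is an added example (not from the advisory): it pulls Security event 4688 records, extracts the parent and new process names from the event XML, and flags processes that were started by something under the Zscaler install tree but whose own image lives outside it, which is the shape an unquoted-service-path hijack produces. It assumes 'Audit Process Creation' is enabled, an elevated session, and a Windows build that records ParentProcessName in 4688; the path pattern and seven-day look-back are assumptions.

```powershell
# Added example: local hunt over Security 4688 for children of the Zscaler
# service whose image is outside the Zscaler install directory.
$installPattern = '*\Zscaler\*'          # assumed install-tree pattern
$since = (Get-Date).AddDays(-7)          # assumed look-back window

function ConvertFrom-ProcessCreationEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Parent      = $data['ParentProcessName']
        Image       = $data['NewProcessName']
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        CommandLine = $data['CommandLine']   # empty unless command-line auditing is enabled
    }
}

function Test-SuspiciousChild {
    # Parent inside the Zscaler tree, child image outside it.
    param($Record)
    return (($Record.Parent -like $installPattern) -and -not ($Record.Image -like $installPattern))
}

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    $r = ConvertFrom-ProcessCreationEvent $e
    if (Test-SuspiciousChild $r) { $r }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table Time, User, Parent, Image -AutoSize
} else {
    Write-Host "No 4688 events matching the pattern since $since"
}
```

Expect some benign hits (for example the installer or updater launching standard Windows utilities); triage by whether the child image is in a location a non-administrator can write to, which is what the advisory's permission workaround is meant to rule out.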