CVE-2021-43326
📋 TL;DR
This vulnerability in the Automox Agent on Windows allows local privilege escalation due to incorrect permissions on a temporary directory. An attacker with local access can exploit this to gain SYSTEM-level privileges. Only Windows systems running vulnerable versions of the Automox Agent are affected.
💻 Affected Systems
- Automox Agent
📦 What is this software?
Automox by Automox
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM privileges on the Windows host, enabling complete compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local attackers escalate from standard user to SYSTEM privileges to install malware, steal credentials, or maintain persistence.
If Mitigated
With proper access controls and monitoring, exploitation attempts can be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploit requires local access to the Windows system. Public exploit code is available in the Packet Storm references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 32 and later
Vendor Advisory: https://community.automox.com/product-updates-4/cve-2021-43326-and-cve-2021-43325-local-privilege-escalation-in-automox-agent-windows-only-1636
Restart Required: Yes
Instructions:
1. Update Automox Agent to version 32 or later through the Automox console.
2. Restart the affected Windows systems to ensure the updated agent is fully operational.
🔧 Temporary Workarounds
Manual Directory Permission Fix
Manually set restrictive permissions on the Automox temporary directory to prevent unauthorized write access.
icacls "C:\ProgramData\Automox\temp" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges on affected systems
- Monitor for suspicious activity related to Automox Agent processes and temporary directory access
🔍 How to Verify
Check if Vulnerable:
Check the Automox Agent version in Windows Programs and Features or with the following PowerShell command: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Automox*'} | Select-Object Name, Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Automox*'} | Select-Object Name, Version
Verify Fix Applied:
Verify the Automox Agent version is 32 or higher using the same command and check that the temporary directory permissions are properly restricted.
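The two verification steps above combined into one script, as an added example that is not part of the advisory or of Automox's own tooling. It assumes the agent registers under the standard Uninstall registry keys with a DisplayVersion whose leading number is the agent version (32 being the fixed version), and uses the temp directory path from the workaround above.

```powershell
# Added example: verify Automox Agent version and audit the temp directory ACL.
$FixedVersion = 32                             # fixed version from the vendor advisory
$TempDir      = 'C:\ProgramData\Automox\temp'  # path from the icacls workaround above

function Get-AutomoxAgentVersion {
    # Assumption: the agent appears in the Uninstall keys. Reading the registry
    # avoids Win32_Product, which is slow and triggers MSI consistency checks.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Automox*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-WeakWriteAces {
    param([string]$Path)
    # Returns Allow ACEs that give write rights to anything other than SYSTEM or
    # Administrators. GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
    # are included because Get-Acl reports some ACEs with raw generic bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000
    $trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
}

$version = Get-AutomoxAgentVersion
if (-not $version) {
    Write-Output 'Automox Agent not found in the Uninstall registry keys.'
} else {
    # Assumption: the leading numeric component is the agent version.
    $major = [int]($version -split '\.')[0]
    if ($major -ge $FixedVersion) { Write-Output "Agent $version is patched (>= $FixedVersion)." }
    else { Write-Output "Agent $version is VULNERABLE; update to version $FixedVersion or later." }
}

if (Test-Path -Path $TempDir) {
    $weak = Get-WeakWriteAces -Path $TempDir
    if ($weak) {
        Write-Output "$TempDir grants write access to non-administrative principals:"
        $weak | ForEach-Object { Write-Output "  $($_.IdentityReference)  $($_.FileSystemRights)" }
    } else {
        Write-Output "$TempDir grants no write access to non-administrative principals."
    }
} else {
    Write-Output "$TempDir does not exist; nothing to check."
}
```

Run from an elevated PowerShell session so Get-Acl can read the directory's security descriptor.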
📡 Detection & Monitoring
Log Indicators:
- Windows Event Log entries showing unauthorized access attempts to Automox directories
- Security logs showing privilege escalation attempts
Network Indicators:
- Unusual outbound connections from Automox Agent processes
SIEM Query:
EventID=4688 AND ProcessName LIKE '%automox%' AND (NewProcessName='cmd.exe' OR NewProcessName='powershell.exe')
🔗 References
- http://packetstormsecurity.com/files/165449/Automox-Agent-32-Local-Privilege-Escalation.html
- https://community.automox.com/product-updates-4/cve-2021-43326-and-cve-2021-43325-local-privilege-escalation-in-automox-agent-windows-only-1636
- https://support.automox.com/help/release-notes