CVE-2022-23714
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Elastic Endpoint Security for Windows. Unprivileged users can exploit this flaw to gain LocalSystem account privileges, allowing them to execute arbitrary code with the highest level of system access. Only Windows systems running vulnerable versions of Elastic Endpoint Security are affected.
💻 Affected Systems
- Elastic Endpoint Security
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access can gain full system control, install persistent malware, disable security controls, access all data, and compromise the entire Windows system.
Likely Case
Malicious insiders or attackers who gain initial access can elevate privileges to bypass security controls, install additional malware, or access sensitive system resources.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained, limiting lateral movement and data exfiltration.
🎯 Exploit Status
Requires local access to the system but exploitation appears straightforward based on the vulnerability description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.1, 8.3.0, and 7.17.5
Vendor Advisory: https://discuss.elastic.co/t/elastic-8-3-1-8-3-0-and-7-17-5-security-update/308613
Restart Required: Yes
Instructions:
1. Update Elastic Endpoint Security to version 8.3.1, 8.3.0, or 7.17.5 or later.
2. Restart the affected Windows systems.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable ransomware canaries feature
Temporarily disable the vulnerable ransomware canaries feature until patching can be completed.
Refer to the Elastic documentation for disabling ransomware canaries in the Endpoint Security configuration.
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges
- Enable detailed logging and monitoring for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Elastic Endpoint Security version on Windows systems. If the installed version is earlier than 8.3.1, 8.3.0, or 7.17.5, the system is vulnerable.
Check Version:
Check the Elastic Endpoint Security agent version through the Elastic console or the agent status commands.
Verify Fix Applied:
After the update, verify that the Elastic Endpoint Security version is 8.3.1, 8.3.0, 7.17.5, or later.
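The version rule above is easy to get wrong across two release branches, so here is an added example (not part of the original advisory or of Elastic's tooling) that applies it to an inventory of agent versions. It assumes the fixed releases named on this page are the per-branch minimums (7.17.5 for 7.x, 8.3.0 for 8.x, with 8.3.1 also fixed) and that anything older than the 7.17 branch counts as "before" the fix; the host names and versions in the inventory are constructed sample data.

```python
import re

# Fixed versions from the advisory: 7.17.5 (7.x branch), 8.3.0 and 8.3.1 (8.x branch).
# Treating these as per-branch minimums is an assumption made for this example.
FIXED_BY_MAJOR = {
    7: (7, 17, 5),
    8: (8, 3, 0),
}


def parse_version(text):
    """Turn '8.2.3' (optionally 'v8.2.3-SNAPSHOT' style) into a tuple of ints."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True if this Endpoint Security version predates the fix for its branch.

    Majors older than 7 are treated as vulnerable (they are 'before' every
    fixed release on this page); majors newer than 8 are treated as fixed.
    """
    v = parse_version(version_text)
    major = v[0]
    if major < 7:
        return True
    if major > 8:
        return False
    return v < FIXED_BY_MAJOR[major]


def hosts_needing_patch(inventory):
    """Return the (host, version) pairs that still run a vulnerable agent.

    `inventory` is an iterable of (hostname, version_string) pairs, e.g. exported
    from the Elastic console or an asset database.
    """
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("win-fs01", "8.2.3"),      # 8.x before 8.3.0 -> vulnerable
    ("win-fs02", "8.3.0"),      # fixed
    ("win-dc01", "8.3.1"),      # fixed
    ("win-app07", "7.17.4"),    # 7.17 before 7.17.5 -> vulnerable
    ("win-app08", "7.17.5"),    # fixed
    ("win-old01", "7.16.3"),    # older 7.x -> vulnerable
]

if __name__ == "__main__":
    for host, ver in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} runs Elastic Endpoint Security {ver}")
```

Feed it the version column from your agent inventory; every host it prints is one to schedule for the update and restart described in the Official Fix section.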
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events
- Processes running as LocalSystem from non-privileged users
- Changes to Elastic Endpoint Security configuration
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
Search for process creation events where the parent process runs as an unprivileged user and the child process runs as LocalSystem.
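The SIEM query above is described only in words, so here is an added example (not part of the original advisory, and not an Elastic detection rule) that implements the same logic in Python over a handful of constructed process-creation events. The event field names (`user`, `parent_user`, `image`, `parent_image`, `host`) are assumed for this example; in a real deployment you would map them to your log source's own fields (for instance the user and parent-user fields of a Sysmon process-creation event, or the subject and target account fields of a Windows 4688 event) and check that your source actually records the parent's account.

```python
# Accounts under which the child process counts as "LocalSystem".
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "LOCALSYSTEM"}

# Built-in service accounts that routinely spawn SYSTEM processes (services.exe,
# svchost.exe and friends); they are not "unprivileged users", so a SYSTEM child
# under them is normal and is not flagged.
SERVICE_ACCOUNTS = SYSTEM_ACCOUNTS | {
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


def _norm(account):
    return account.strip().upper()


def is_unprivileged(account, admin_accounts=frozenset()):
    """True unless the account is a service account or on the site's admin allowlist."""
    a = _norm(account)
    return a not in {_norm(s) for s in SERVICE_ACCOUNTS} and a not in {_norm(x) for x in admin_accounts}


def find_suspicious_escalations(events, admin_accounts=frozenset()):
    """Return events where an unprivileged user's process spawned a SYSTEM process.

    `events` is an iterable of dicts with at least the keys
    host, parent_user, parent_image, user, image (names assumed for this example).
    """
    hits = []
    for e in events:
        child_is_system = _norm(e["user"]) in {_norm(s) for s in SYSTEM_ACCOUNTS}
        if child_is_system and is_unprivileged(e["parent_user"], admin_accounts):
            hits.append({
                "host": e["host"],
                "parent_user": e["parent_user"],
                "parent_image": e["parent_image"],
                "image": e["image"],
            })
    return hits


# Constructed sample events (not real telemetry). Paths and users are illustrative only.
SAMPLE_EVENTS = [
    # Service manager starting a SYSTEM service: normal.
    {"host": "win-fs01", "parent_user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\Vendor\\agent.exe"},
    # Ordinary user opening a shell as themselves: normal.
    {"host": "win-fs01", "parent_user": "CORP\\alice",
     "parent_image": "C:\\Windows\\explorer.exe",
     "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe"},
    # Ordinary user's process spawning a SYSTEM shell: the pattern this page describes.
    {"host": "win-fs01", "parent_user": "CORP\\alice",
     "parent_image": "C:\\Windows\\explorer.exe",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe"},
    # Service account spawning a SYSTEM process: not an unprivileged user, not flagged.
    {"host": "win-app07", "parent_user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\wbem\\wmiprvse.exe"},
    # Known admin tooling account; flagged unless it is on the allowlist.
    {"host": "win-app07", "parent_user": "CORP\\svc-deploy",
     "parent_image": "C:\\Tools\\deploy.exe",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\msiexec.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious_escalations(SAMPLE_EVENTS, admin_accounts={"CORP\\svc-deploy"}):
        print(f"ALERT {hit['host']}: {hit['parent_user']} ({hit['parent_image']}) "
              f"spawned SYSTEM process {hit['image']}")
```

The allowlist parameter is the tuning knob: run the rule without it first to see which deployment or management accounts legitimately produce SYSTEM children on your estate, then add only those accounts, so that the rule keeps firing for ordinary interactive users, which is the case relevant to this CVE.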