CVE-2023-0213
📋 TL;DR
This vulnerability allows local attackers to escalate privileges to SYSTEM level on Windows systems by exploiting DLL hijacking in M-Files Installer. It affects all M-Files Installer versions before 22.6. Attackers need local access to execute this attack.
💻 Affected Systems
- M-Files Installer
📦 What is this software?
M-Files by M-Files
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege compromise allowing complete control over the Windows system, installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of additional malware, disabling security controls, and accessing sensitive system resources.
If Mitigated
Limited impact with proper access controls, least privilege principles, and timely patching preventing successful exploitation.
🎯 Exploit Status
DLL hijacking attacks are well-understood and relatively easy to execute with local access. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.6 and later
Vendor Advisory: https://empower.m-files.com/security-advisories/CVE-2023-0213
Restart Required: Yes
Instructions:
1. Download M-Files Installer version 22.6 or later from official M-Files sources.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system if prompted.
🔧 Temporary Workarounds
Restrict DLL search path
Platform: Windows
Configure Windows to restrict DLL search paths so DLLs are not loaded from untrusted directories. Both values live under Session Manager and must be set from an elevated PowerShell session.
# SafeDllSearchMode=1 is the default on supported Windows versions; setting it explicitly guards against it having been turned off
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode' -Value 1 -Type DWord
# CWDIllegalInDllSearch=1 only blocks DLL loads when the current directory is a WebDAV share; 2 also covers remote shares, and 0xFFFFFFFF blocks the current directory entirely
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'CWDIllegalInDllSearch' -Value 1 -Type DWord
Remove unnecessary privileges
Platform: Windows
Ensure standard users don't have write permissions to directories in the DLL search path. This hardens the installation target; the installer itself should also be run from a directory standard users cannot write to.
icacls "C:\Program Files\M-Files" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from writing to directories in the DLL search path
- Monitor for suspicious DLL loading behavior using Windows Event Logs and security tools
🔍 How to Verify
Check if Vulnerable:
Check the M-Files Installer version: open the M-Files client and go to Help > About, or check the installed programs in Control Panel. If the version is below 22.6, the system is vulnerable.
Check Version:
wmic product where "name like 'M-Files%'" get version
Verify Fix Applied:
Verify that the M-Files Installer version is 22.6 or higher using the same method, and check that the DLL hijacking protections from the workarounds above (SafeDllSearchMode, CWDIllegalInDllSearch, directory ACLs) are in place.
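A PowerShell check covering the three points above (installed version, the two DLL search path registry values, and whether standard users can write to the install directory). This is an added example, not from the advisory or from M-Files; it assumes the product's DisplayName starts with "M-Files" and that it is installed under C:\Program Files\M-Files.

```powershell
# Added example, not from the advisory or from M-Files. Assumptions: the product's
# DisplayName starts with "M-Files" and it is installed under $InstallDir.
$MinimumVersion = [version]'22.6'
$InstallDir     = 'C:\Program Files\M-Files'
$SessionMgr     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-MFilesVersion {
    # Read the Uninstall keys instead of the slow, deprecated "wmic product" query.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'M-Files*' -and ($_.DisplayVersion -as [version]) } |
        ForEach-Object { [pscustomobject]@{ Name = $_.DisplayName; Version = [version]$_.DisplayVersion } }
}

function Test-DllSearchHardening {
    $p = Get-ItemProperty -Path $SessionMgr -ErrorAction SilentlyContinue
    # SafeDllSearchMode defaults to on when the value is absent; only an explicit 0 disables it.
    # CWDIllegalInDllSearch 0xFFFFFFFF (a DWORD, read back as -1) blocks CWD loads from anywhere;
    # values 1 and 2 only cover WebDAV / remote CWDs.
    [pscustomobject]@{
        SafeDllSearchMode    = ($null -eq $p.SafeDllSearchMode) -or ($p.SafeDllSearchMode -eq 1)
        CwdBlockedAnywhere   = ($p.CWDIllegalInDllSearch -eq -1)
        CwdBlockedRemoteOnly = ($p.CWDIllegalInDllSearch -in @(1, 2))
    }
}

function Test-UsersCanWrite {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Any Allow ACE granting write-class rights to a broad principal is a hijack foothold.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users') -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

$found = Get-MFilesVersion
if (-not $found) { 'No M-Files product found in the Uninstall registry keys.' }
foreach ($v in $found) {
    $state = if ($v.Version -lt $MinimumVersion) { 'VULNERABLE (below 22.6)' } else { 'patched' }
    '{0} {1}: {2}' -f $v.Name, $v.Version, $state
}
Test-DllSearchHardening | Format-List
'Standard users can write to {0}: {1}' -f $InstallDir, (Test-UsersCanWrite -Path $InstallDir)
```

Run it from an elevated session; a "VULNERABLE" line, CwdBlockedAnywhere = False, or "can write ... True" each point at one of the mitigations above.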
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (Process Creation) showing M-Files Installer spawning processes with SYSTEM privileges
- Sysmon Event ID 7 (Image loaded) showing DLLs being loaded from unusual locations
- Unexpected DLL files in M-Files installation directories
Network Indicators:
- No network indicators as this is a local privilege escalation
SIEM Query:
source="windows" (EventID=4688 OR EventID=7) AND process_name="*M-Files*" AND (user="SYSTEM" OR image_path="*\Temp\*" OR image_path="*\Users\*")