CVE-2023-0975
📋 TL;DR
A local privilege escalation vulnerability in Trellix Agent for Windows lets a local, low-privileged user replace one of the Agent's executables while an install or upgrade is in progress, before the installer runs it. The replaced binary then executes with the installer's SYSTEM-level privileges, so the attacker gets arbitrary code execution as SYSTEM. Only Windows systems running Trellix Agent version 5.7.8 or earlier are affected; version 5.7.9 fixes the issue.
💻 Affected Systems
- Trellix Agent for Windows
📦 What is this software?
Trellix Agent (formerly McAfee Agent) is the endpoint management agent that Trellix ePolicy Orchestrator (ePO) uses to deploy, update and manage Trellix products on managed endpoints. It runs as a Windows service with SYSTEM privileges, which is why an executable swapped into its install or upgrade path runs at system level.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM-level privileges, installs persistent malware, accesses sensitive data, and potentially moves laterally across the network.
Likely Case
A local authenticated user elevates from a standard account to SYSTEM, bypassing security controls and potentially disabling the security products the Agent manages.
If Mitigated
Limited impact with proper access controls, monitoring, and timely patching preventing successful exploitation.
🎯 Exploit Status
Requires a local, authenticated (low-privileged) account on the target host, and the exploit window only exists while an Agent install or upgrade is running (for example an ePO-pushed upgrade): the attacker has to replace the staged executable between the time the installer writes it and the time it is executed. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.9 or later
Vendor Advisory: https://kcm.trellix.com/corporate/index?page=content&id=SB10396
Restart Required: Yes
Instructions:
1. Download Trellix Agent version 5.7.9 or later from the Trellix support portal.
2. Deploy through the existing management console (ePO) or install manually.
3. Restart affected systems after installation.
🔧 Temporary Workarounds
Restrict local user permissions
Windows: Limit standard user permissions so that non-administrators cannot write to the directories the installer stages executables in; a file that a low-privileged user can overwrite is the precondition for this bug.
Monitor installation directories
Windows: Implement file integrity monitoring on the Trellix Agent installation directory and alert on executables that change hash outside a scheduled upgrade window.
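The file-integrity workaround above, as an added example in PowerShell (not from the Trellix advisory and not Trellix's own tooling): it baselines the SHA-256 of every executable under the Agent directory, reports added, removed or modified files on a re-check, and lists any directory ACL that grants write or delete rights to broad groups. The install path `$env:ProgramFiles\Trellix\Agent` (older installs use `McAfee\Agent`) and the baseline file location are assumptions; adjust `$AgentPath` for your deployment.

```powershell
# Added example (not Trellix code). Assumptions: default install path below,
# baseline stored under ProgramData. Run elevated so every subdirectory is readable.
$AgentPath    = Join-Path $env:ProgramFiles 'Trellix\Agent'            # assumption
$BaselineFile = Join-Path $env:ProgramData 'trellix-agent-baseline.json' # assumption

function Get-AgentFileHashes {
    # SHA-256 of every executable image under the agent directory
    Get-ChildItem -Path $AgentPath -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function New-AgentBaseline {
    # Take the baseline right after a verified install/upgrade, not during one
    Get-AgentFileHashes | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Output "Baseline written to $BaselineFile"
}

function Compare-AgentBaseline {
    # Emit one object per change relative to the stored baseline
    $known = @{}
    foreach ($b in @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) { $known[$b.Path] = $b.Hash }
    $current = @{}
    foreach ($c in Get-AgentFileHashes) { $current[$c.Path] = $c.Hash }

    foreach ($p in $known.Keys) {
        if (-not $current.ContainsKey($p))   { [pscustomobject]@{ Change = 'Removed';  Path = $p } }
        elseif ($current[$p] -ne $known[$p]) { [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }
    foreach ($p in $current.Keys) {
        if (-not $known.ContainsKey($p))     { [pscustomobject]@{ Change = 'Added';    Path = $p } }
    }
}

function Get-AgentWritableByUsers {
    # Directories where broad groups can create, write or delete files.
    # Modify and FullControl both include the Write bits, so one -band test covers them.
    $broad       = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
    $dirs = @(Get-Item -Path $AgentPath -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $AgentPath -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -Path $d.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -in $broad -and
                (([int]$ace.FileSystemRights) -band ([int]$writeRights)) -ne 0) {
                [pscustomobject]@{ Directory = $d.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Usage:
#   New-AgentBaseline            # once, after a verified install
#   Compare-AgentBaseline        # on a schedule; any output outside an upgrade window is an alert
#   Get-AgentWritableByUsers     # should return nothing on a properly secured install
```

A legitimate upgrade changes these hashes, so schedule the comparison against the ePO task calendar or re-baseline immediately after each approved upgrade; a modification at any other time is the signal this CVE leaves behind.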
🧯 If You Can't Patch
- Implement strict access controls to limit local user permissions on affected systems
- Deploy application whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check the installed Trellix Agent version in Control Panel > Programs and Features, in the ePO console's system properties, or from the Uninstall keys in the registry. Any version below 5.7.9 is vulnerable.
Check Version:
wmic product where "name like '%Trellix Agent%'" get name,version
Note: wmic is deprecated and the Win32_Product class it queries triggers an MSI consistency check (and possible repair) of every installed product, so it is slow and noisy on production hosts; prefer the registry Uninstall keys or the management console for fleet-wide checks.
Verify Fix Applied:
Verify the installed version is 5.7.9 or later using the same method as the vulnerability check, and confirm the host has been restarted since the upgrade.
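The version check as an added PowerShell example (not from the advisory): it reads the 64-bit and 32-bit Uninstall registry keys instead of Win32_Product, parses DisplayVersion as a [version] so that "5.7.10" sorts after "5.7.9" (a plain string compare would get that wrong), and reports vulnerable, patched or unknown. The DisplayName match on "Trellix Agent" or "McAfee Agent" is an assumption about how the product registers itself.

```powershell
# Added example (not Trellix code). Assumption: the agent registers in
# Add/Remove Programs with a DisplayName containing "Trellix Agent" or "McAfee Agent".
$FixedVersion = [version]'5.7.9'   # from the advisory: 5.7.9 or later is fixed

function Get-TrellixAgentVersion {
    # Both Uninstall hives, so a 32-bit agent on a 64-bit OS is found too
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Trellix Agent|McAfee Agent' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
            }
        }
}

function Test-TrellixAgentVulnerable {
    # $true = below the fixed version, $false = fixed, $null = version string not parseable
    param([string]$InstalledVersion, [version]$Fixed = $FixedVersion)
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) { return $null }
    return ($parsed -lt $Fixed)
}

$agents = @(Get-TrellixAgentVersion)
if ($agents.Count -eq 0) {
    Write-Output 'Trellix/McAfee Agent not found in the Uninstall registry keys.'
} else {
    foreach ($a in $agents) {
        $vuln = Test-TrellixAgentVulnerable -InstalledVersion $a.DisplayVersion
        if ($vuln -eq $true)      { $state = 'VULNERABLE (below 5.7.9)' }
        elseif ($vuln -eq $false) { $state = 'patched (5.7.9 or later)' }
        else                      { $state = 'unknown (could not parse version string)' }
        Write-Output ('{0} {1}: {2}' -f $a.DisplayName, $a.DisplayVersion, $state)
    }
}
```

Run it through your existing remote-execution channel (Invoke-Command, an ePO client task, or a configuration-management run) to get a fleet view; an "unknown" result means the version string needs a manual look rather than being safe.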
📡 Detection & Monitoring
Log Indicators:
- Executables in the Trellix Agent installation or staging directories modified or replaced outside a scheduled upgrade window (file-integrity monitoring, or Security event 4663 writes by a non-SYSTEM account if object auditing is enabled on those directories)
- Privilege escalation events: a standard user's session followed by a new process running as SYSTEM that did not originate from a service
- Process creation (Security event 4688) where a Trellix Agent or installer process running as SYSTEM spawns a child outside the Trellix program directories, or a SYSTEM process whose image lives in a user-writable temp path
Network Indicators:
- None specific to the exploit, which is entirely local; unusual outbound connections from a host running a vulnerable version are only a post-exploitation indicator
SIEM Query:
EventID=4688 AND SubjectUserSid='S-1-5-18' AND ParentProcessName LIKE '%\Trellix\Agent\%' AND NewProcessName NOT LIKE '%\Trellix\Agent\%'
(4688 needs "Audit Process Creation" enabled; enable command-line logging as well so the child's arguments are captured. Older installs may still use a McAfee\Agent path. Legitimate upgrades also spawn processes from temp directories, so allowlist the upgrade window or the vendor-signed installer rather than suppressing the rule.)
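The detection logic from the query above, run over constructed sample 4688 records, as an added PowerShell example (not from the advisory): it flags (a) a SYSTEM-level Agent process spawning a child outside the Agent directories and (b) any SYSTEM-level process whose image sits in a temp path. The Agent directory names, the sample process names and the sample SIDs are constructed for the example, not observed values; the `ConvertFrom-Event4688` helper is provided for live use against the Security log and pulls fields by name from the event XML rather than by positional index.

```powershell
# Added example (not Trellix code). Sample records below are constructed.
$AgentDirs = @('\Trellix\Agent\', '\McAfee\Agent\')   # assumption: default install paths
$SystemSid = 'S-1-5-18'                               # NT AUTHORITY\SYSTEM

function Test-InAgentDir {
    param([string]$ImagePath)
    foreach ($d in $AgentDirs) { if ($ImagePath -like "*$d*") { return $true } }
    return $false
}

function Test-AgentProcessEvent {
    # Returns a reason string for an alert, or $null for a benign record.
    # Expects properties named as in the 4688 event XML.
    param([Parameter(Mandatory)]$Event)
    $child  = [string]$Event.NewProcessName
    $parent = [string]$Event.ParentProcessName
    $asSystem = ($Event.SubjectUserSid -eq $SystemSid)

    # (a) Agent/installer running as SYSTEM launched something that is not part of the Agent
    if ($asSystem -and (Test-InAgentDir $parent) -and -not (Test-InAgentDir $child)) {
        return 'agent-parent-spawned-foreign-child'
    }
    # (b) SYSTEM-level process started from a temp location (staged/replaced binary)
    if ($asSystem -and $child -match '\\Temp\\') {
        return 'system-process-image-in-temp'
    }
    return $null
}

function ConvertFrom-Event4688 {
    # Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    #           ForEach-Object { Test-AgentProcessEvent (ConvertFrom-Event4688 $_) }
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $h = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# Constructed sample records (process names are placeholders, not real Agent binaries)
$samples = @(
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; ParentProcessName = 'C:\Program Files\Trellix\Agent\agentsvc.exe'; NewProcessName = 'C:\Program Files\Trellix\Agent\updater.exe' }   # benign: stays inside Agent dir
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; ParentProcessName = 'C:\Program Files\Trellix\Agent\agentsvc.exe'; NewProcessName = 'C:\Users\Public\payload.exe' }                 # alert (a)
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; ParentProcessName = 'C:\Windows\System32\services.exe';            NewProcessName = 'C:\Windows\Temp\staged.exe' }                  # alert (b)
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-21-1000-2000-3000-1001'; ParentProcessName = 'C:\Windows\explorer.exe'; NewProcessName = 'C:\Users\bob\AppData\Local\Temp\tool.exe' }  # user context: not this CVE
)

foreach ($s in $samples) {
    $reason = Test-AgentProcessEvent -Event $s
    if ($reason) {
        Write-Output ('ALERT [{0}]: {1} -> {2}' -f $reason, $s.ParentProcessName, $s.NewProcessName)
    }
}
```

Expect rule (b) to fire during every legitimate Agent upgrade, since the installer really does stage and run binaries from a temp directory as SYSTEM; the useful signal is a hit outside an approved upgrade window, or a child whose signature does not match the vendor's, so pair the alert with the ePO task schedule or a signature check before paging anyone.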