CVE-2023-28079
📋 TL;DR
CVE-2023-28079 is an insecure file and folder permissions vulnerability in Dell PowerPath for Windows. The PowerPath installation and data directories grant write access to low-privileged users, so a local non-admin user can modify files that PowerPath's SYSTEM-level components load or execute and thereby run arbitrary code as SYSTEM. This affects PowerPath for Windows versions 7.0, 7.1, and 7.2; any Windows host running one of these versions is at risk.
💻 Affected Systems
- Dell PowerPath for Windows
📦 What is this software?
Dell PowerPath (formerly EMC PowerPath) is host-based multipathing software: it manages the multiple I/O paths between a server and its storage arrays, load-balances across them, and fails over automatically when a path drops. On Windows it installs a kernel-mode driver, system-level services and a management CLI (powermt), so it runs with high privilege on every storage-attached host, typically database, file and virtualization servers.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.
Likely Case
Local privilege escalation leading to lateral movement within the network, data exfiltration, and installation of ransomware or other malicious payloads.
If Mitigated
Tightened directory ACLs remove the write access that makes the flaw exploitable, so the exposure shrinks to the attacker's original low-privileged foothold. The software still needs patching: a PowerPath repair or upgrade may restore the original permissions, and the workaround must be re-checked after any such change.
🎯 Exploit Status
Exploitation requires an existing local, low-privileged session (an interactive or Remote Desktop logon, or code already running as a standard user). From there it is straightforward: the weak permissions let the attacker write into directories whose contents PowerPath runs with SYSTEM privileges, so no memory corruption or race condition is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to PowerPath for Windows version 7.3 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000214248/dsa-2023-154-powerpath-windows-security-update-for-security-update-for-multiple-vulnerabilities
Restart Required: Yes
Instructions:
1. Download the PowerPath for Windows 7.3 (or later) installer from Dell Support.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict PowerPath folder permissions
Manually tighten the ACLs on the PowerPath installation and data directories so that only Administrators and SYSTEM can write to them. Note that the two commands below replace the existing ACL outright: /inheritance:r drops every inherited entry and /grant:r replaces the explicit ones, which also removes the read/execute access standard users normally have, so non-admin users will no longer be able to run PowerPath's command-line tools. Save the current ACLs with icacls /save before applying them, add /T if subfolders carry their own explicit entries, and re-check the permissions after any PowerPath repair or upgrade, which may reset them.
icacls "C:\Program Files\EMC\PowerPath" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\ProgramData\EMC\PowerPath" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
🧯 If You Can't Patch
- Limit who can obtain a local session on hosts running PowerPath (remove standard users from the local and Remote Desktop logon rights on storage-attached servers), since the flaw needs a low-privileged foothold on the box
- Enable object-access auditing on the PowerPath directories and alert on any write by an account other than SYSTEM or an administrator
- Isolate affected systems from critical network segments and apply application control (AppLocker or WDAC) so that only PowerPath's own signed binaries may execute from its directories
🔍 How to Verify
Check if Vulnerable:
Check the PowerPath version via Control Panel > Programs and Features, or run powermt version (PowerPath's own management CLI) from an elevated PowerShell or CMD prompt; any 7.0, 7.1 or 7.2 build is affected.
Check Version:
powermt version
Verify Fix Applied:
Confirm the installed version is 7.3 or later (Programs and Features, or powermt version), then run icacls on both PowerPath directories and confirm that no entry grants Everyone, Users, Authenticated Users or INTERACTIVE anything beyond read and execute (RX); an entry showing (W), (M) or (F) for one of those principals means neither the fix nor the workaround has taken effect.
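The following PowerShell script is an added example, not Dell's code and not part of the original advisory. It implements the vulnerability check described above (installed version plus a scan for write access held by low-privileged principals on the PowerPath directories) and, with -Remediate, applies the ACL workaround from the Temporary Workarounds section in a reversible form that keeps read/execute for standard users. It assumes the default paths named on this page and the 7.3 fix threshold stated above; the backup location, the principal list and the write-rights mask are my own choices.

```powershell
# Added example (not Dell's code). Run from an elevated PowerShell prompt.
# Checks the installed PowerPath version and the ACLs on its directories, and
# with -Remediate applies the page's workaround reversibly (ACLs are saved first).
param([switch]$Remediate)

# Default locations named on this page; adjust if PowerPath was installed elsewhere.
$PowerPathDirs = @('C:\Program Files\EMC\PowerPath', 'C:\ProgramData\EMC\PowerPath')
$FixedVersion  = [version]'7.3'                          # first fixed release per this page
$BackupDir     = "$env:ProgramData\PowerPathAclBackup"   # assumed backup location (my choice)

# Principals that must never be able to write where a SYSTEM component loads code from:
# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545')
# Any of these rights lets a caller plant, replace or rename a file, or loosen the ACL further.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

function Get-PowerPathVersion {
    # Read DisplayVersion from the Uninstall keys, so no PowerPath CLI is required.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*PowerPath*' } |
        ForEach-Object { if ($_.DisplayVersion -match '^\d+\.\d+') { [version]$Matches[0] } } |
        Sort-Object | Select-Object -Last 1
}

function Get-WeakAce {
    # Every Allow ACE, on $Root or any subdirectory, that gives a low-privileged
    # principal write-class rights. Inherited entries count too: they are what a
    # standard user actually gets.
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($LowPrivSids -notcontains $sid) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{ Root = $Root; Path = $dir.FullName; Sid = $sid
                               Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Repair-PowerPathAcl {
    # Save the tree's ACLs, stop inheriting from the parent, strip every grant the
    # weak principals hold anywhere in the tree, then give them read/execute back on
    # the root (inherited downward) so PowerPath's own tools still run for non-admins.
    # Revert with: icacls <parent of $Root> /restore <backup file>.
    param([string]$Root, [string[]]$Sids)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir (($Root -replace '[:\\ ]', '_') + '.acl')
    icacls $Root /save $backup /T /C | Out-Null
    icacls $Root /inheritance:d | Out-Null                      # keep current entries, as explicit ones
    foreach ($sid in $Sids) {
        icacls $Root /remove:g "*$sid" /T /C | Out-Null          # drop this principal's grants on every item
        icacls $Root /grant:r "*$($sid):(OI)(CI)RX" | Out-Null   # RX only, propagated by inheritance
    }
}

$installed = Get-PowerPathVersion
if (-not $installed) { Write-Warning 'PowerPath not found in the Uninstall registry keys.'; return }
$weak = @($PowerPathDirs | ForEach-Object { Get-WeakAce -Root $_ })

if ($installed -lt $FixedVersion) {
    Write-Warning "PowerPath $installed is affected; fixed in $FixedVersion or later."
} else {
    Write-Host "PowerPath $installed is at or above the fixed version."
}
if ($weak.Count -eq 0) { Write-Host 'No write access for low-privileged principals found.'; return }

$weak | Format-Table Path, Identity, Rights -AutoSize
if (-not $Remediate) { Write-Warning 'Weak ACEs present: patch, or rerun with -Remediate.'; return }
foreach ($group in ($weak | Group-Object Root)) {
    Repair-PowerPathAcl -Root $group.Name -Sids @($group.Group.Sid | Sort-Object -Unique)
    Write-Host "Hardened $($group.Name); ACL backup written to $BackupDir"
}
```

The script deliberately reports a patched host that still carries weak ACEs, and an affected version whose directories look clean: the first case is what a repair or upgrade can leave behind, the second is why the version check alone is not enough evidence of a fix. Remediation is done with icacls rather than Set-Acl because /save and /restore give a straightforward rollback.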
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) for an executable located in a PowerPath directory that is not part of the installed product, regardless of the account: after exploitation the planted payload runs as SYSTEM, so filtering on non-SYSTEM users alone misses it
- Windows Security Event ID 4663 (object access, requires a write-auditing SACL on the directories) or Sysmon Event ID 11 (file create) showing a file written into a PowerPath directory by any account other than SYSTEM or an administrator
- Event ID 4672 (special privileges assigned to new logon) for an account that is not expected to hold administrative rights
Network Indicators:
- Outbound connections to unfamiliar destinations from SYSTEM-level processes on hosts running PowerPath, especially processes whose image lives in a PowerPath directory
- SMB, WinRM or RDP sessions initiated from a PowerPath host toward other servers shortly after such a process creation (lateral movement)
SIEM Query:
source="Windows Security" (EventID=4688 AND NewProcessName LIKE "%\EMC\PowerPath\%") OR (EventID=4663 AND ObjectName LIKE "%\EMC\PowerPath\%" AND SubjectUserSid!="S-1-5-18" AND AccessMask IN ("0x2","0x4","0x6","0x10000","0x40000","0x80000")) OR (EventID=4672 AND SubjectUserSid NOT IN (<expected admin SIDs>))
Field names are those of the Windows event XML; map them to your collector's schema (Splunk's Windows add-on, for example, extracts New_Process_Name and Object_Name). The 4688 clause carries no subject filter on purpose, since the payload runs as SYSTEM; triage its hits against the file list of a clean install. The 4663 access-mask values are the write, append, delete, write-DAC and write-owner bits; a SIEM that parses the mask as an integer should test those bits rather than match exact values, because Windows reports combined masks.
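The following PowerShell is an added example, not from the original page, that turns the indicators above into runnable detection logic. It runs over constructed sample records so it works offline, maps real Security-log 4688/4663 events onto the same record shape for live use, and enables the write-auditing SACL that 4663 depends on. The record field names, the sample user SID and the single-entry executable baseline are my own assumptions; build the baseline from a clean install of your version.

```powershell
# Added example (not from the original page). Record shape used throughout:
#   Id   - 4688 (process creation), 4663 (object access) or 11 (Sysmon FileCreate)
#   Sid  - SID of the subject account;  User - DOMAIN\name of the subject
#   Path - new process name (4688) or target file (4663 / Sysmon 11)

$PowerPathDirs = @('C:\Program Files\EMC\PowerPath', 'C:\ProgramData\EMC\PowerPath')
$SystemSid     = 'S-1-5-18'
# Executables that legitimately live in the PowerPath directories. This one-entry
# list is an assumption for the demo; build yours from a clean install.
$KnownBinaries = @('powermt.exe')

function Test-UnderPowerPath([string]$Path) {
    foreach ($d in $PowerPathDirs) {
        if ($Path -and $Path.StartsWith($d + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-PowerPathSuspicious {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if (-not (Test-UnderPowerPath $e.Path)) { continue }
        switch ($e.Id) {
            4688 {
                # The payload runs as SYSTEM after exploitation, so do not filter on the
                # subject here; compare the image against the install baseline instead.
                $name = [System.IO.Path]::GetFileName($e.Path)
                if ($KnownBinaries -notcontains $name) {
                    [pscustomobject]@{ Event = $e; Reason = "Unknown executable started from PowerPath directory as $($e.User)" }
                }
            }
            { $_ -in 4663, 11 } {
                # Any write by a non-SYSTEM account is reported; admin activity is kept for triage.
                if ($e.Sid -ne $SystemSid) {
                    [pscustomobject]@{ Event = $e; Reason = "File written under PowerPath directory by $($e.User)" }
                }
            }
        }
    }
}

function ConvertFrom-SecurityEvent {
    # Map a Security-log 4688 or 4663 record from Get-WinEvent onto the record shape above.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $path = if ($Record.Id -eq 4688) { $data['NewProcessName'] } else { $data['ObjectName'] }
    [pscustomobject]@{
        Id   = $Record.Id
        Sid  = $data['SubjectUserSid']
        User = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Path = $path
    }
}

function Enable-PowerPathWriteAudit {
    # Put a write-auditing SACL on each directory so 4663 fires for every write.
    # Needs the File System audit subcategory enabled and an elevated prompt.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($d in $PowerPathDirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        $acl  = Get-Acl -LiteralPath $d -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, 'None', 'Success')
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $d -AclObject $acl
    }
}

# Constructed sample records (not real telemetry). The second models a standard user
# dropping a DLL into the data directory; the third models the SYSTEM-level execution
# of a planted binary that follows; the first and fourth are benign.
$UserSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$SampleEvents = @(
    [pscustomobject]@{ Id = 4688; Sid = $SystemSid; User = 'NT AUTHORITY\SYSTEM'; Path = 'C:\Program Files\EMC\PowerPath\powermt.exe' }
    [pscustomobject]@{ Id = 11;   Sid = $UserSid;   User = 'CORP\jdoe';           Path = 'C:\ProgramData\EMC\PowerPath\update.dll' }
    [pscustomobject]@{ Id = 4688; Sid = $SystemSid; User = 'NT AUTHORITY\SYSTEM'; Path = 'C:\ProgramData\EMC\PowerPath\update.exe' }
    [pscustomobject]@{ Id = 4688; Sid = $UserSid;   User = 'CORP\jdoe';           Path = 'C:\Windows\System32\notepad.exe' }
)
Find-PowerPathSuspicious -Events $SampleEvents |
    Format-Table Reason, @{ n = 'Path'; e = { $_.Event.Path } } -AutoSize

# Live use on a host (after Enable-PowerPathWriteAudit has been run once):
# Find-PowerPathSuspicious -Events @(
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4663 } -MaxEvents 5000 |
#         ForEach-Object { ConvertFrom-SecurityEvent $_ })
```

The two rules are intentionally asymmetric: writes are judged by who performed them, while process creations are judged by what ran, because the exploitation chain for this class of bug ends with SYSTEM executing the attacker's file. Sysmon Event ID 11 records carry the same target-file information as 4663 and can be fed in with a small mapper of the same shape if the Security-log SACL is not an option.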