CVE-2023-28795

7.8 HIGH

📋 TL;DR

This CVE describes an origin validation error in Zscaler Client Connector for Linux that allows attackers to inject code into existing processes. The vulnerability affects Linux systems running Zscaler Client Connector versions before 1.3.1.6, potentially enabling privilege escalation or arbitrary code execution.

💻 Affected Systems

Products:
  • Zscaler Client Connector
Versions: All versions before 1.3.1.6
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux versions of Zscaler Client Connector. Windows and macOS versions are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through privilege escalation leading to complete control of the affected Linux system, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation allowing attackers to gain root access on compromised Linux workstations, potentially leading to credential theft and further network penetration.

🟢

If Mitigated

Limited impact with proper network segmentation and endpoint protection, potentially only affecting isolated systems without critical data.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts could exploit this to escalate privileges on Linux workstations running vulnerable Zscaler Client Connector.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to the system. No public exploit code has been identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1.6

Vendor Advisory: https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.3.1&deployment_date=2022-09-19

Restart Required: Yes

Instructions:

1. Download Zscaler Client Connector version 1.3.1.6 or later from the Zscaler portal.
2. Stop the Zscaler service.
3. Install the updated package using your distribution's package manager.
4. Restart the system or the Zscaler service.

🔧 Temporary Workarounds

Remove vulnerable software

linux

Uninstall Zscaler Client Connector if not required, though this may impact VPN connectivity.

sudo apt remove zscaler-client-connector
sudo yum remove zscaler-client-connector
sudo zypper remove zscaler-client-connector

🧯 If You Can't Patch

  • Implement strict access controls and limit local user privileges on affected systems
  • Monitor for suspicious process injection activities using endpoint detection and response (EDR) tools

🔍 How to Verify

Check if Vulnerable:

Check the installed Zscaler Client Connector version with the package manager or the client's own version command; any version before 1.3.1.6 is affected.

Check Version:

Run the client's version command:

zscaler-client-connector --version

or query the package manager:

dpkg -l | grep zscaler-client-connector

Verify Fix Applied:

Confirm that the installed version is 1.3.1.6 or higher and that the Zscaler service is running normally.
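The version check above can be scripted so it is repeatable across a fleet. The following is an added example, not code from this advisory or from Zscaler. It assumes the package name zscaler-client-connector used on this page and that the version string is a sequence of dot-separated numeric fields, optionally followed by a distribution revision suffix such as "-1" (an assumption; the suffix is discarded before comparing). The numeric comparison is done field by field in plain POSIX sh so it does not depend on sort -V being available.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# Zscaler Client Connector is older than the fixed version 1.3.1.6.
FIXED_VERSION="1.3.1.6"   # fix version stated in the advisory

# version_lt A B -> exit 0 (true) if A is lower than B, comparing
# dot-separated numeric fields; a missing trailing field counts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Consume the field just read (or empty the string on the last field).
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        # Keep digits only so a stray letter cannot break the numeric test.
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); ai="${ai:-0}"
        bi=$(printf '%s' "$bi" | tr -cd '0-9'); bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # all fields equal: not lower
}

# zscc_is_vulnerable VERSION -> exit 0 if VERSION is before 1.3.1.6.
zscc_is_vulnerable() {
    v="$1"
    v="${v%%-*}"   # assumed: drop a distro revision suffix like "-1"
    version_lt "$v" "$FIXED_VERSION"
}

# zscc_installed_version -> prints the installed package version, or
# nothing if the package is absent. Uses dpkg-query (Debian/Ubuntu) or
# rpm (RHEL/SUSE) rather than grepping "dpkg -l", so only an exact
# package name matches.
zscc_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' zscaler-client-connector 2>/dev/null || :
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' zscaler-client-connector 2>/dev/null || :
    fi
}

# zscc_check -> prints VULNERABLE, PATCHED or NOT_INSTALLED.
zscc_check() {
    ver=$(zscc_installed_version)
    if [ -z "$ver" ]; then
        echo "NOT_INSTALLED"
    elif zscc_is_vulnerable "$ver"; then
        echo "VULNERABLE ($ver < $FIXED_VERSION)"
    else
        echo "PATCHED ($ver)"
    fi
}

zscc_check
```

Because the script only reads package metadata, it can run unprivileged from a configuration-management or EDR script job; a VULNERABLE result on a host is the trigger to schedule the 1.3.1.6 update described under Official Fix.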

📡 Detection & Monitoring

Log Indicators:

  • Unusual process injection events in system logs
  • Zscaler service crashes or unexpected restarts
  • Privilege escalation attempts in audit logs

Network Indicators:

  • Unexpected outbound connections from Zscaler processes
  • Anomalous VPN connection patterns

SIEM Query:

source="linux_audit" AND process_name="zscaler*" AND (event_type="EXECVE" OR event_type="PROCTITLE") AND user_change=true
