CVE-2023-28868
📋 TL;DR
This vulnerability in NCP Secure Enterprise Client's Support Assistant allows attackers to delete arbitrary files on the operating system by exploiting symbolic link creation. Attackers can leverage this to delete critical system files, potentially causing denial of service or system compromise. Users of NCP Secure Enterprise Client versions before 12.22 are affected.
💻 Affected Systems
- NCP Secure Enterprise Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical operating system files, leading to system instability, data loss, or privilege escalation.
Likely Case
Denial of service by deleting important configuration files or user data, potentially disrupting VPN connectivity and system functionality.
If Mitigated
Limited impact with proper file permissions and monitoring, though some system disruption may still occur.
🎯 Exploit Status
Exploitation requires local access to create symbolic links and trigger the Support Assistant functionality.
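The bug class behind this advisory, a privileged cleanup routine that follows a symbolic link planted by an unprivileged user and so deletes files outside its intended directory, is easy to reproduce and to harden against. The following Python example is added here for illustration and is not NCP's code: it builds a constructed directory layout under a temp dir, shows a naive cleanup following a planted directory symlink, and then a hardened version that opens each path component with O_NOFOLLOW and deletes relative to a directory descriptor (POSIX only; the `logs` sub-directory name and the whole layout are assumptions).

```python
import os
import stat
import tempfile

LOG_SUBDIR = "logs"  # assumed name of the directory the helper is allowed to clean


def unsafe_cleanup(workdir: str) -> list:
    """Vulnerable pattern (illustrative): trusts the path it is handed.
    os.path.join + os.remove resolve every directory component, so if
    'logs' has been replaced by a symlink, files in the link's *target*
    directory are deleted."""
    logs = os.path.join(workdir, LOG_SUBDIR)
    removed = []
    for name in os.listdir(logs):
        if name.endswith(".log"):
            os.remove(os.path.join(logs, name))
            removed.append(name)
    return removed


def _open_dir_nofollow(name: str, dir_fd=None) -> int:
    # O_NOFOLLOW makes open() fail with ELOOP if the final component is a symlink.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    return os.open(name, flags, dir_fd=dir_fd)


def safe_cleanup(workdir: str) -> list:
    """Hardened pattern: walk component by component with O_NOFOLLOW and
    delete relative to a directory fd, so a symlink planted at any level
    makes the operation fail instead of being followed. 'workdir' must be
    a trusted absolute path supplied by the program, never by the user."""
    removed = []
    root_fd = _open_dir_nofollow(workdir)
    try:
        try:
            logs_fd = _open_dir_nofollow(LOG_SUBDIR, dir_fd=root_fd)
        except OSError as exc:  # ELOOP if 'logs' is a symlink, ENOTDIR if it is a file
            raise PermissionError(f"refusing to follow {LOG_SUBDIR!r}: {exc}") from exc
        try:
            for name in os.listdir(logs_fd):
                if not name.endswith(".log"):
                    continue
                st = os.lstat(name, dir_fd=logs_fd)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinked files, devices and sub-directories
                os.remove(name, dir_fd=logs_fd)
                removed.append(name)
        finally:
            os.close(logs_fd)
    finally:
        os.close(root_fd)
    return removed


def demo() -> dict:
    """Constructed scenario under a temp dir (sample data, not NCP's real
    layout): 'victim' holds a file the helper must never touch, and
    'workdir/logs' has been replaced by a symlink pointing at 'victim'."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        os.mkdir(victim)
        victim_file = os.path.join(victim, "important.log")
        open(victim_file, "w").close()

        workdir = os.path.join(tmp, "workdir")
        os.mkdir(workdir)
        os.symlink(victim, os.path.join(workdir, LOG_SUBDIR))

        # Hardened version refuses before touching anything.
        try:
            safe_cleanup(workdir)
            result["safe_refused"] = False
        except PermissionError:
            result["safe_refused"] = True
        result["victim_intact_after_safe"] = os.path.exists(victim_file)

        # Naive version follows the link and deletes the victim's file.
        result["unsafe_removed"] = unsafe_cleanup(workdir)
        result["victim_intact_after_unsafe"] = os.path.exists(victim_file)

        # Legitimate layout: a real 'logs' directory with one regular file and
        # one symlinked file; the hardened version deletes only the regular one.
        legit = os.path.join(tmp, "legit")
        os.makedirs(os.path.join(legit, LOG_SUBDIR))
        open(os.path.join(legit, LOG_SUBDIR, "a.log"), "w").close()
        os.symlink(victim_file, os.path.join(legit, LOG_SUBDIR, "b.log"))
        result["safe_removed_legit"] = safe_cleanup(legit)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened version never re-resolves a string path: every open is relative to a descriptor it already holds, and the only way a planted link can influence it is to make a call fail. On Windows the equivalent mitigation is opening with reparse-point rejection rather than O_NOFOLLOW, which this POSIX example does not cover.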
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.22 or later
Vendor Advisory: https://herolab.usd.de/en/security-advisories/usd-2022-0002/
Restart Required: Yes
Instructions:
1. Download NCP Secure Enterprise Client version 12.22 or later from official vendor sources.
2. Uninstall the previous vulnerable version.
3. Install the updated version.
4. Restart the system to ensure all components are properly loaded.
🔧 Temporary Workarounds
Disable Support Assistant
Temporarily disable the vulnerable Support Assistant component until patching can be completed.
Check NCP client configuration for Support Assistant settings and disable if possible
Restrict Symbolic Link Creation
Implement OS-level restrictions on symbolic link creation for non-privileged users.
Windows: Configure symbolic link policy via Group Policy
Linux: Set appropriate permissions on directories and use SELinux/AppArmor
🧯 If You Can't Patch
- Implement strict access controls to limit who can run the NCP client and create symbolic links
- Monitor file deletion events and symbolic link creation in system logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the NCP Secure Enterprise Client version in the application settings or via the 'ncp --version' command. If the version is below 12.22, the system is vulnerable.
Check Version:
ncp --version (Linux/macOS) or check About in Windows application
Verify Fix Applied:
Verify that the installed version is 12.22 or higher, and test that Support Assistant functionality works without allowing arbitrary file deletion.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- Multiple symbolic link creation attempts
- Support Assistant process accessing unusual file paths
Network Indicators:
- Unusual Support Assistant network activity if configured for remote access
SIEM Query:
EventID:4663 (Windows file deletion) OR syslog entries with 'delete' and NCP process names
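The log indicators and SIEM query above can be turned into a small triage script. The Python example below is added here and is not part of the advisory: it scans constructed, simplified key=value log lines (not real Windows or auditd output; the field names, the NCP process path, the expected writable scope and the burst threshold are all assumptions) and raises two alerts, an NCP-named process recording a DELETE access on an object outside its expected directories, and a burst of symlink/symlinkat syscalls by one uid.

```python
import re
from collections import Counter

# Assumptions (not from the advisory): NCP component process paths contain
# "ncp", and their legitimate writable scope is limited to these prefixes.
NCP_PROCESS_HINT = "ncp"
NCP_EXPECTED_SCOPE = (
    "c:/program files/ncp/",
    "c:/programdata/ncp/",
    "/opt/ncp/",
    "/var/log/ncp/",
)
SYMLINK_BURST_THRESHOLD = 5  # assumed tuning value

# key=value tokens; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse one simplified log line into a dict of fields."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def normalize(path: str) -> str:
    """Lower-case and use forward slashes so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def in_scope(path: str) -> bool:
    n = normalize(path)
    return any(n.startswith(prefix) for prefix in NCP_EXPECTED_SCOPE)


def analyze(lines) -> list:
    """Return (alert_name, detail) tuples for the indicators named on the page."""
    alerts = []
    symlinks_by_uid = Counter()
    for line in lines:
        rec = parse_kv(line)
        # Windows: event 4663 (object access) whose Accesses field includes DELETE,
        # requested by an NCP process against a path outside its expected scope.
        if rec.get("EventID") == "4663":
            proc = rec.get("Process", "").lower()
            accesses = rec.get("Accesses", "").lower()
            obj = rec.get("Object", "")
            if "delete" in accesses and NCP_PROCESS_HINT in proc and not in_scope(obj):
                alerts.append(("ncp_delete_outside_scope", obj))
        # Linux: audit SYSCALL records for symlink/symlinkat, counted per uid;
        # alert once when one uid reaches the burst threshold.
        elif rec.get("type") == "SYSCALL" and rec.get("syscall") in ("symlink", "symlinkat"):
            uid = rec.get("uid", "?")
            symlinks_by_uid[uid] += 1
            if symlinks_by_uid[uid] == SYMLINK_BURST_THRESHOLD:
                alerts.append(("symlink_burst", f"uid={uid}"))
    return alerts


# Constructed sample lines (not captured from a real system).
SAMPLE_LOGS = [
    # benign: NCP process deleting inside its own ProgramData directory
    r'EventID=4663 Process="C:\Program Files\NCP\SupportAssistant.exe" Accesses=DELETE Object="C:\ProgramData\NCP\support\bundle.tmp"',
    # suspicious: NCP process deleting a system file outside its scope
    r'EventID=4663 Process="C:\Program Files\NCP\SupportAssistant.exe" Accesses=DELETE Object="C:\Windows\System32\drivers\etc\hosts"',
    # unrelated process, ignored
    r'EventID=4663 Process="C:\Windows\explorer.exe" Accesses=DELETE Object="C:\Users\alice\old.txt"',
    # one root symlink, below threshold
    'type=SYSCALL syscall=symlink success=yes uid=0 comm="ln" exe="/usr/bin/ln"',
] + [
    'type=SYSCALL syscall=symlink success=yes uid=1001 comm="ln" exe="/usr/bin/ln"'
] * SYMLINK_BURST_THRESHOLD


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_LOGS):
        print(f"ALERT {name}: {detail}")
```

In a real deployment the scope prefixes would come from the actual install and profile directories, and the symlink count would be windowed by time rather than over the whole input; both are left as constants here to keep the logic readable.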