CVE-2023-32162

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers with low-privileged access to escalate to SYSTEM privileges by exploiting incorrect file permissions on WacomInstallI.txt. It affects Windows systems with vulnerable Wacom driver installations. Attackers must already have code execution on the target system to exploit this flaw.

💻 Affected Systems

Products:
  • Wacom Drivers for Windows
Versions: Specific vulnerable versions not specified in CVE description, but likely multiple versions prior to patched release
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Wacom driver installation with vulnerable PrefUtil.exe utility. Systems without Wacom drivers are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM-level code execution, allowing attackers to install malware, steal credentials, disable security controls, and maintain persistent access.

🟠 Likely Case

Local privilege escalation from standard user to SYSTEM, enabling installation of additional malware, credential dumping, and lateral movement within the network.

🟢 If Mitigated

Limited impact if proper endpoint protection, least privilege principles, and application control are implemented to prevent unauthorized code execution.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring existing local access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system (via phishing, malware, etc.), they can exploit this to gain full system control and move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local code execution first, then leveraging file permission issues. The vulnerability is well-documented and relatively simple to exploit once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in CVE, but Wacom has released updated drivers

Vendor Advisory: https://www.wacom.com/en-us/support/product-support/drivers

Restart Required: Yes

Instructions:

1. Visit Wacom driver download page.
2. Download latest driver version.
3. Uninstall current Wacom driver.
4. Install updated driver.
5. Restart system.

🔧 Temporary Workarounds

Remove vulnerable file permissions

Modify permissions on WacomInstallI.txt to prevent unauthorized write access

icacls "C:\Program Files\Wacom\WacomInstallI.txt" /inheritance:r
icacls "C:\Program Files\Wacom\WacomInstallI.txt" /grant SYSTEM:F
icacls "C:\Program Files\Wacom\WacomInstallI.txt" /grant Administrators:F

Remove Wacom drivers if not needed

Uninstall Wacom drivers from systems where they are not required

appwiz.cpl
Select Wacom Tablet Software and click Uninstall

🧯 If You Can't Patch

  • Implement application control to prevent execution of PrefUtil.exe by non-administrative users
  • Use endpoint detection and response (EDR) to monitor for privilege escalation attempts and file permission changes

🔍 How to Verify

Check if Vulnerable:

Check if Wacom drivers are installed and examine permissions on WacomInstallI.txt file: icacls "C:\Program Files\Wacom\WacomInstallI.txt"

Check Version:

wmic product where "name like '%Wacom%'" get version

Verify Fix Applied:

Confirm that the updated driver version is installed and that the file permissions are restricted: the driver version should be the latest, and the ACL on WacomInstallI.txt should not grant write access to non-administrative users.
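
The permission check above can be scripted so the result does not depend on reading icacls output by eye. The following PowerShell is an added example, not vendor or CVE-record code; the default path is the one used in the icacls commands on this page, and the list of trusted SIDs is an assumption of the example.

```powershell
# Added example: list ACEs that let non-administrative principals modify the file.
# Default path is the one used in the icacls commands on this page (assumed install location).
param(
    [string]$Path = 'C:\Program Files\Wacom\WacomInstallI.txt'
)

# Rights that allow changing the file's content, deleting it, or rewriting its ACL.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Also catch unmapped GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

# Principals treated as trusted (a choice made for this example).
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path (driver not installed, or installed elsewhere)"
    return
}

$acl = Get-Acl -LiteralPath $Path
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }             # deny ACEs only restrict
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $ace.IdentityReference.Value                          # unresolvable account, report as-is
    }
    if ($trustedSids -contains $sid) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Sid       = $sid
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Output "Write-capable ACEs for non-administrative principals on ${Path}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write-capable ACE for non-administrative principals on $Path"
}
```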

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4688 for PrefUtil.exe execution with unusual parameters
  • File permission changes on WacomInstallI.txt
  • Process creation from low-privileged user to SYSTEM context

Network Indicators:

  • No direct network indicators as this is local exploitation

SIEM Query:

EventID=4688 AND (ProcessName="PrefUtil.exe" OR CommandLine LIKE "%WacomInstallI.txt%")
