CVE-2023-37243

7.8 HIGH

📋 TL;DR

This vulnerability allows standard users to achieve privilege escalation to SYSTEM level through DLL hijacking. When the system reboots, a vulnerable executable in the Windows Temp folder runs with SYSTEM privileges, and users can place malicious DLLs in that folder due to inherited permissions. This affects Windows systems with the vulnerable component installed.

💻 Affected Systems

Products:
  • Agent.Package.Availability component
Versions: Unknown specific versions - appears to be a Windows component
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration where the C:\Windows\Temp folder inherits permissions allowing user write access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full SYSTEM privilege compromise leading to complete system takeover, persistence installation, credential theft, and lateral movement across the network.

🟠 Likely Case: Local privilege escalation from standard user to SYSTEM, enabling installation of malware, disabling security controls, and accessing protected system resources.

🟢 If Mitigated: Limited impact with proper access controls, monitoring, and least privilege principles in place.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local user access, not directly exploitable over the network.
🏢 Internal Only: HIGH - Standard users on affected systems can exploit this to gain SYSTEM privileges without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires standard user access and system reboot. The DLL hijacking technique is well-documented and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found in provided references

Restart Required: Yes

Instructions:

No official patch identified. Apply workarounds and monitor for vendor updates.

🔧 Temporary Workarounds

Restrict folder permissions (Windows cmd, run elevated)

Modify permissions on C:\Windows\Temp\Agent.Package.Availability so standard users can no longer write to it. Do it in a single icacls call: removing inheritance and granting the new ACEs in separate commands leaves an empty DACL between the two steps. The (OI)(CI) flags make the ACEs propagate to the files inside the folder, so the executable stays readable by SYSTEM. If the folder was created by a standard user it is owned by that user; take ownership first (icacls "C:\Windows\Temp\Agent.Package.Availability" /setowner Administrators), otherwise the owner can simply rewrite the DACL.

icacls "C:\Windows\Temp\Agent.Package.Availability" /inheritance:r /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"

Remove vulnerable executable (Windows cmd, run elevated)

Delete the vulnerable executable so it is not launched at the next reboot, or rename it instead if you want to keep a copy. These are alternatives: once the file is deleted there is nothing left to rename.

del "C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe"

or

ren "C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe" Agent.Package.Availability.exe.bak

🧯 If You Can't Patch

  • Implement strict least privilege principles - limit standard user access to sensitive systems
  • Enable auditing and monitoring for file creation/modification in C:\Windows\Temp\Agent.Package.Availability folder

🔍 How to Verify

Check if Vulnerable:

Check whether C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe exists and whether standard users (Users, Authenticated Users, Everyone) have write permissions on the folder:

icacls "C:\Windows\Temp\Agent.Package.Availability"

Check Version:

No specific version check command available for this component

Verify Fix Applied:

Confirm that no ACE on the folder grants Users, Authenticated Users or Everyone write rights, and that the executable has been deleted or renamed.
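The two checks above (is the host exposed, has the workaround taken effect) combined into one script. This is an added example, not part of the advisory; it assumes the folder and executable paths the advisory names and is meant to be run from an elevated PowerShell session.

```powershell
# Added example, not part of the advisory: checks whether this host is exposed
# and whether the permission workaround has taken effect. Assumes the folder
# and executable paths named in the advisory; run from an elevated PowerShell.
$Folder = 'C:\Windows\Temp\Agent.Package.Availability'
$Exe    = Join-Path $Folder 'Agent.Package.Availability.exe'

# Principals every standard interactive user belongs to. An Allow ACE with
# write rights for any of these means a non-admin can drop a DLL next to the exe.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a caller create or replace files inside the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles `
    -bor [System.Security.AccessControl.FileSystemRights]::AppendData `
    -bor [System.Security.AccessControl.FileSystemRights]::Write `
    -bor [System.Security.AccessControl.FileSystemRights]::Modify `
    -bor [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AgentPackageAvailability {
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        return [pscustomobject]@{
            FolderExists = $false; ExeExists = $false; Owner = $null
            UserWritable = $false; WritableBy = @(); Vulnerable = $false
        }
    }

    $acl = Get-Acl -LiteralPath $Folder
    $writableBy = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights (GENERIC_WRITE and friends) appear as large numeric
        # values and are not covered by this mask; review such ACEs by hand.
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            $writableBy += '{0}: {1} (inherited={2})' -f $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
        }
    }

    # A folder owned by a standard user is also a problem: the owner can always
    # rewrite the DACL, so restricted permissions would not hold.
    $ownerIsAdmin = $acl.Owner -in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

    $exeExists = Test-Path -LiteralPath $Exe -PathType Leaf
    $userWritable = ($writableBy.Count -gt 0) -or (-not $ownerIsAdmin)
    [pscustomobject]@{
        FolderExists = $true
        ExeExists    = $exeExists
        Owner        = $acl.Owner
        UserWritable = $userWritable
        WritableBy   = $writableBy
        Vulnerable   = $exeExists -and $userWritable
    }
}

$result = Test-AgentPackageAvailability
$result | Format-List
if ($result.Vulnerable) {
    Write-Warning 'Executable present and folder writable by standard users: workaround not applied.'
} elseif (-not $result.FolderExists) {
    Write-Host 'Folder absent: component not installed on this host.'
} else {
    Write-Host 'Executable removed or folder no longer user-writable.'
}
```

The script reports Vulnerable only when both conditions hold: the executable is still in place and a low-privileged principal (or a non-admin owner) can write to the folder. After applying the icacls workaround, WritableBy should be empty and Owner should be Administrators.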

📡 Detection & Monitoring

Log Indicators:

  • File creation/modification events in C:\Windows\Temp\Agent.Package.Availability
  • Process execution of Agent.Package.Availability.exe with SYSTEM privileges
  • DLL loading from suspicious locations

Network Indicators:

  • No specific network indicators - local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName ENDSWITH '\Agent.Package.Availability.exe' AND (SubjectUserSid='S-1-5-18' OR MandatoryLabel='S-1-16-16384')

Pseudo-query; map the field names to your SIEM's schema. Event 4688 (process creation) carries the account SID (S-1-5-18 is LocalSystem) and the mandatory label (S-1-16-16384 is System integrity); event 4689 (process exit) carries neither and adds nothing to this detection. File writes into the folder surface as 4663 once a SACL is set on it.
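The log indicators above pulled straight from the Security log on a host, as an added example that is not part of the advisory. It assumes the advisory's folder and executable names and the standard Windows event schemas for 4688 and 4663; 4688 requires Audit Process Creation to be enabled, and 4663 requires Audit File System plus a SACL on the folder. Run it from an elevated prompt.

```powershell
# Added example, not part of the advisory: pulls the Security-log events that
# correspond to the advisory's log indicators for the last 7 days. Assumes the
# advisory's folder and executable names and the stock 4688/4663 event schemas.
$ExeName    = 'Agent.Package.Availability.exe'
$FolderPath = 'C:\Windows\Temp\Agent.Package.Availability'
$Since      = (Get-Date).AddDays(-7)

# Flatten an event's EventData section into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 4688: the executable being launched, and the token it ran under.
function Get-AgentPackageLaunches {
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $f = Get-EventFields $e
        if ($f['NewProcessName'] -notlike "*\$ExeName") { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Process    = $f['NewProcessName']
            RanAs      = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
            SubjectSid = $f['SubjectUserSid']     # S-1-5-18 is LocalSystem
            Label      = $f['MandatoryLabel']     # S-1-16-16384 is System integrity
            Parent     = $f['ParentProcessName']  # populated on Windows 10 / Server 2016 and later
        }
    }
}

# 4663: something being written into the folder, and by whom. AccessMask bits
# 0x2 (WriteData/AddFile) and 0x4 (AppendData/AddSubdirectory) are the writes
# of interest; a .dll object name from a non-admin account is the red flag.
function Get-AgentPackageFolderWrites {
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $f = Get-EventFields $e
        if ($f['ObjectName'] -notlike "$FolderPath\*") { continue }
        $mask = [int]$f['AccessMask']           # logged as a hex string such as 0x2
        if (($mask -band 0x6) -eq 0) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Object  = $f['ObjectName']
            By      = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
            Process = $f['ProcessName']
            IsDll   = $f['ObjectName'] -like '*.dll'
        }
    }
}

Get-AgentPackageLaunches     | Format-Table -AutoSize
Get-AgentPackageFolderWrites | Format-Table -AutoSize
```

A 4688 row whose SubjectSid is S-1-5-18 confirms the executable really runs as SYSTEM on this host; a 4663 row with IsDll true and a non-admin account in By is the precursor the SIEM query above cannot see on its own.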
