CVE-2023-41099
📋 TL;DR
This vulnerability in the Atos Eviden CardOS API Windows installer allows local privilege escalation from a regular user account to SYSTEM-level access. It affects systems running CardOS API versions before 5.5.5.2811 on Windows platforms. Attackers with initial access to a low-privilege account can exploit this to gain complete system control.
💻 Affected Systems
- Atos Eviden CardOS API
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local attackers escalate privileges to install additional tools, maintain persistence, or access restricted system resources and data.
If Mitigated
Limited impact if proper access controls, least privilege principles, and application whitelisting are enforced.
🎯 Exploit Status
Requires local access with user privileges. The CWE-269 classification (Improper Privilege Management) suggests the exploit mechanism is likely straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.5.2811
Restart Required: Yes
Instructions:
1. Download CardOS API version 5.5.5.2811 or later from official vendor sources.
2. Run the installer with administrative privileges.
3. Follow the installation prompts.
4. Restart the system as required.
🔧 Temporary Workarounds
Restrict User Privileges
Windows: Implement least privilege principles to limit what regular users can execute or modify on systems.
Application Control Policies
Windows: Use Windows AppLocker or similar to restrict execution of unauthorized installers or scripts.
🧯 If You Can't Patch
- Monitor for suspicious privilege escalation attempts using Windows Event Logs (Event ID 4672, 4688).
- Segment networks to limit lateral movement from potentially compromised systems.
🔍 How to Verify
Check if Vulnerable:
Check the installed CardOS API version via Control Panel > Programs and Features, or with the PowerShell command below; any version earlier than 5.5.5.2811 is affected.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*CardOS*'} | Select-Object Name, Version
Verify Fix Applied:
Confirm version is 5.5.5.2811 or higher using the same method as above.
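The following script is an added example, not part of the advisory or the vendor's tooling. It performs the same version check by reading the Uninstall registry keys (both the native and WOW6432Node views) rather than querying Win32_Product, which enumerates every installed MSI product, runs a consistency check on each and can trigger repairs. It assumes, as the page's own filter does, that the product's display name contains "CardOS"; the fixed version 5.5.5.2811 is taken from the advisory.

```powershell
# Added example (not from the advisory or the vendor): compare the installed
# CardOS API version against the fixed version 5.5.5.2811 using the Uninstall
# registry keys instead of Win32_Product.
$FixedVersion = [version]'5.5.5.2811'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product's DisplayName contains "CardOS", as the page's own
# Win32_Product filter assumes.
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*CardOS*' -and $_.DisplayVersion }

if (-not $Installed) {
    Write-Output 'CardOS API not found in the Uninstall registry keys.'
    return
}

foreach ($Product in $Installed) {
    $Version = $null
    # DisplayVersion is a free-form string; fall back to a manual check if it
    # does not parse as a System.Version.
    if (-not [version]::TryParse($Product.DisplayVersion, [ref]$Version)) {
        Write-Output ("{0}: version string '{1}' could not be parsed, check manually" -f
            $Product.DisplayName, $Product.DisplayVersion)
        continue
    }
    $Status = if ($Version -lt $FixedVersion) { 'VULNERABLE (CVE-2023-41099)' } else { 'patched' }
    Write-Output ("{0} {1}: {2}" -f $Product.DisplayName, $Version, $Status)
}
```

Run it in an elevated or a standard PowerShell session; reading HKLM Uninstall keys does not require administrative rights. The [version] comparison handles the four-part version number correctly, which a plain string comparison would not.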
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4672 (Special privileges assigned), 4688 (Process creation) showing privilege escalation
- Unexpected CardOS installer processes running from user contexts
Network Indicators:
- Unusual outbound connections from systems after local privilege escalation
SIEM Query:
EventID=4672 OR EventID=4688 | where ProcessName contains 'cardos' OR CommandLine contains 'cardos'
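The query above is written in a generic SIEM pseudo-syntax. As an added example that is not part of the advisory, the script below runs the equivalent search directly against the local Security log with Get-WinEvent, matching Event ID 4688 process-creation events whose new process name or command line contains "cardos" (an assumed pattern, following the page's query) and reporting the account, parent process and token elevation type. It assumes "Audit Process Creation" is enabled; the CommandLine field is only populated when "Include command line in process creation events" is also enabled, otherwise only the process path can be matched.

```powershell
# Added example (not from the advisory): list Security log 4688 events that
# reference CardOS in the process path or command line.
param(
    [int]$Hours = 24,
    [string]$Pattern = 'cardos'   # assumption: installer/binary names contain this string
)

$Filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the event data fields by name from the event XML rather than by
    # position in Properties[], whose layout differs between Windows builds.
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }

    # -match is case-insensitive in PowerShell; CommandLine may be empty if
    # command-line auditing is not enabled.
    if ($Data.NewProcessName -notmatch $Pattern -and $Data.CommandLine -notmatch $Pattern) { return }

    [pscustomobject]@{
        Time          = $_.TimeCreated
        User          = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
        Process       = $Data.NewProcessName
        ParentProcess = $Data.ParentProcessName
        CommandLine   = $Data.CommandLine
        # %%1936 = default full token (UAC not applied), %%1937 = elevated,
        # %%1938 = limited (standard user token)
        Elevation     = $Data.TokenElevationType
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Reading the Security log requires administrative rights or membership in Event Log Readers. A CardOS installer process started from a standard user account (Elevation %%1938, or a SubjectUserName that is not an administrator) is the pattern the "Unexpected CardOS installer processes running from user contexts" indicator above describes; correlate such hits with nearby 4672 events for the same logon ID.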
🔗 References
- https://support.bull.com/ols/product/security/psirt/security-bulletins/cardos-api-local-privilege-escalation-psirt-358-tlp-clear-version-2-6-cve-2023-41099/view