CVE-2023-45160
📋 TL;DR
This vulnerability allows ordinary users to replace downloaded instruction resource files with malicious scripts in the 1E Client. Attackers could execute arbitrary code by substituting legitimate script files with harmful ones at runtime. Affects 1E Client users on both Windows and macOS systems.
💻 Affected Systems
- 1E Client
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with user privileges, potentially leading to lateral movement, data theft, or ransomware deployment.
Likely Case
Local privilege escalation or execution of malicious scripts within the user's context, enabling data access, persistence mechanisms, or credential harvesting.
If Mitigated
Limited impact due to proper access controls and monitoring, with only user-level access achievable and quick detection of anomalous file modifications.
🎯 Exploit Status
Requires local user access but involves simple file replacement techniques. No authentication bypass needed beyond standard user privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Windows: patch Q23094; macOS: v23.11 or Non-Windows release v8.1.2.62
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/1e-2023-2002/
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the 1E Support site.
2. Apply patch Q23094 for Windows systems.
3. For macOS, upgrade to v23.11 or download updated Non-Windows release v8.1.2.62.
4. Restart affected systems.
5. Verify the temporary directory lockdown is in place.
🔧 Temporary Workarounds
Restrict temporary directory permissions
Manually lock down the 1E Client's temporary directory to prevent unauthorized file modifications
# Windows: icacls "C:\ProgramData\1E\Temporary" /deny Users:(OI)(CI)(W,R,X)
# macOS: chmod 750 /path/to/1e/temporary/directory
🧯 If You Can't Patch
- Implement strict file integrity monitoring on the 1E Client temporary directory to detect unauthorized modifications.
- Apply principle of least privilege by restricting user write access to the temporary directory through group policies or configuration management.
🔍 How to Verify
Check if Vulnerable:
Check if the 1E Client temporary directory allows user write access and if files can be replaced during instruction execution.
Check Version:
# Windows: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*1E*'} | Select-Object Name, Version
# macOS: /usr/local/bin/1e-client --version or check installed package version
Verify Fix Applied:
Verify that the temporary directory is properly locked down and test that user-level file replacement attempts are blocked.
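A POSIX-side check for the verification step above, as an added example that is not the page's or 1E's own code: it walks a directory supplied by the operator and reports entries whose owner or mode would let an ordinary user replace files, using the workaround's 750 as the baseline. The function name, the trusted-UID default of root, and the choice to flag symlinks are assumptions of this example.

```python
import os
import stat
import sys

# Baseline from the workaround (chmod 750): the top directory may not grant
# group write or any access to "other"; entries below it may not be writable
# by group or other.
ROOT_DISALLOWED = stat.S_IWGRP | stat.S_IRWXO
CHILD_DISALLOWED = stat.S_IWGRP | stat.S_IWOTH


def audit_lockdown(root, trusted_uids=(0,)):
    """Return (path, reason) findings for entries an ordinary user could replace."""
    findings = []

    def check(path, disallowed):
        st = os.lstat(path)  # lstat inspects a link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside locked-down directory"))
            return
        if st.st_uid not in trusted_uids:
            findings.append((path, "owner uid %d is not trusted" % st.st_uid))
        mode = stat.S_IMODE(st.st_mode)
        if mode & disallowed:
            findings.append((path, "mode %o grants disallowed bits %o"
                             % (mode, mode & disallowed)))

    check(root, ROOT_DISALLOWED)
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name), CHILD_DISALLOWED)
    return findings


if __name__ == "__main__":
    # The directory is an operator-supplied argument; the page gives no macOS path.
    if len(sys.argv) != 2:
        sys.exit("usage: audit_lockdown.py <temporary-directory>")
    results = audit_lockdown(sys.argv[1])
    for path, reason in results:
        print("%s: %s" % (path, reason))
    sys.exit(1 if results else 0)
```

An empty result means the directory tree matches the 750 baseline; a non-zero exit status makes the script usable from configuration-management compliance checks.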
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in 1E temporary directories
- Unexpected script executions from 1E Client locations
- Access denied errors for legitimate 1E processes
Network Indicators:
- Unusual outbound connections from 1E Client processes
- Downloads to 1E temporary directories from untrusted sources
SIEM Query:
source="*1e*" AND (event_type="file_modification" OR event_type="process_execution") AND (file_path="*temporary*" OR process_path="*1e*")