CVE-2023-47172
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in WithSecure security products. An authenticated local attacker could exploit this to gain elevated privileges on affected systems. The vulnerability impacts WithSecure Client Security, Server Security, Email and Server Security, and Elements Endpoint Protection.
💻 Affected Systems
- WithSecure Client Security
- WithSecure Server Security
- WithSecure Email and Server Security
- WithSecure Elements Endpoint Protection
📦 What is this software?
Client Security by Withsecure
Server Security by Withsecure
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could gain SYSTEM/root privileges, potentially compromising the entire endpoint and accessing sensitive data or installing persistent malware.
Likely Case
Malicious insider or compromised user account could elevate privileges to install additional malware, disable security controls, or access restricted system resources.
If Mitigated
With proper patch management and least privilege principles, impact is limited to isolated incidents that can be quickly contained and investigated.
🎯 Exploit Status
Local privilege escalation vulnerabilities typically have low exploitation complexity once the vulnerability details are understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.withsecure.com/en/support/security-advisories/cve-2023-47172
Restart Required: Yes
Instructions:
1. Review the WithSecure security advisory. 2. Update affected products to the latest patched version. 3. Restart systems to apply updates. 4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict local access
allLimit local user access to systems running affected WithSecure products
Implement least privilege
allEnsure users only have necessary privileges and cannot run arbitrary executables
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts
- Isolate affected systems and limit their access to critical network resources
🔍 How to Verify
Check if Vulnerable:
Check installed WithSecure product versions against affected versions listed in the advisoryCheck Version:
Check WithSecure product interface or documentation for version check command specific to each productVerify Fix Applied:
Verify product version is updated beyond affected versions and check for successful update completion📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events
- WithSecure service failures or restarts
- Unexpected process creation with elevated privileges
Network Indicators:
- Unusual outbound connections from systems running affected products
SIEM Query:
Search for process creation events where parent process is WithSecure-related and child process has elevated privileges