CVE-2023-51772
📋 TL;DR
This vulnerability allows attackers to escape the kiosk mode in One Identity Password Manager and gain SYSTEM-level command execution on Windows clients. It affects organizations using this software for password resets on Windows login screens. Attackers can achieve full system compromise through a specific sequence of actions after session timeout.
💻 Affected Systems
- One Identity Password Manager
📦 What is this software?
Password Manager by One Identity
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing installation of malware, credential theft, lateral movement, and complete control of affected Windows systems.
Likely Case
Local privilege escalation to SYSTEM, enabling attackers to bypass security controls, access sensitive data, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper network segmentation, endpoint protection, and least-privilege principles are implemented, though a local compromise is still possible.
🎯 Exploit Status
Exploitation requires physical or remote access to the login screen, specific timing (after the session timeout), and user interaction (clicking the Help icon).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.13.1
Vendor Advisory: https://www.oneidentity.com/products/password-manager/
Restart Required: Yes
Instructions:
1. Download One Identity Password Manager version 5.13.1 or later.
2. Install the update on all affected systems.
3. Restart systems to apply changes.
🔧 Temporary Workarounds
Disable Password Reset Feature
Windows: Temporarily disable the password reset functionality on Windows login screens
Reduce Session Timeout
Windows: Configure shorter session timeouts to reduce the exploit window
🧯 If You Can't Patch
- Implement strict physical security controls to prevent unauthorized access to login screens
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious cmd.exe execution from browser processes
🔍 How to Verify
Check if Vulnerable:
Check the Password Manager version in the application settings or control panel. If the version is below 5.13.1, the system is vulnerable.
Check Version:
Check application properties or use: wmic product where name='One Identity Password Manager' get version
Verify Fix Applied:
Confirm version is 5.13.1 or higher in application settings. Test password reset functionality to ensure it works without allowing kiosk escape.
📡 Detection & Monitoring
Log Indicators:
- Unusual cmd.exe launches from browser processes
- Multiple failed password reset attempts followed by successful reset
- Process creation events showing cmd.exe spawned from Chromium-based browser
Network Indicators:
- Unexpected outbound connections from systems during login screen sessions
- File upload attempts to external websites from kiosk browser
SIEM Query:
Process Creation: Image='cmd.exe' AND (ParentImage contains 'chrome' OR ParentImage contains 'chromium') AND CommandLine contains 'system'
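The process-tree indicator above (cmd.exe spawned from a Chromium-based browser) as a small detection run over constructed process-creation events. This is an added example, not code from the vendor, SEC Consult, or this advisory; the events are made up and shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine), and the CommandLine clause of the SIEM query is left out because the list of log indicators does not depend on it. The example also shows why the OR between the two ParentImage tests must be parenthesized: without the parentheses, most query languages bind AND tighter than OR and the rule degenerates into "anything whose parent is chromium".

```python
"""Flag cmd.exe launched by a Chromium-based browser process.

Added example for the detection section of the CVE-2023-51772 write-up.
Events below are constructed test data, not real telemetry.
"""
import ntpath

# Constructed sample events. Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # normal: shell from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # browser child, but not cmd.exe
     "ParentImage": r"C:\Program Files\Chromium\chromium.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Chromium\chromium.exe",
     "CommandLine": "cmd.exe"},
]

# Substrings that identify Chromium-based browser parents, as in the query above.
# Extend this tuple for other Chromium-based browsers deployed in your estate.
BROWSER_MARKERS = ("chrome", "chromium")


def _basename(path):
    """Case-insensitive file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def is_browser_parent(parent_image):
    name = _basename(parent_image)
    return any(marker in name for marker in BROWSER_MARKERS)


def is_cmd_child(image):
    return _basename(image) == "cmd.exe"


def match_correct(event):
    """Intended rule: Image is cmd.exe AND (parent is chrome OR parent is chromium)."""
    return is_cmd_child(event["Image"]) and is_browser_parent(event["ParentImage"])


def match_unparenthesized(event):
    """How the rule reads without parentheses: (cmd.exe AND chrome) OR chromium."""
    name = _basename(event["ParentImage"])
    return (is_cmd_child(event["Image"]) and "chrome" in name) or "chromium" in name


def detect(events, rule=match_correct):
    """Return the events the given rule flags."""
    return [e for e in events if rule(e)]


def precedence_false_positives(events):
    """Events flagged only because of the missing parentheses."""
    return [e for e in events if match_unparenthesized(e) and not match_correct(e)]


if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print("ALERT cmd.exe from browser:", e["ParentImage"])
    for e in precedence_false_positives(SAMPLE_EVENTS):
        print("False positive from bad precedence:", e["Image"])
```

Matching on the file name rather than the full path keeps the rule stable across install locations; if your telemetry records only a process name in ParentImage, the same functions still apply.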
🔗 References
- https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-escalation-one-identity-password-manager-secure-password-extension/
- https://www.oneidentity.com/products/password-manager/