CVE-2023-5607
📋 TL;DR
This path traversal vulnerability in the TACC ePO extension allows authenticated administrators to upload malicious GTI reputation files that can execute arbitrary code on on-premises ePO servers. Attackers need administrative privileges to exploit this vulnerability. The vulnerability affects ePO servers prior to version 8.4.0.
💻 Affected Systems
- Trellix ePolicy Orchestrator (ePO) with TACC extension
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the ePO server, potentially leading to lateral movement across the network and data exfiltration.
Likely Case
Privileged administrator account compromise leading to unauthorized code execution on the ePO server, potentially affecting managed endpoints.
If Mitigated
Limited impact due to proper access controls and monitoring, with potential detection of unauthorized file upload attempts.
🎯 Exploit Status
Exploitation requires authenticated administrator access to the ePO interface. The vulnerability lies in the file upload validation logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.4.0
Vendor Advisory: https://kcm.trellix.com/corporate/index?page=content&id=SB10411
Restart Required: Yes
Instructions:
1. Download ePO 8.4.0 from the Trellix support portal.
2. Back up the current ePO configuration and database.
3. Run the installer to upgrade to version 8.4.0.
4. Restart the ePO server and verify functionality.
🔧 Temporary Workarounds
Restrict GTI File Upload Access
Temporarily restrict administrator access to the GTI reputation file upload functionality until patching can be completed.
Configure ePO role-based access control to remove GTI file upload permissions from administrator roles.
🧯 If You Can't Patch
- Implement strict monitoring of file upload activities in ePO logs and alert on any GTI reputation file uploads
- Enforce principle of least privilege by reviewing and reducing administrator accounts with file upload capabilities
🔍 How to Verify
Check if Vulnerable:
Check the ePO version in the web interface under Help > About ePolicy Orchestrator. If the version is below 8.4.0, the system is vulnerable.
Check Version:
In ePO web interface: Help > About ePolicy Orchestrator
Verify Fix Applied:
Verify that the version shows 8.4.0 or higher in the ePO interface and test that GTI reputation file uploads are properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual GTI reputation file uploads
- File upload attempts with suspicious filenames or paths
- Administrator account performing unexpected file operations
Network Indicators:
- Unusual outbound connections from ePO server following file uploads
- Suspicious file transfer patterns to/from ePO server
SIEM Query:
source="epo_logs" AND (event="file_upload" OR event="gti_import") AND (filename CONTAINS ".." OR filename CONTAINS "/" OR filename CONTAINS "\\")
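The SIEM query above expressed as runnable detection logic, added here as an example and not part of the original advisory. The key=value log layout and the sample lines are constructed, since the real ePO log format is not given; the check goes slightly beyond the query by percent-decoding the filename first, so encoded forms of the same separators are flagged as well.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a hypothetical key=value layout; the real
# ePO log format is not given in the advisory and is an assumption here.
SAMPLE_LOG = [
    "2023-10-02T09:14:03Z user=admin event=gti_import filename=reputation_oct.xml",
    "2023-10-02T09:15:11Z user=admin event=file_upload filename=../../conf/upload.xml",
    "2023-10-02T09:16:40Z user=jdoe event=login result=success",
    "2023-10-02T09:17:05Z user=admin event=gti_import filename=..%2F..%2Fconf%2Fupload.xml",
    r"2023-10-02T09:18:22Z user=admin event=file_upload filename=C:\temp\report.csv",
]

UPLOAD_EVENTS = {"file_upload", "gti_import"}   # event types the SIEM query watches
TRAVERSAL_RE = re.compile(r"\.\.|/|\\")          # the query's three indicators


def parse_line(line):
    # Split "key=value" tokens into a dict; the leading timestamp is dropped.
    fields = {}
    for token in line.split()[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_suspicious_filename(name):
    # Percent-decode until stable (at most three rounds) so encoded forms of
    # the same separators are caught, then apply the query's indicators.
    decoded = name
    for _ in range(3):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return bool(TRAVERSAL_RE.search(decoded))


def find_traversal_uploads(lines):
    # Return (user, event, filename) for each upload event with a suspicious name.
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("event") in UPLOAD_EVENTS and is_suspicious_filename(fields.get("filename", "")):
            hits.append((fields.get("user"), fields["event"], fields["filename"]))
    return hits


if __name__ == "__main__":
    for user, event, filename in find_traversal_uploads(SAMPLE_LOG):
        print(f"ALERT user={user} event={event} filename={filename}")
```

A plain upload filename should carry no directory separators at all, which is why a bare "/" or "\" is treated as an indicator rather than only "..".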