CVE-2023-6080
📋 TL;DR
This vulnerability in Lakeside Software's SysTrack LsiAgent Installer allows local attackers to escalate privileges to SYSTEM on Windows systems. It affects organizations using SysTrack version 10.7.8 for endpoint monitoring and management. Attackers must already have local access to exploit this vulnerability.
💻 Affected Systems
- Lakeside Software SysTrack LsiAgent Installer
📦 What is this software?
SysTrack LsiAgent by Lakeside Software
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local attackers gaining administrative control over affected endpoints, enabling privilege escalation attacks and persistence mechanisms.
If Mitigated
Limited impact if proper access controls, least privilege principles, and endpoint protection are implemented.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is documented in Mandiant's disclosure with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.7.9 or later
Vendor Advisory: https://www.lakesidesoftware.com/
Restart Required: Yes
Instructions:
1. Download SysTrack LsiAgent Installer version 10.7.9 or later from the Lakeside Software portal.
2. Run the installer on affected systems.
3. Restart systems to complete the update.
🔧 Temporary Workarounds
Restrict local access
Windows: Limit local user access to systems running the vulnerable SysTrack version
Remove vulnerable version
Windows: Uninstall SysTrack LsiAgent Installer 10.7.8 if not required
Control Panel > Programs > Uninstall a program > Select SysTrack LsiAgent Installer 10.7.8 > Uninstall
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles for local users
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check installed programs for SysTrack LsiAgent Installer version 10.7.8 via Control Panel or PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*SysTrack*'} | Select Name, Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*SysTrack*'} | Select Name, Version
Verify Fix Applied:
Verify SysTrack LsiAgent Installer version is 10.7.9 or later using same PowerShell command
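An added example (not Lakeside's or Mandiant's code) of the same version check done against the machine-wide Uninstall registry keys instead of Win32_Product, because enumerating Win32_Product makes Windows Installer run a consistency check on every installed MSI package. The '*SysTrack*' name filter and the 10.7.9 threshold come from this page; the function name, output columns and status labels are assumptions made for the example.

```powershell
# Added example: compare installed SysTrack entries against the fixed version (10.7.9).
# Function name, column names and status labels are hypothetical.
$FixedVersion = [version]'10.7.9'

function Get-SysTrackPatchStatus {
    param([version]$Fixed = $FixedVersion)

    # 64-bit and 32-bit (WOW6432Node) views of the machine-wide uninstall entries.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SysTrack*' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion is free text; report Unknown rather than guess.
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            $status = if (-not $ok) { 'Unknown' } elseif ($parsed -lt $Fixed) { 'NeedsUpdate' } else { 'Fixed' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = $status
            }
        }
}

$results = @(Get-SysTrackPatchStatus)
if ($results.Count -eq 0) {
    Write-Output 'No SysTrack entry found in the machine-wide uninstall keys.'
} else {
    $results | Format-Table -AutoSize
}
```

Rows with Status Unknown need a manual look, since the recorded version string could not be parsed.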
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing privilege escalation attempts
- SysTrack service logs showing unusual activity
- Security logs with Event ID 4688 (process creation) showing SYSTEM privilege acquisition
Network Indicators:
- Unusual outbound connections from affected systems after exploitation
SIEM Query:
source="windows_security" EventID=4688 NewProcessName="*" IntegrityLevel="System" | search NewProcessName="*lsiservice*" OR ParentProcessName="*lsiservice*"