CVE-2024-23457
📋 TL;DR
This vulnerability allows attackers to disable the anti-tampering protection in Zscaler Client Connector when an uninstall password is configured. This affects Windows systems running Zscaler Client Connector versions before 4.2.0.209. The vulnerability could enable unauthorized removal or modification of the security client.
💻 Affected Systems
- Zscaler Client Connector
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could disable the Zscaler Client Connector entirely, bypassing enterprise security controls and network protections, potentially enabling unrestricted internet access or lateral movement.
Likely Case
Malicious users or malware with local access could disable the security client to evade detection or bypass network restrictions, compromising endpoint security posture.
If Mitigated
With proper access controls and monitoring, the impact is limited to users who already have administrative privileges on affected systems.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of specific conditions to trigger the vulnerability. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0.209 and later
Vendor Advisory: https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023
Restart Required: Yes
Instructions:
1. Download Zscaler Client Connector version 4.2.0.209 or later from the Zscaler portal.
2. Deploy the update through your preferred deployment method (SCCM, Intune, manual installation).
3. Restart affected Windows systems to complete the update.
🔧 Temporary Workarounds
Remove uninstall password requirement
Windows: Temporarily disable the uninstall password enforcement until systems can be patched
Configure through Zscaler admin portal: Policies > Client Connector > Uninstall Password > Disable
🧯 If You Can't Patch
- Implement strict local administrative access controls to limit who can interact with Zscaler Client Connector
- Enable enhanced logging and monitoring for attempts to modify or uninstall security software
🔍 How to Verify
Check if Vulnerable:
Check the Zscaler Client Connector version in Windows Programs and Features, or via the command: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Zscaler*'} | Select-Object Name, Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Zscaler*'} | Select-Object Version
Verify Fix Applied:
Confirm the installed version is 4.2.0.209 or higher with the same command, and test that the anti-tampering protection cannot be disabled while the uninstall password is enforced
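The version check above works, but enumerating Win32_Product makes Windows Installer run a consistency check on every installed MSI package, which is slow and can trigger unexpected repairs. The following script is an added example, not part of the advisory or Zscaler's own tooling: it reads the same DisplayVersion from the Windows Installer uninstall registry keys instead and compares it numerically against 4.2.0.209. The display-name match '*Zscaler*' and the sample version strings are assumptions; the registry paths are the standard Windows locations.

```powershell
# Added example (not from the advisory): flag a Zscaler Client Connector install
# whose version is below the fixed release 4.2.0.209, without touching Win32_Product.

$FixedVersion = [version]'4.2.0.209'   # patch version named in the advisory

function Get-ZscalerClientConnectorVersion {
    # Both the native and the WOW6432Node uninstall hives, so 32- and 64-bit installs are covered.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zscaler*' -and $_.DisplayVersion } |   # '*Zscaler*' is an assumption
        Select-Object DisplayName, DisplayVersion
}

function Test-ZscalerVulnerableVersion {
    param(
        [Parameter(Mandatory)][string]$DisplayVersion,
        [version]$Fixed = $FixedVersion
    )
    # [version] compares component by component, so 4.10.0.1 correctly ranks above 4.2.0.209;
    # a plain string comparison would get that wrong.
    $installed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$installed)) {
        throw "Unparseable version string: $DisplayVersion"
    }
    return $installed -lt $Fixed
}

# Constructed sample values, to show the comparison behaviour offline.
foreach ($v in '4.1.0.62', '4.2.0.209', '4.10.0.1') {
    '{0,-10} vulnerable={1}' -f $v, (Test-ZscalerVulnerableVersion -DisplayVersion $v)
}

# Live check against the local machine's registry.
Get-ZscalerClientConnectorVersion | ForEach-Object {
    [pscustomobject]@{
        Product    = $_.DisplayName
        Installed  = $_.DisplayVersion
        Vulnerable = Test-ZscalerVulnerableVersion -DisplayVersion $_.DisplayVersion
    }
}
```

The constructed loop prints vulnerable=True only for 4.1.0.62; the live block lists every Zscaler entry found in the uninstall keys with its verdict, so it can be run by a configuration-management tool across a fleet.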
📡 Detection & Monitoring
Log Indicators:
- Event logs showing Zscaler Client Connector service stopping unexpectedly
- Logs indicating anti-tampering protection being disabled
- Failed uninstall attempts when password is required
Network Indicators:
- Sudden changes in network traffic patterns from endpoints
- Zscaler tunnel disconnections without authorized cause
SIEM Query:
(EventID=7036 AND ServiceName='ZscalerService' AND (State='stopped' OR State='paused'))
OR
(ProcessName='Zscaler*' AND (CommandLine CONTAINS 'uninstall' OR CommandLine CONTAINS 'disable'))
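For an endpoint without a SIEM, the same two conditions can be evaluated directly from the Windows event logs. The script below is an added example, not part of the advisory: it normalises Service Control Manager event 7036 (System log) and process-creation event 4688 (Security log, which requires "Audit Process Creation" and command-line auditing to be enabled) into one record shape, applies the advisory's filter, and runs it first over constructed sample records and then over the live logs. The '*Zscaler*' service-name pattern, the 24-hour window and the sample command lines are assumptions; the property indices follow the standard schema of those two events.

```powershell
# Added example (not from the advisory): flag Zscaler service stops and
# uninstall/disable command lines from the local event logs.

function ConvertFrom-ServiceStateEvent {
    # Event 7036 "The X service entered the Y state.": Properties[0] = service display name,
    # Properties[1] = state ('running', 'stopped', 'paused', ...).
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Source  = 'SCM'
            Service = [string]$Event.Properties[0].Value
            State   = ([string]$Event.Properties[1].Value).ToLowerInvariant()
            Detail  = $null
        }
    }
}

function ConvertFrom-ProcessCreationEvent {
    # Event 4688: Properties[5] = new process name, Properties[8] = command line.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Source  = 'Process'
            Service = $null
            State   = $null
            Detail  = '{0} {1}' -f $Event.Properties[5].Value, $Event.Properties[8].Value
        }
    }
}

function Select-ZscalerTamperIndicator {
    # The advisory's two clauses: a Zscaler service entering stopped/paused, or a
    # Zscaler-related process whose command line mentions uninstall or disable.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $serviceStop  = $Record.Source -eq 'SCM' -and
                        $Record.Service -like '*Zscaler*' -and        # pattern is an assumption
                        $Record.State -in 'stopped', 'paused'
        $uninstallCmd = $Record.Source -eq 'Process' -and
                        $Record.Detail -match 'zscaler' -and
                        $Record.Detail -match 'uninstall|disable'
        if ($serviceStop -or $uninstallCmd) { $Record }
    }
}

# Constructed sample records (not real log data) to exercise the filter offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2024-03-01 09:00'; Source = 'SCM'; Service = 'Zscaler Service'; State = 'running'; Detail = $null }
    [pscustomobject]@{ Time = Get-Date '2024-03-01 09:05'; Source = 'SCM'; Service = 'Zscaler Service'; State = 'stopped'; Detail = $null }
    [pscustomobject]@{ Time = Get-Date '2024-03-01 09:06'; Source = 'SCM'; Service = 'Windows Update';  State = 'stopped'; Detail = $null }
    [pscustomobject]@{ Time = Get-Date '2024-03-01 09:07'; Source = 'Process'; Service = $null; State = $null; Detail = 'C:\PLACEHOLDER\ZscalerSetup.exe /uninstall' }
    [pscustomobject]@{ Time = Get-Date '2024-03-01 09:08'; Source = 'Process'; Service = $null; State = $null; Detail = 'C:\PLACEHOLDER\notepad.exe notes.txt' }
)
Write-Host '--- sample records matching the advisory filter ---'
$sample | Select-ZscalerTamperIndicator | Format-Table Time, Source, Service, State, Detail -AutoSize

# Live collection over the last 24 hours (window is an assumption; Security log needs admin rights).
$since = (Get-Date).AddHours(-24)
$live = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue | ConvertFrom-ServiceStateEvent
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue | ConvertFrom-ProcessCreationEvent
)
Write-Host '--- live records matching the advisory filter ---'
$live | Select-ZscalerTamperIndicator | Format-Table Time, Source, Service, State, Detail -AutoSize
```

On the constructed sample only the 09:05 service stop and the 09:07 uninstall command line survive the filter. Because 7036 fires for every legitimate service restart (updates, reboots), correlate a hit with the absence of a matching "running" transition shortly afterwards, or with a change-management record, before treating it as tampering.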