CVE-2024-23464
📋 TL;DR
This vulnerability lets a user who already holds local administrator rights disable Zscaler Internet Access (ZIA) protection on a Windows endpoint from PowerShell. It affects Zscaler Client Connector for Windows before version 4.2.1; once ZIA is disabled, the device's internet traffic leaves without inspection, filtering or logging.
💻 Affected Systems
- Zscaler Client Connector for Windows, versions before 4.2.1
📦 What is this software?
Zscaler Client Connector (formerly Zscaler App) is the endpoint agent that forwards a device's web traffic to the Zscaler Internet Access (ZIA) cloud, where URL filtering, threat inspection and data-loss-prevention policy are applied. If the agent is disabled, the device talks to the internet directly and none of that policy is enforced.
⚠️ Risk & Real-World Impact
Worst Case
A malicious insider or an attacker holding a compromised admin account disables ZIA protection on one or many endpoints, removing the web filtering, threat inspection and DLP policy that ZIA enforces and opening the door to data exfiltration or malware downloads that would otherwise have been blocked or at least logged.
Likely Case
Accidental or intentional disabling of ZIA by authorized administrators, creating security gaps for specific systems or users.
If Mitigated
Limited impact due to proper privilege management, monitoring, and quick detection of unauthorized ZIA disablement.
🎯 Exploit Status
Exploitation requires local administrator rights on the Windows endpoint; the vector is PowerShell run with those rights. Because the actor is already an administrator, the practical concern is not privilege gain but silent loss of ZIA enforcement, so the controls that matter are limiting who holds local admin and detecting when the agent stops.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.1
Vendor Advisory: https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Windows&applicable_version=4.2.1
Restart Required: Yes
Instructions:
1. Download Zscaler Client Connector version 4.2.1 or later from the Zscaler portal.
2. Deploy it to all affected Windows systems.
3. Restart the systems after installation.
🔧 Temporary Workarounds
Restrict PowerShell Execution
Limit interactive PowerShell to the administrators who need it and turn on PowerShell logging. An execution policy is a convenience setting, not a security boundary: it governs only script files, does not affect commands typed at the prompt, and any administrator can override it (for example with powershell -ExecutionPolicy Bypass). The command below therefore deters only casual misuse; enabling script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) is what produces evidence of an attempt.
Set-ExecutionPolicy Restricted -Scope CurrentUser
Monitor ZIA Service Status
Implement monitoring to detect when the Zscaler Client Connector services are stopped or set to Disabled. The service names differ between Client Connector releases, so match on the display name instead of hard-coding a name, and confirm the list on a reference host:
Get-Service -DisplayName '*Zscaler*' | Select-Object Name, Status, StartType
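The script below is an added example (not part of the Zscaler advisory or the product) that turns the one-liner above into something a scheduled task can run: it enumerates every service whose display name contains "Zscaler", flags any that is stopped or set to Disabled, writes a Warning to the Application log, and optionally subscribes to WMI so a state change is caught within seconds rather than at the next poll. The display-name match and the event source name ZiaWatch are assumptions; the source must be registered once from an elevated prompt.

```powershell
# Added example: service-state check for Zscaler Client Connector on Windows.
# Assumptions: Zscaler services carry "Zscaler" in their display name (confirm
# with Get-Service -DisplayName '*Zscaler*' on a reference host); the Application
# log source 'ZiaWatch' is hypothetical and is created once, elevated, with:
#   New-EventLog -LogName Application -Source ZiaWatch

function Get-ZiaServiceState {
    # One record per Zscaler service. StartType needs Windows PowerShell 5.1 or later.
    Get-Service -DisplayName '*Zscaler*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Display   = $_.DisplayName
                Status    = $_.Status
                StartType = $_.StartType
            }
        }
}

function Test-ZiaProtection {
    # Healthy only when every Zscaler service is Running and none is Disabled.
    # An empty service list is itself a finding: the agent was removed or never installed.
    $services = @(Get-ZiaServiceState)
    if ($services.Count -eq 0) {
        return [pscustomobject]@{ Healthy = $false; Findings = @('No Zscaler services present') }
    }
    $findings = foreach ($s in $services) {
        if ($s.Status -ne 'Running')     { "$($s.Name) is $($s.Status)" }
        if ($s.StartType -eq 'Disabled') { "$($s.Name) start type is Disabled" }
    }
    [pscustomobject]@{ Healthy = (@($findings).Count -eq 0); Findings = @($findings) }
}

function Write-ZiaAlert {
    param([Parameter(Mandatory)][string[]]$Findings)
    $message = "ZIA protection degraded on ${env:COMPUTERNAME}:`n" + ($Findings -join "`n")
    if ([System.Diagnostics.EventLog]::SourceExists('ZiaWatch')) {
        Write-EventLog -LogName Application -Source ZiaWatch -EntryType Warning -EventId 1001 -Message $message
    } else {
        Write-Warning $message   # source not registered yet: still surface the finding
    }
}

function Register-ZiaServiceWatch {
    # Near-real-time path: WMI raises an event whenever a Zscaler service changes state.
    # Needs an elevated session that stays resident (e.g. a scheduled task that does not exit).
    $query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 " +
             "WHERE TargetInstance ISA 'Win32_Service' " +
             "AND TargetInstance.DisplayName LIKE '%Zscaler%' " +
             "AND TargetInstance.State <> PreviousInstance.State"
    Register-CimIndicationEvent -Query $query -SourceIdentifier ZiaServiceWatch -Action {
        $svc = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Warning "$($svc.Name) changed to $($svc.State) at $(Get-Date -Format o)"
    }
}

# Single poll, suitable for a scheduled task that runs every few minutes.
$result = Test-ZiaProtection
if (-not $result.Healthy) { Write-ZiaAlert -Findings $result.Findings }
```

Run the poll from SYSTEM via a scheduled task so that an administrator who disables the agent cannot simply close the watcher; the WMI subscription is optional and only worth keeping if the host already has a resident monitoring process.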
🧯 If You Can't Patch
- Implement strict privilege management to limit who has local admin rights on systems with Zscaler Client Connector.
- Deploy monitoring and alerting for PowerShell commands that could disable ZIA services.
🔍 How to Verify
Check if Vulnerable:
Any Windows endpoint running Zscaler Client Connector below 4.2.1 is vulnerable. Read the installed version from Windows Programs and Features or with the PowerShell command below. Note that querying Win32_Product is slow and makes Windows Installer re-validate (and sometimes repair) every installed package, so prefer the Uninstall registry keys for fleet-wide checks.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Zscaler*'} | Select-Object Name, Version
Verify Fix Applied:
Confirm the reported version is 4.2.1 or higher using the same command. Then, from an elevated PowerShell session on the patched host, confirm that the Zscaler services are still running afterwards and that a URL your ZIA policy blocks is still blocked, which shows the enforcement path is intact.
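The following check is an added example and not a Zscaler-provided tool. It reads the Client Connector version from the Uninstall registry keys (both 64-bit and WOW6432Node views) instead of Win32_Product, parses it as a System.Version so that 4.10.0 compares correctly against 4.2.1, and reports each install as vulnerable, fixed, or unparseable for manual review. The registry DisplayName matching "*Zscaler*" is an assumption to confirm on a reference host.

```powershell
# Added example: version check for CVE-2024-23464 via the Uninstall registry keys.
# Assumption: the Client Connector uninstall entry has "Zscaler" in DisplayName.

function Get-ZscalerClientConnectorVersion {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zscaler*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, PSChildName
}

function Test-CVE202423464 {
    param([version]$FixedVersion = [version]'4.2.1')
    $installs = @(Get-ZscalerClientConnectorVersion)
    if ($installs.Count -eq 0) {
        return [pscustomobject]@{ Installed = $false; Vulnerable = $false; Detail = 'Zscaler Client Connector not found' }
    }
    foreach ($i in $installs) {
        $parsed = $null
        # DisplayVersion is normally major.minor.build.revision. A string that does not
        # parse is reported for review rather than silently treated as patched.
        if (-not [version]::TryParse([string]$i.DisplayVersion, [ref]$parsed)) {
            [pscustomobject]@{
                Installed  = $true
                Vulnerable = $null
                Detail     = "$($i.DisplayName): unparseable version '$($i.DisplayVersion)'"
            }
            continue
        }
        [pscustomobject]@{
            Installed  = $true
            Vulnerable = ($parsed -lt $FixedVersion)   # numeric compare, not string compare
            Detail     = "$($i.DisplayName) $parsed (fixed in $FixedVersion)"
        }
    }
}

Test-CVE202423464 | Format-Table -AutoSize
```

Because the comparison is on System.Version rather than on text, a future 4.10.x release is correctly reported as fixed; a string comparison would rank it below 4.2.1.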
📡 Detection & Monitoring
Log Indicators:
- PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) or process creation auditing (Event ID 4688 with command line) showing Zscaler service manipulation, e.g. Stop-Service, Set-Service -StartupType Disabled, sc.exe config/stop, net stop
- System log events from the Service Control Manager: 7036 (a Zscaler service entered the stopped state) and 7040 (start type of a Zscaler service changed, e.g. to disabled)
Network Indicators:
- Unexpected bypass of ZIA proxy for traffic that should be inspected
SIEM Query (Splunk-style; adapt field names to your ingest mapping):
source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 ScriptBlockText="*Zscaler*" (ScriptBlockText="*Stop-Service*" OR ScriptBlockText="*Set-Service*" OR ScriptBlockText="*sc.exe*" OR ScriptBlockText="*net stop*")
source="WinEventLog:System" SourceName="Service Control Manager" (EventCode=7036 OR EventCode=7040) Message="*Zscaler*"
Note that Disable-Service is not a PowerShell cmdlet; the real equivalents to watch for are Set-Service -StartupType Disabled and sc.exe config start= disabled.
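The script below is an added example of the detection logic, not a rule shipped by Zscaler or any SIEM vendor. It requires both a Zscaler reference and a service-manipulation verb in the same script block, which keeps routine Get-Service inventory and unrelated Stop-Service calls quiet, runs the matcher over a few constructed sample script blocks so it can be tried offline, and shows how to feed it real Event ID 4104 records plus Service Control Manager 7036/7040 events. The sample lines are constructed for illustration.

```powershell
# Added example: detect PowerShell and SCM activity that disables Zscaler services.
# Sample script blocks are constructed; the Get-WinEvent path needs script block
# logging enabled (GPO: Turn on PowerShell Script Block Logging).

$ZscalerRef  = '(?i)zscaler'
$TamperVerbs = '(?i)(Stop-Service|Set-Service[^\n]*-StartupType\s+Disabled|Remove-Service|sc(\.exe)?\s+(stop|config|delete)|net(\.exe)?\s+stop|Stop-Process)'

function Test-ZiaTamperCommand {
    # Suspicious only when the text names Zscaler AND carries a tamper verb.
    param([Parameter(Mandatory)][string]$Text)
    $hasRef  = $Text -match $ZscalerRef
    $hasVerb = $Text -match $TamperVerbs
    $verb    = $null
    if ($hasVerb) { $verb = $Matches[0] }
    [pscustomobject]@{
        Suspicious = ($hasRef -and $hasVerb)
        Verb       = $verb
        Text       = $Text
    }
}

function Get-ZiaTamperEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # 4104: Properties[2] holds the script block text.
    $blocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $blocks) {
        $r = Test-ZiaTamperCommand -Text ([string]$e.Properties[2].Value)
        if ($r.Suspicious) {
            [pscustomobject]@{ Time = $e.TimeCreated; Source = 'PS 4104'; Verb = $r.Verb; Text = $r.Text }
        }
    }
    # 7036 (state change) and 7040 (start type change) from the Service Control Manager.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ZscalerRef } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = "SCM $($_.Id)"; Verb = $null; Text = $_.Message }
        }
}

# Constructed samples: two benign, two that should fire.
$SampleScriptBlocks = @(
    "Get-Service -DisplayName '*Zscaler*' | Select-Object Status"            # inventory: no verb
    "Stop-Service -Name Spooler -Force"                                       # verb, but not Zscaler
    "Get-Service -DisplayName '*Zscaler*' | Stop-Service -Force"              # fires
    "Get-Service -DisplayName '*Zscaler*' | Set-Service -StartupType Disabled" # fires
)
$SampleScriptBlocks | ForEach-Object { Test-ZiaTamperCommand -Text $_ } |
    Format-Table Suspicious, Verb, Text -AutoSize

# Live use on a host: Get-ZiaTamperEvents -Since (Get-Date).AddDays(-7)
```

Tune the verb list to your environment before deploying it broadly: legitimate upgrades of the agent also stop its services, so correlate hits against the change window for Client Connector deployments.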