CVE-2024-28240
📋 TL;DR
This vulnerability in GLPI Agent on Windows allows local users to cause denial of service by modifying the GLPI server URL or disabling the service. If the Deploy task is installed, a local malicious user can achieve privilege escalation by configuring a malicious server with their own deploy payload. It only affects Windows installations made via the MSI package.
💻 Affected Systems
- GLPI Agent
📦 What is this software?
GLPI Agent by GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise if Deploy task is installed and malicious payload is executed with elevated privileges.
Likely Case
Denial of service of the GLPI Agent service, disrupting management and monitoring capabilities.
If Mitigated
Limited to service disruption with proper access controls preventing registry modification by unauthorized users.
🎯 Exploit Status
Requires local access to modify Windows registry keys. Privilege escalation requires Deploy task installation and malicious server configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2
Vendor Advisory: https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-hx3x-mmqg-h3jp
Restart Required: Yes
Instructions:
1. Download GLPI Agent 1.7.2 or later from official sources.
2. Run the installer to upgrade existing installations.
3. Restart the GLPI Agent service or reboot the system.
🔧 Temporary Workarounds
Hide GLPI Agent from installed applications
Windows: Modify the registry to hide GLPI Agent from the installed applications list, preventing unauthorized modifications.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GLPI-Agent" /v SystemComponent /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Restrict access to Windows registry keys related to GLPI Agent using appropriate permissions.
- Monitor for unauthorized modifications to GLPI Agent configuration and registry entries.
🔍 How to Verify
Check if Vulnerable:
Check GLPI Agent version via command line: 'glpi-agent --version' or verify Windows registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for GLPI-Agent.
Check Version:
glpi-agent --version
Verify Fix Applied:
Confirm version is 1.7.2 or later using 'glpi-agent --version' command.
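An added example (not from the advisory or the GLPI project) that combines the registry version check with a check for the SystemComponent workaround value. It assumes the Uninstall entry can be recognised by a DisplayName containing "GLPI" and "Agent", and it also searches the standard 32-bit (WOW6432Node) Uninstall view; neither detail is stated on this page.

```powershell
# Added example (not vendor code): audit the GLPI Agent MSI registration.
$fixed = [version]'1.7.2'   # patch version stated on this page
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$found = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Assumption: the entry is identifiable by its DisplayName; the subkey
        # itself may be named GLPI-Agent or be an MSI product-code GUID.
        if ($p.DisplayName -notlike '*GLPI*Agent*') { continue }

        # DisplayVersion may carry a suffix; keep only the leading numeric part.
        $ver = $null
        if ("$($p.DisplayVersion)" -match '^\d+(\.\d+){1,3}') { $ver = [version]$Matches[0] }

        [pscustomobject]@{
            Key         = $key.PSChildName
            DisplayName = $p.DisplayName
            Version     = $ver
            # An unparseable version is flagged for review, not treated as safe.
            NeedsPatch  = ($null -eq $ver) -or ($ver -lt $fixed)
            Hidden      = ($p.SystemComponent -eq 1)   # workaround value set?
        }
    }
}

if ($found) { $found | Format-Table -AutoSize }
else { Write-Output 'No GLPI Agent entry found under the Uninstall keys.' }
```

Reading HKLM does not require elevation, so the script can run from a standard inventory or compliance job.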
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to GLPI Agent configuration files or registry keys
- GLPI Agent service stopping unexpectedly
- Failed connection attempts to non-standard GLPI servers
Network Indicators:
- GLPI Agent connecting to unexpected or unauthorized servers
- Unusual network traffic patterns from GLPI Agent
SIEM Query:
EventID=4657 OR EventID=4663 (Windows registry modification events) targeting GLPI-Agent registry paths
🔗 References
- https://github.com/glpi-project/glpi-agent/commit/41bbb1169e899bd15350a9e2fdbf9269a3b7a14f
- https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-hx3x-mmqg-h3jp