CVE-2024-40872

8.4 HIGH

📋 TL;DR

This vulnerability allows attackers with local access and valid desktop user credentials to elevate their privileges to SYSTEM level by passing invalid address data to vulnerable components in Absolute Secure Access. It affects both server and client components prior to version 13.07, enabling manipulation of process tokens to gain full system control.

💻 Affected Systems

Products:
  • Absolute Secure Access
Versions: All versions prior to 13.07
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Both server and client components are affected. Attackers require local access and valid desktop user credentials to exploit.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing complete control over the affected system, installation of persistent malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation from standard user to SYSTEM, enabling attackers to bypass security controls, install unauthorized software, and access sensitive system resources.

🟢 If Mitigated

Limited impact if proper access controls, least privilege principles, and network segmentation are implemented, though the vulnerability still presents a significant risk.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and valid user credentials. The vulnerability involves passing invalid address data to manipulate process tokens.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.07

Vendor Advisory: https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1307/cve-2024-40872/

Restart Required: Yes

Instructions:

  1. Download Absolute Secure Access version 13.07 from the vendor portal.
  2. Back up the current configuration.
  3. Install the update following the vendor instructions.
  4. Restart affected systems.
  5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Local Access

Platforms: all

Limit physical and remote local access to systems running Absolute Secure Access to authorized personnel only.

Implement Least Privilege

Platforms: all

Ensure users have only the minimum necessary privileges and cannot run arbitrary processes with elevated rights.

🧯 If You Can't Patch

  • Isolate affected systems in a segmented network zone with strict access controls.
  • Implement application whitelisting to prevent execution of unauthorized processes.

🔍 How to Verify

Check if Vulnerable:

Check the Absolute Secure Access version. If it's below 13.07, the system is vulnerable.

Check Version:

  • On Windows: check the program version in Control Panel > Programs and Features.
  • On Linux: check the package version via the package manager (e.g., rpm -qa | grep absolute).

Verify Fix Applied:

Verify that the installed version is 13.07 or higher using the version check above, and confirm that no privilege escalation attempts succeed.
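The version check above is easy to get wrong when done as a plain string comparison ("13.10" sorts below "13.07" as text). The following is an added example, not code from the advisory or from Absolute, that compares an installed version string against the fixed release numerically. It assumes dot-separated numeric version components, a trailing build suffix of the form "-2" or "+meta" that can be dropped, and (for the Linux helper) that the package name contains "absolute", mirroring the rpm check above.

```python
# Added example (not from the advisory or from Absolute): compare an installed
# Absolute Secure Access version string against the fixed release 13.07.
# Assumptions: version strings are dot-separated numeric components, compared
# numerically (so "13.7" == "13.07" and "13.10" > "13.07"); a trailing build
# suffix such as "13.06-2" is split off before comparison.
import re
import subprocess
from typing import List, Optional

FIXED_VERSION = "13.07"   # patched release named in the advisory


def parse_version(version: str) -> List[int]:
    """Turn '13.06.1' into [13, 6, 1]; ignores a '-build' or '+meta' suffix."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return [int(p) for p in parts]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b."""
    pa, pb = parse_version(a), parse_version(b)
    # Pad the shorter list with zeros so that 13.07 == 13.07.0
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the fixed release."""
    return compare_versions(installed, fixed) < 0


def linux_installed_version(pattern: str = "absolute") -> Optional[str]:
    """Best-effort: ask rpm for installed packages (the advisory's
    `rpm -qa | grep absolute` check) and return the version of the first
    package whose name contains `pattern`. The package name is an assumption;
    returns None when rpm is not available on this host."""
    try:
        out = subprocess.run(
            ["rpm", "-qa", "--queryformat", "%{NAME} %{VERSION}\n"],
            capture_output=True, text=True, check=False,
        ).stdout
    except FileNotFoundError:
        return None
    for line in out.splitlines():
        name, _, ver = line.partition(" ")
        if pattern in name.lower():
            return ver
    return None


if __name__ == "__main__":
    for v in ["12.9.1", "13.06", "13.07", "13.7", "13.10"]:
        print(f"{v:>8}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    found = linux_installed_version()
    print("installed (rpm):", found or "not found")
```

Feed `is_vulnerable()` the version string read from Programs and Features or from the package manager; if the vendor's version format turns out to include non-numeric components, `parse_version()` raises rather than silently guessing.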

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation with SYSTEM privileges from non-admin users
  • Failed privilege escalation attempts in security logs
  • Access violations in Absolute Secure Access logs

Network Indicators:

  • Unusual outbound connections from Absolute Secure Access components
  • Lateral movement attempts from affected systems

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS 'Absolute' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')
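The query above and the first log indicator express two different rules: the query keys on the process image name, while "process creation with SYSTEM privileges from non-admin users" keys on the account the new process runs as. The following is an added example, not code from the advisory, that runs both rules over Windows Security Event 4688 records represented as dicts. The events are constructed sample data, not real logs, the install path under "C:\Program Files\Absolute" is assumed, and the rule names are invented for the example.

```python
# Added example (not from the advisory): run the advisory's SIEM logic over
# Windows Security Event 4688 (process creation) records, represented here as
# dicts. The records below are constructed sample data, not real logs; the
# path "C:\Program Files\Absolute\..." is an assumed install location.
from typing import Dict, Iterable, List

PRIVILEGED_SUBJECTS = {"SYSTEM", "ADMINISTRATOR"}

# Constructed 4688 events: SubjectUserName is the account that created the
# process; TargetUserName (present on Windows 10 / Server 2016 and later) is
# the account the new process runs as.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "TimeCreated": "2024-08-01T09:12:03Z",
     "SubjectUserName": "alice", "TargetUserName": "alice",
     "NewProcessName": r"C:\Program Files\Absolute\Secure Access\client.exe"},
    {"EventID": "4688", "TimeCreated": "2024-08-01T09:12:07Z",
     "SubjectUserName": "alice", "TargetUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "4688", "TimeCreated": "2024-08-01T09:13:00Z",
     "SubjectUserName": "SYSTEM", "TargetUserName": "SYSTEM",
     "NewProcessName": r"C:\Program Files\Absolute\Secure Access\service.exe"},
    {"EventID": "4624", "TimeCreated": "2024-08-01T09:13:05Z",
     "SubjectUserName": "alice", "TargetUserName": "alice",
     "NewProcessName": ""},
]


def matches_advisory_query(ev: Dict[str, str]) -> bool:
    """The page's query: EventID=4688 AND NewProcessName CONTAINS 'Absolute'
    AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')."""
    return (
        ev.get("EventID") == "4688"
        and "absolute" in ev.get("NewProcessName", "").lower()
        and ev.get("SubjectUserName", "").upper() not in PRIVILEGED_SUBJECTS
    )


def matches_token_elevation(ev: Dict[str, str]) -> bool:
    """The first log indicator: the creating account is unprivileged but the
    new process runs as SYSTEM. This is independent of the image name, so it
    also covers a SYSTEM child that is not an Absolute binary."""
    return (
        ev.get("EventID") == "4688"
        and ev.get("TargetUserName", "").upper() == "SYSTEM"
        and ev.get("SubjectUserName", "").upper() not in PRIVILEGED_SUBJECTS
    )


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that triggers either rule."""
    findings = []
    for ev in events:
        rules = []
        if matches_advisory_query(ev):
            rules.append("absolute-process-by-non-admin")   # invented rule name
        if matches_token_elevation(ev):
            rules.append("system-token-from-non-admin")    # invented rule name
        if rules:
            findings.append({"time": ev["TimeCreated"],
                             "subject": ev["SubjectUserName"],
                             "process": ev["NewProcessName"],
                             "rules": ",".join(rules)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['subject']:<8} {f['rules']:<32} {f['process']}")
```

On the sample data the name-based query fires on alice simply launching the client, which is normal user activity, so expect it to be noisy in production; the subject-versus-target account rule is the higher-signal one and needs the TargetUserName field, which requires an OS level that records it.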
