CVE-2024-47856
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges on Windows systems running vulnerable RSA Authentication Agent versions. It affects organizations using RSA Authentication Agent for Windows authentication services. Attackers can exploit path interception by placing malicious executables in directories with spaces in their paths.
💻 Affected Systems
- RSA Authentication Agent for Microsoft Windows
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling complete control over the affected server, credential theft, and lateral movement across the network.
Likely Case
Privilege escalation leading to installation of persistent backdoors, credential harvesting, and deployment of ransomware or other malware.
If Mitigated
Limited impact if proper application whitelisting, file integrity monitoring, and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access or ability to write to directories in the service path. The technique is well-known and trivial to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.7
Vendor Advisory: https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update
Restart Required: Yes
Instructions:
1. Download RSA Authentication Agent 7.4.7 from the vendor portal.
2. Stop the RSA Authentication Agent service.
3. Run the installer with administrative privileges.
4. Restart the system to ensure all changes take effect.
🔧 Temporary Workarounds
Apply quotation marks to service paths
Windows: Manually add quotation marks around service paths containing spaces in the Windows Registry and in shortcut targets.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\RSAAgent" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\RSA\Agent\rsaagent.exe\"" /f
Restrict write permissions
Windows: Remove write permissions for non-administrative users on directories in the service path hierarchy.
icacls "C:\Program Files\RSA" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized binaries in service path directories.
- Deploy file integrity monitoring on directories within service paths to detect unauthorized file creation.
🔍 How to Verify
Check if Vulnerable:
Confirm that the installed RSA Authentication Agent version is below 7.4.7 (the service can be located with 'sc query RSAAgent'), and examine the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\RSAAgent for an unquoted path containing spaces.
Check Version:
sc query RSAAgent | findstr "DISPLAY_NAME" or check Add/Remove Programs for version
Verify Fix Applied:
Verify installed version is 7.4.7 or higher and confirm service paths in Registry are properly quoted.
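The verification steps above examine one service's ImagePath by hand. As an added example (not the advisory's own tooling), the following PowerShell audit applies the same unquoted-path check to every service on the host and reports, for each intermediate location the service control manager would try before the real executable, whether broad groups hold write access to its directory. It assumes only standard Windows cmdlets and reads service names and paths from the live registry.

```powershell
# Added defender check, not part of the RSA advisory.
# True if Users, Authenticated Users or Everyone hold an Allow ACE that grants
# write or create rights on the directory (the precondition for planting a binary).
function Test-BroadWrite([string]$Directory) {
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $write = [System.Security.AccessControl.FileSystemRights]'Write, CreateFiles, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            ([int]($ace.FileSystemRights -band $write)) -ne 0) { return $true }
    }
    return $false
}

# Enumerate services whose ImagePath is unquoted and contains spaces, the
# condition CVE-2024-47856 relies on, and list each interception candidate.
function Get-UnquotedServicePath {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\*'
    foreach ($svc in Get-ItemProperty -Path $key -ErrorAction SilentlyContinue) {
        $raw = [string]$svc.ImagePath
        # Empty or already quoted paths are not affected.
        if (-not $raw -or $raw.TrimStart().StartsWith('"')) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        # The executable portion ends at the first ".exe"; anything after is arguments.
        $m = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success -or $m.Groups[1].Value -notmatch ' ') { continue }
        $exe = $m.Groups[1].Value
        # Each prefix ending at a space is tried first, with ".exe" appended:
        # C:\Program Files\RSA\Agent\rsaagent.exe -> C:\Program.exe before the real path.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service       = $svc.PSChildName
                ImagePath     = $raw
                Candidate     = $candidate
                WritableByAll = Test-BroadWrite -Directory $dir
            }
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

Any row with WritableByAll set to True is a service that should be quoted (see the reg add workaround above) and whose directory permissions should be tightened.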
📡 Detection & Monitoring
Log Indicators:
- Unexpected process executions from directories containing spaces in service paths
- Failed service starts with error codes related to path resolution
Network Indicators:
- Unusual outbound connections from RSA Authentication Agent service
- Authentication attempts from unexpected system contexts
SIEM Query:
EventID=4688 AND NewProcessName="* *.exe" AND ParentProcessName="services.exe" AND CommandLine="* *"