CVE-2024-6147
📋 TL;DR
This vulnerability allows a local attacker to escalate privileges on systems running Poly Plantronics Hub by exploiting a link-following flaw in the Spokes Update Service, which runs as SYSTEM. An attacker who already has low-privileged code execution on the host can plant a symbolic link (or junction) so that the service deletes a file of the attacker's choosing, and can turn that arbitrary delete into code execution as SYSTEM. Affects users of Poly Plantronics Hub software.
💻 Affected Systems
- Poly Plantronics Hub
📦 What is this software?
Poly Plantronics Hub (formerly Plantronics Hub, since superseded by Poly Lens Desktop) is the desktop client used to configure and update Plantronics and Poly headsets. On Windows it installs a background updater service running as SYSTEM, and that service is where the flaw lives.
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM compromise allowing complete control of the system, installation of persistent malware, credential theft, and lateral movement.
Likely Case
Local privilege escalation leading to persistence mechanisms, credential harvesting, and installation of additional malicious tools.
If Mitigated
Limited impact if endpoint detection and privilege separation are in place, since the attacker still needs an initial low-privileged foothold on the host; that foothold itself remains possible and must be handled separately.
🎯 Exploit Status
Exploitation requires local code execution as a low-privileged user and the ability to plant a link where the service will follow it. The ZDI-CAN-18271 identifier indicates the bug was reported through Trend Micro's Zero Day Initiative, whose public advisory is ZDI-24-802.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Poly (HP Inc.) security advisory for the fixed Hub release
Advisory (ZDI): https://www.zerodayinitiative.com/advisories/ZDI-24-802/
Restart Required: Yes
Instructions:
1. Check the installed Poly Plantronics Hub version (Settings > Apps, or the Hub About dialog).
2. Open the Poly (HP) security advisory for CVE-2024-6147 and note the fixed release.
3. Download the fixed installer from Poly and install it.
4. Restart the system (or at least the Spokes Update Service) so the updated service binary is the one actually running.
🔧 Temporary Workarounds
Disable Spokes Update Service (Windows)
Temporarily disable the vulnerable service so its SYSTEM-level file operations cannot be reached. Confirm the service name first with sc query or Get-Service; the name below is the one this page uses. While the service is disabled, Hub will not self-update, so re-enable it (or remove the product) once the patch is applied.
sc config "SpokesUpdateService" start= disabled
sc stop "SpokesUpdateService"
Restrict symbolic link creation (Windows)
Apply policy so that only Administrators hold the 'Create symbolic links' user right (SeCreateSymbolicLinkPrivilege). This is already the default assignment; Developer Mode relaxes it by permitting unprivileged symlink creation. Note that this right only governs NTFS symbolic links: NTFS junctions (mklink /J) and object-manager symbolic links, which Windows link-following exploits commonly use, need no privilege at all, so treat this as a partial mitigation rather than a fix.
secedit /export /cfg config.inf
Edit config.inf: under [Privilege Rights], set SeCreateSymbolicLinkPrivilege = *S-1-5-32-544 (Administrators only)
secedit /configure /db config.sdb /cfg config.inf
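The two workarounds above as one elevated PowerShell script, added here as an example (it is not from the Poly/HP or ZDI advisory). It assumes the service name SpokesUpdateService used on this page and checks that the service exists before touching it; it keeps a backup of the exported policy so secedit can roll the user-right change back.

```powershell
#Requires -RunAsAdministrator
# Added example; the service name is the one this page uses (assumption: confirm with Get-Service).
$serviceName = 'SpokesUpdateService'

# 1. Stop and disable the updater service. Hub self-updates stop with it; re-enable after patching.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$serviceName' not found; list candidates with: Get-Service *spokes*, *plantronics*, *poly*"
} else {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
    Set-Service -Name $serviceName -StartupType Disabled
    Get-Service -Name $serviceName | Select-Object Name, Status, StartType
}

# 2. Limit SeCreateSymbolicLinkPrivilege to BUILTIN\Administrators (S-1-5-32-544).
#    Partial mitigation only: junctions and object-manager symlinks need no privilege.
$work = Join-Path $env:TEMP 'symlink-policy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'config.inf'
$db  = Join-Path $work 'config.sdb'

secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# Roll back later with: secedit /configure /db $db /cfg "$cfg.bak" /areas USER_RIGHTS
Copy-Item -Path $cfg -Destination "$cfg.bak" -Force

$desired = 'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544'
$lines = Get-Content -Path $cfg
if ($lines -match '^SeCreateSymbolicLinkPrivilege\s*=') {
    # Right is already listed: overwrite its SID list.
    $lines = $lines -replace '^SeCreateSymbolicLinkPrivilege\s*=.*$', $desired
} else {
    # Right not listed: add it directly under the [Privilege Rights] section header.
    $lines = $lines -replace '^\[Privilege Rights\]\s*$', "[Privilege Rights]`r`n$desired"
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit expects UTF-16LE
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS

# Show the resulting assignment.
Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege' | ForEach-Object Line
```

The /areas USER_RIGHTS switch scopes both the export and the import to user-right assignments, so nothing else in the local security policy is touched by the configure step.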
🧯 If You Can't Patch
- Remove Poly Plantronics Hub from critical systems
- Implement strict endpoint detection and response (EDR) to monitor for symbolic link creation and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether Poly Plantronics Hub is installed (Settings > Apps or the Uninstall registry keys) and whether the Spokes Update Service exists and is running: sc query SpokesUpdateService. Also note the account the service runs under (sc qc SpokesUpdateService); that account is what the escalation yields.
Check Version:
Check Poly Plantronics Hub about dialog or installed programs list for version information
Verify Fix Applied:
Confirm the installed Hub version is at or above the fixed release named in the Poly advisory and that the Spokes Update Service binary has been replaced by the update (compare its file version), or that the service remains disabled if you are relying on the workaround.
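An added PowerShell check (not vendor code) that gathers the three facts above in one pass: the installed Hub version from the Uninstall registry keys, the updater service's state, start mode, logon account and binary version, and which SIDs hold SeCreateSymbolicLinkPrivilege. The display-name patterns and the service name SpokesUpdateService are assumptions taken from this page; adjust them if Get-Service shows a different name. The last step calls secedit and needs an elevated prompt.

```powershell
# Added verification check (not vendor code). Display-name patterns and the service
# name below are assumptions taken from this page.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Installed product and version, as the Programs list reports them.
$hub = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Plantronics Hub*' -or $_.DisplayName -like '*Poly*Hub*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
if ($hub) { $hub | Format-List } else { 'Poly Plantronics Hub not found in the installed programs list' }

# 2. Updater service: present, running, start mode, and the account it runs as
#    (the privilege escalation target), plus the version stamped on its binary.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SpokesUpdateService'"
if ($svc) {
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        RunsAs    = $svc.StartName
        Binary    = $svc.PathName
    } | Format-List

    # Strip quotes/arguments from the image path, then read its file version.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (Test-Path $exe) {
        (Get-Item $exe).VersionInfo | Select-Object FileVersion, ProductVersion
    }
} else {
    'SpokesUpdateService not present; list candidates with Get-Service *spokes*, *plantronics*, *poly*'
}

# 3. Who holds the 'Create symbolic links' user right (default: *S-1-5-32-544 only).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege' | ForEach-Object Line
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If step 2 reports RunsAs as LocalSystem and a binary version older than the fixed release from the advisory, the host is still exposed regardless of what the Programs list says, since the service binary is what the exploit targets.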
📡 Detection & Monitoring
Log Indicators:
- Windows has no dedicated event for symbolic link creation. With 'Audit Object Access' enabled and a SACL on the directories the updater touches, Security Event ID 4663 records link and file creation there by non-SYSTEM accounts; Sysmon Event ID 11 (FileCreate) gives similar coverage without SACLs
- System log Event IDs 7040 (start type changed) and 7036 (state changed) for the Spokes Update Service, which reveal tampering with the workaround or an attacker restarting the service to trigger the delete
- File deletion in sensitive locations: Security Event ID 4660 (object deleted, with object auditing) or Sysmon Event IDs 23/26 (FileDelete) where the deleting process is the updater service
Network Indicators:
- No direct network indicators - local exploitation only
SIEM Query (pseudo-SQL; requires 'Audit Process Creation' plus 'Include command line in process creation events', otherwise 4688 carries no CommandLine to match):
EventID=4688 AND CommandLine LIKE '%mklink%' AND SubjectUserName NOT LIKE '%$'
Notes: mklink is a cmd.exe builtin, so NewProcessName will be cmd.exe and only the command line carries it. LocalSystem appears in 4688 as the machine account (HOSTNAME$), which the NOT LIKE clause excludes; 'Administrators' is a group, not a SubjectUserName value, so filtering on it excludes nothing. Exploit tooling usually calls CreateSymbolicLink or NtCreateSymbolicLinkObject directly, or creates a junction, rather than shelling out to mklink, so this query is low fidelity on its own and should be paired with the file-create and file-delete indicators above.
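An added Get-WinEvent version of the query above (example code, not from the page) that also pulls the Sysmon FileDelete indicator. It assumes command-line auditing is on, that Sysmon is installed with FileDelete (Event ID 23) logging enabled, and that the updater's image path contains 'Spokes' or 'Plantronics' (an assumption based on this page's service name). The regex also catches New-Item -ItemType SymbolicLink or Junction from PowerShell, which an mklink-only filter misses.

```powershell
# Added detection example (not from the page). Assumes Security auditing of process
# creation with command line included, and Sysmon with FileDelete (ID 23) enabled.
$since = (Get-Date).AddDays(-1)

# Flatten an event's EventData into an object keyed by field name.
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ TimeCreated = $Event.TimeCreated }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

# 4688: link creation via cmd's mklink or PowerShell's New-Item, by a non-SYSTEM account.
# LocalSystem shows up as the machine account (HOSTNAME$), hence the trailing-$ exclusion.
$linkCreation = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventFields $_ } |
    Where-Object {
        $_.CommandLine -match '\bmklink\b|New-Item\b.*-ItemType\s+(SymbolicLink|Junction)' -and
        $_.SubjectUserName -notlike '*$'
    } |
    Select-Object TimeCreated, SubjectUserName, NewProcessName, CommandLine

# Sysmon 23: files deleted by the updater service process (the primitive the bug grants).
# Image path pattern is an assumption; adjust to the real service binary path.
$updaterDeletes = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 23; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventFields $_ } |
    Where-Object { $_.Image -match 'Spokes|Plantronics' } |
    Select-Object TimeCreated, User, Image, TargetFilename

$linkCreation   | Format-Table -AutoSize
$updaterDeletes | Format-Table -AutoSize
```

The second query is the higher-value one: a delete by the SYSTEM updater of a file outside its own install or update directories, shortly after a non-SYSTEM link creation in the same location, is the sequence this vulnerability produces, whereas mklink on its own is common administrative noise.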