CVE-2024-6978
📋 TL;DR
The Cato Networks Windows SDP Client allows low-privileged users to install local root certificates. A rogue root CA trusted by the machine lets an attacker who can also get onto the network path present forged certificates that the system accepts, enabling man-in-the-middle interception of TLS traffic and credential theft. All Windows systems running SDP Client versions before 5.10.28 are affected.
💻 Affected Systems
- Cato Networks Windows SDP Client
📦 What is this software?
Cato Client by Catonetworks
⚠️ Risk & Real-World Impact
Worst Case
An attacker installs a malicious root CA that the machine trusts and then, from a network position between the host and its destinations, presents forged certificates for any site or service. TLS connections that do not pin their certificates are decrypted transparently, exposing credentials, session tokens and data in transit.
Likely Case
Malicious users or malware with low privileges could install rogue certificates to intercept specific application traffic or bypass security controls.
If Mitigated
With strict control over who can log on to affected systems and monitoring of the Trusted Root store, exposure is limited to the authorized low-privileged users of those systems, and any rogue certificate they install is detected quickly.
🎯 Exploit Status
Exploitation requires low-privileged user access to the Windows system, either an interactive session or code running as that user; administrator rights are not needed. The vulnerability is straightforward to exploit once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10.28 or later
Restart Required: Yes
Instructions:
1. Download SDP Client version 5.10.28 or later from Cato Networks.
2. Install the update on all affected Windows systems.
3. Restart the systems to complete the installation.
🔧 Temporary Workarounds
Restrict certificate installation permissions
Prevent low-privileged users from having certificates they install treated as trusted. Standard users cannot write to the machine-wide Trusted Root store by default, so a rogue root only lands there through a privileged component acting on their behalf; this control therefore supplements the patch rather than replacing it.
Use Group Policy or local security policy (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings > Stores) and clear "Allow user trusted root CAs to be used to validate certificates", so roots added to a user's own Trusted Root store are not trusted.
Monitor certificate store changes
Alert on any addition to the Trusted Root Certification Authorities store that did not come from Microsoft's automatic root update or your own PKI deployment.
Enable the Audit Registry object-access subcategory and place a SACL on HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates; additions then appear as Security Event ID 4657 (registry value modified) and 4663 (object access), with the writing account and process recorded in the event. Sysmon Event ID 12/13 on the same key is an alternative. Event ID 4107 is not a store-change record: it is the CAPI2 Application-log event written when Windows fails to retrieve Microsoft's automatic root list.
🧯 If You Can't Patch
- Implement strict least-privilege access controls to limit which users can access affected systems
- Deploy certificate monitoring and alerting to detect unauthorized certificate installations
🔍 How to Verify
Check if Vulnerable:
Check the SDP Client version in Windows Programs and Features, or from an elevated PowerShell prompt:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Cato*'} | Select-Object Name, Version
Check Version:
Any version below 5.10.28 is vulnerable. Note that Win32_Product is slow and triggers an MSI consistency check of every installed product; the uninstall registry keys under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall give the same answer without that side effect.
Verify Fix Applied:
Confirm the reported version is 5.10.28 or higher, then test as a standard (non-administrator) user that the client no longer lets you add a certificate to the Trusted Root store.
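A fuller form of the check above, added here as an example and not taken from Cato Networks: it reads the uninstall registry keys instead of Win32_Product and compares the version numerically, so 5.10.9 is correctly treated as older than 5.10.28. The `*Cato*` display-name pattern is an assumption; adjust it if your installation registers a different name.

```powershell
# Added example, not Cato Networks code. Run in an elevated PowerShell prompt.
# ASSUMPTION: the client's Programs and Features entry has "Cato" in its
# DisplayName; change $NamePattern if yours differs.
$FixedVersion  = [version]'5.10.28'
$NamePattern   = '*Cato*'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-VulnerableVersion {
    # $true if the version string is below the fixed release, $false if patched,
    # $null if the string cannot be parsed as a version (compare manually).
    param([Parameter(Mandatory)][string]$VersionString)
    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) { return $null }
    return ($v -lt $FixedVersion)
}

function Get-CatoClientStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion }

    if (-not $entries) {
        return [pscustomobject]@{
            Name = $null; Version = $null; Vulnerable = $false
            Note = 'No matching client found under the uninstall keys'
        }
    }

    foreach ($e in $entries) {
        $vulnerable = Test-VulnerableVersion -VersionString $e.DisplayVersion
        if ($null -eq $vulnerable) {
            $note = 'Version string not parseable; check manually'
        } elseif ($vulnerable) {
            $note = "Below $FixedVersion: update and restart"
        } else {
            $note = 'Patched'
        }
        [pscustomobject]@{
            Name       = $e.DisplayName
            Version    = $e.DisplayVersion
            Vulnerable = $vulnerable
            Note       = $note
        }
    }
}

Get-CatoClientStatus | Format-Table -AutoSize
```

Both the 64-bit and the 32-bit (WOW6432Node) uninstall hives are queried because an MSI built for either architecture may register in either place; a machine with no matching entry is reported as not installed rather than as patched.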
📡 Detection & Monitoring
Log Indicators:
- Security Event ID 4657 or 4663 for writes under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates (requires the Audit Registry subcategory and a SACL on that key), or Sysmon Event ID 12/13 on the same path
- A Trusted Root Certification Authorities entry that is not in your baseline: unfamiliar subject, self-signed, recent NotBefore, or not distributed by Microsoft's root program or your enterprise PKI
Network Indicators:
- Certificate-pinning failures reported by browsers, management agents or other clients that do not rely solely on the system store (validation on the compromised host itself will succeed, which is what makes the rogue root dangerous)
- TLS sessions from the host in which the server certificate chains to an issuer outside your CA inventory
SIEM Query:
source="Windows Security" EventID IN (4657, 4663) | where ObjectName LIKE "%SystemCertificates\ROOT\Certificates%"
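As an added example of the monitoring described in the workaround and detection sections above (not code from Cato Networks or the original page): one script that baselines the machine Trusted Root store and reports additions, enables registry auditing on the key that backs that store, and reads back the resulting 4657/4663 Security events with the writing account and process. Run it elevated. The baseline file path is an arbitrary assumption; the registry key is where Windows keeps the LocalMachine Root store.

```powershell
# Added example, not Cato Networks code or a Windows built-in. Run elevated.
# ASSUMPTION: $BaselinePath is an arbitrary location; pick one standard users
# cannot modify. $RootStoreKey is the registry key backing Cert:\LocalMachine\Root.
$RootStoreKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
$BaselinePath = 'C:\ProgramData\RootStoreBaseline.txt'

# 1. Store diff: report roots whose thumbprint is not in the saved baseline.
#    The first run writes the baseline and reports nothing.
function Get-NewRootCertificates {
    param([string]$Baseline = $BaselinePath)
    $current = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
    if (-not (Test-Path -Path $Baseline)) {
        $current.Thumbprint | Set-Content -Path $Baseline
        return
    }
    $known = @(Get-Content -Path $Baseline)
    $current | Where-Object { $known -notcontains $_.Thumbprint } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter,
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
}

# 2. Audit writes to the key behind the store: every root is a subkey named by
#    its thumbprint holding a "Blob" value, so a new subkey is a new root.
function Enable-RootStoreAudit {
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    $acl  = Get-Acl -Path $RootStoreKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $RootStoreKey -AclObject $acl
}

# 3. Read back the audit trail. 4657 = registry value modified (carries the
#    value name and operation type); 4663 = object access (carries the access
#    mask). The account is often SYSTEM when a privileged service wrote on a
#    user's behalf, so ProcessName is the field to pivot on.
function Get-RootStoreChangeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -match 'SystemCertificates\\ROOT\\Certificates') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Account   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process   = $data['ProcessName']
                Object    = $data['ObjectName']
                ValueName = $data['ObjectValueName']
                Operation = $data['OperationType']
            }
        }
    }
}

Enable-RootStoreAudit
Get-NewRootCertificates | Format-List
Get-RootStoreChangeEvents | Format-Table -AutoSize
```

Schedule Get-NewRootCertificates to run periodically and forward its output, and ship the Security log to your SIEM so the 4657/4663 events can be matched on the object path. If Sysmon is deployed, a RegistryEvent rule on the same key path yields Event ID 12/13 with the same process attribution and does not need the SACL.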