Local Privilege Escalation in baramundi Management Agent via MSI Installer
A local privilege escalation in the MSI installer of the baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM.
It was possible to invoke the repair function for the installer as an unprivileged user. During the repair process, a conhost.exe window would appear on the user’s screen. After clicking within the window to freeze it and then starting a browser via the properties dialog, it was possible to spawn a cmd.exe as SYSTEM.
The vulnerability was acknowledged and fixed by baramundi within three months. We want to thank baramundi for its exemplary reaction to the vulnerability report.
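For detection, the following Python code (added here, not part of the advisory or of baramundi's software) flags process-creation events in which a browser or shell runs as SYSTEM beneath msiexec.exe, which is the outcome of the repair sequence described above. It assumes Sysmon Event ID 1 field names; the sample events, their parent/child lineage and the list of interactive programs are constructed for illustration.

```python
import ntpath

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Programs a user drives interactively (assumed list; extend for your estate).
INTERACTIVE = {"cmd.exe", "powershell.exe", "msedge.exe", "chrome.exe",
               "firefox.exe", "iexplore.exe"}

def name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def find_system_breakouts(events):
    """Return SYSTEM-owned interactive programs that descend from msiexec.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if e["User"].upper() != SYSTEM_USER or name(e["Image"]) not in INTERACTIVE:
            continue
        # Walk up the parent chain; 'seen' guards against loops in bad data.
        chain, cur, seen = [name(e["Image"])], e, set()
        while cur and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])
            chain.append(name(cur["ParentImage"]))
            cur = by_guid.get(cur["ParentProcessGuid"])
        if "msiexec.exe" in chain[1:]:
            hits.append({"ProcessGuid": e["ProcessGuid"], "chain": chain[::-1]})
    return hits

def ev(guid, image, user, pguid, pimage):
    """Build one constructed process-creation event."""
    return {"ProcessGuid": guid, "Image": image, "User": user,
            "ParentProcessGuid": pguid, "ParentImage": pimage}

# Constructed sample data; GUIDs are shortened placeholders.
SYS32 = "C:\\Windows\\System32\\"
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE_EVENTS = [
    ev("g1", SYS32 + "msiexec.exe", SYSTEM_USER, "g0", SYS32 + "services.exe"),
    ev("g2", SYS32 + "conhost.exe", SYSTEM_USER, "g1", SYS32 + "msiexec.exe"),
    ev("g3", EDGE, SYSTEM_USER, "g2", SYS32 + "conhost.exe"),
    ev("g4", SYS32 + "cmd.exe", SYSTEM_USER, "g3", EDGE),
    ev("g5", SYS32 + "cmd.exe", "CORP\\alice", "g9", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for hit in find_system_breakouts(SAMPLE_EVENTS):
        print(hit["ProcessGuid"], " > ".join(hit["chain"]))
```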
CVSS Score
7.8 (CVSS v3) – https://nvd.nist.gov/vuln/detail/CVE-2024-6689
CVSS Vector String
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Version
baramundi Management Agent Version 23.1.172.0
Fixed Version
23.1.248
References
https://www.baramundi.com/en-us/security-info/s-2024-01/
Credits
Kolja Grassmann (cirosec GmbH)
Timeline
2023-11-16: Vendor was contacted and informed about the vulnerability
2023-11-17: Initial response from vendor
2023-12-18: Vendor acknowledged the vulnerability
2024-02-02: Vendor informed us that the issue was resolved
2024-07-15: Vendor released advisory