BT 23-08

Security Advisories

Advisory ID: BT23-08

  • CVSSv3 Score: 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Issue Date: 2023-07-14
  • Updated On: 2023-12-08
  • CVE(s): CVE-2023-49944

Synopsis:

Unprotected administrative access to Challenge-Response shared key can lead to Privilege Escalation.

Impacted Product:

Privilege Management for Windows (PMfW)

Summary:

A medium severity vulnerability was discovered and verified in BeyondTrust's Privilege Management for Windows (PMfW). Under certain configuration scenarios, an attacker who already holds administrative privileges on an endpoint can generate valid response codes for the Challenge Response feature, leading to local elevation of privileges through the product.

The Challenge Response feature of the Privilege Management for Windows (PMfW) product utilizes a shared key, unique to a configuration, which is distributed to endpoints for subsequent offline verification of response codes. This shared key is encrypted before being included in the configuration file.

With administrative privileges on a local machine, and with enhanced protections not configured, it is possible to reverse engineer the algorithm used to generate response codes and then either decrypt the shared key from the configuration file or obtain it via direct memory access techniques. With access to both the algorithm and the shared key, an attacker can self-generate response codes and bypass the Challenge Response portion of PMfW messages. Note that audit events, if configured, continue to function as intended, so the forged approvals are still recorded.

As the shared key is a per-configuration value, this exploit can then be used on other machines using the same configuration.

Attack Vector(s):

The main threat is access to the shared key. It has been recovered via the following methods, both of which require administrative privileges and require enhanced protections to be disabled:

  1. Decryption of the encrypted shared key from the PMfW configuration file.
  2. Obtaining the shared key from memory via a debugger after decryption occurs.

Mitigation:

To mitigate the above attack vectors, update PMfW to version 24.1 or later and enable the Agent Protection feature if it is not already enabled. Refer to our BTDocs - Policy Editor utilities | EPM-WM Cloud for a step-by-step guide on enabling this feature. Agent Protection provides protection against full administrator accounts, reducing their ability to access PMfW files and processes (amongst other items), which is exactly the access both attack vectors depend on.

If Agent Protection cannot be enabled, then the following mitigation controls should be leveraged:

Privilege Management for Windows' Anti-Tamper Mechanism: PMfW's anti-tamper mechanisms ensure that anything elevated by the product is unable to tamper with the product through the use of a restricted group added to its security descriptor. As both of the attack vectors described require full administrative access to perform, they cannot be accomplished via a process elevated by the product.
Note: This is enabled by default.

Configuration Hardening: Configuration hardening can be applied to messages using the Challenge Response feature by adding further authentication requirements, such as a password prompt.

Acknowledgements


BeyondTrust would like to acknowledge Marcelo Toran and the Swiss Re team for reporting this issue.

References:

  1. https://www.cve.org/CVERecord?id=CVE-2023-49944

Copyright © 2003 — 2026 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.