Synopsis:
Prior to version 24.1, a local, authenticated attacker with the privileges needed to initiate a repair of Privilege Management for Windows could hijack the elevated repair process to execute arbitrary programs with elevated privileges. The attack is mitigated by the product's anti-tamper restrictions and by the policy restriction described below.
Impacted Product:
Privilege Management for Windows
Policy Restriction:
The following policy assigns the user's default (non-elevated) access token to any program launched as a child of the Privilege Management user-mode utility (PGUserMode), so a process spawned from a hijacked repair runs without elevated privileges.
1. Create a new application group (e.g., AppGroup1) with the following criteria:
a. File or Folder Name matches:
--- File or Folder Name: PGUserMode
--- Perform Match Using: Contains
b. Product Name matches:
--- Product Name: BeyondTrust Privilege Management
--- Match Case: Yes
--- Perform Match Using: Exact Match
c. Publisher matches:
--- Publisher: BeyondTrust Corporation
--- Match Case: Yes
--- Perform Match Using: Exact Match
d. Product Description matches:
--- Product Description: BeyondTrust Privilege Management User Mode Utility
--- Match Case: Yes
--- Perform Match Using: Exact Match
e. Trusted Ownership matches
f. Advanced Options: only the "Force standard user rights on File Open/Save common dialogs" option is enabled
2. Create a new application group (e.g., AppGroup2) with the following criteria:
a. File or Folder Name matches:
--- File or Folder Name: *
--- Perform Match Using: Regular Expressions
b. Parent Process matches:
--- Parent Process Group: AppGroup1 (the name of the group you created above)
c. Advanced Options: only the "Force standard user rights on File Open/Save common dialogs" option is enabled
3. Create a new Application Rule:
--- Target Application Group: AppGroup2 (the name of the second group you created above)
--- Action: Allow Execution
--- End User Message: Off
--- Access Token: Enforce User's Default Rights
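The policy above only takes effect if the AppGroup1 criteria (file name, product name, publisher, product description) actually match the PGUserMode binary installed on the endpoint, and it is only needed on builds prior to 24.1. The PowerShell below is an added pre-flight check written for this page; it is not BeyondTrust's code and is not part of the original advisory. It assumes (these are assumptions, not facts from the advisory) that the product registers under the standard Uninstall registry keys with a DisplayName containing "Privilege Management", that the user-mode utility is installed somewhere under Program Files with a file name containing "PGUserMode", and that the policy's Publisher criterion is compared against the Authenticode signer's subject common name.

```powershell
# Added example (not BeyondTrust's code): pre-flight checks for the policy restriction above.
# Assumptions, not from the advisory: Uninstall-key DisplayName contains "Privilege Management";
# the user-mode utility lives under Program Files as PGUserMode*.exe; Publisher == signer subject CN.

$FixedVersion = [version]'24.1'

# 1. Is the installed Privilege Management for Windows build prior to 24.1?
function Get-PmfwInstall {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Privilege Management*' } |   # assumed DisplayName
        Select-Object DisplayName, DisplayVersion, Publisher
}

$install = Get-PmfwInstall
if (-not $install) {
    Write-Warning 'No Privilege Management installation found in the Uninstall registry keys.'
}
foreach ($i in $install) {
    $v = $null
    if ([version]::TryParse($i.DisplayVersion, [ref]$v) -and $v -lt $FixedVersion) {
        Write-Warning ('{0} {1} is prior to 24.1: apply the policy restriction or upgrade.' -f $i.DisplayName, $i.DisplayVersion)
    } else {
        Write-Host ('{0} {1} is not in the affected range.' -f $i.DisplayName, $i.DisplayVersion)
    }
}

# 2. Do the AppGroup1 criteria from step 1 match the binary that is actually on disk?
#    Each comparison is ordinal (case-sensitive, exact), mirroring "Match Case: Yes / Exact Match".
$Expected = @{
    ProductName     = 'BeyondTrust Privilege Management'
    Publisher       = 'BeyondTrust Corporation'
    FileDescription = 'BeyondTrust Privilege Management User Mode Utility'
}

function Test-PGUserModeCriteria {
    param([System.IO.FileInfo]$Exe)

    $vi  = $Exe.VersionInfo                          # System.Diagnostics.FileVersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Exe.FullName
    $cn  = $null
    if ($sig.SignerCertificate) {
        # SimpleName returns the subject CN without hand-parsing the DN (handles commas in O=).
        $cn = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    $actual = @{
        ProductName     = $vi.ProductName
        Publisher       = $cn
        FileDescription = $vi.FileDescription
    }

    Write-Host ("`n{0}  (signature: {1})" -f $Exe.FullName, $sig.Status)
    $allOk = $true
    foreach ($k in $Expected.Keys) {
        $ok = [string]::Equals($actual[$k], $Expected[$k], [System.StringComparison]::Ordinal)
        if (-not $ok) { $allOk = $false }
        '{0,-16} {1}  actual="{2}"' -f $k, $(if ($ok) { 'MATCH   ' } else { 'MISMATCH' }), $actual[$k]
    }
    return $allOk
}

# Search both Program Files roots; the install path is an assumption, so the search is recursive.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$candidates = Get-ChildItem -Path $roots -Recurse -File -Filter 'PGUserMode*.exe' -ErrorAction SilentlyContinue

if (-not $candidates) {
    Write-Warning 'No PGUserMode*.exe found under Program Files; adjust the search path for your install.'
}
foreach ($exe in $candidates) {
    if (Test-PGUserModeCriteria -Exe $exe) {
        Write-Host 'AppGroup1 criteria match this binary.'
    } else {
        Write-Warning 'One or more AppGroup1 criteria would NOT match; the rule in step 3 would not fire.'
    }
}
```

Run it in an elevated PowerShell session on a representative endpoint before rolling the policy out: a MISMATCH on any line means the value in your policy's application group must be changed to the actual value printed, or AppGroup2 (children of AppGroup1) will never be populated and the "Enforce User's Default Rights" token will not be applied.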
Affected Versions:
| Product | Version |
|---|---|
| Privilege Management for Windows | Prior to 24.1 |
Fixed Versions:
| Product | Version |
|---|---|
| Privilege Management for Windows | 24.1 |
BeyondTrust would like to thank Andreas Aaris-Larsen of Banshie Cyber Security Services for reporting this vulnerability to us through our secure channel.