CVE-2023-45159

1E Client installer can perform arbitrary file deletion on protected files

Severity Score

8.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

1E Client installer can perform arbitrary file deletion on protected files.

A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup.

A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.

for v8.1 use hotfix Q23097
for v8.4 use hotfix Q23105
for v9.0 use hotfix Q23115

for SaaS customers, use 1EClient v23.7 plus hotfix Q23121

El instalador de 1E Client puede realizar la eliminación arbitraria de archivos protegidos. Un usuario sin privilegios podría proporcionar un enlace simbólico o una unión de Windows para apuntar a un directorio protegido en el instalador que el Cliente 1E borraría al iniciar el servicio. Hay una revisión disponible en el portal de soporte 1E que obliga al Cliente 1E a buscar un enlace o cruce simbólico y, si encuentra uno, se niega a usar esa ruta y en su lugar crea una ruta que involucra un GUID aleatorio para v8.1 use hotfix Q23097 para v8.4 use hotfix Q23105 para v9.0 use hotfix Q23115 para clientes de SaaS, use 1EClient v23.7 plus hotfix Q23121

*Credits: Thanks to Lockheed Martin red team who reported this issue.

CVSS Scores

NISTv3.1 8.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-10-04 CVE Reserved
2023-10-05 CVE Published
2024-09-19 CVE Updated
2024-11-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CAPEC

CAPEC-122: Privilege Abuse

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.1e.com/trust-security-compliance/cve-info	2023-10-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
1e Search vendor "1e"		Client Search vendor "1e" for product "Client"				8.1.2.62 Search vendor "1e" for product "Client" and version "8.1.2.62"		windows		Affected
1e Search vendor "1e"		Client Search vendor "1e" for product "Client"				8.4.1.159 Search vendor "1e" for product "Client" and version "8.4.1.159"		windows		Affected
1e Search vendor "1e"		Client Search vendor "1e" for product "Client"				9.0.1.88 Search vendor "1e" for product "Client" and version "9.0.1.88"		windows		Affected
1e Search vendor "1e"		Client Search vendor "1e" for product "Client"				23.7.1.151 Search vendor "1e" for product "Client" and version "23.7.1.151"		windows		Affected