// For flags

CVE-2023-45159

1E Client installer can perform arbitrary file deletion on protected files

Severity Score

8.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

1E Client installer can perform arbitrary file deletion on protected files.  

A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup.

A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.

for v8.1 use hotfix Q23097
for v8.4 use hotfix Q23105
for v9.0 use hotfix Q23115

for SaaS customers, use 1EClient v23.7 plus hotfix Q23121

El instalador de 1E Client puede realizar la eliminación arbitraria de archivos protegidos. Un usuario sin privilegios podría proporcionar un enlace simbólico o una unión de Windows para apuntar a un directorio protegido en el instalador que el Cliente 1E borraría al iniciar el servicio. Hay una revisión disponible en el portal de soporte 1E que obliga al Cliente 1E a buscar un enlace o cruce simbólico y, si encuentra uno, se niega a usar esa ruta y en su lugar crea una ruta que involucra un GUID aleatorio para v8.1 use hotfix Q23097 para v8.4 use hotfix Q23105 para v9.0 use hotfix Q23115 para clientes de SaaS, use 1EClient v23.7 plus hotfix Q23121

*Credits: Thanks to Lockheed Martin red team who reported this issue.
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-10-04 CVE Reserved
  • 2023-10-05 CVE Published
  • 2024-09-19 CVE Updated
  • 2024-11-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
  • CAPEC-122: Privilege Abuse
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
1e
Search vendor "1e"
Client
Search vendor "1e" for product "Client"
8.1.2.62
Search vendor "1e" for product "Client" and version "8.1.2.62"
windows
Affected
1e
Search vendor "1e"
Client
Search vendor "1e" for product "Client"
8.4.1.159
Search vendor "1e" for product "Client" and version "8.4.1.159"
windows
Affected
1e
Search vendor "1e"
Client
Search vendor "1e" for product "Client"
9.0.1.88
Search vendor "1e" for product "Client" and version "9.0.1.88"
windows
Affected
1e
Search vendor "1e"
Client
Search vendor "1e" for product "Client"
23.7.1.151
Search vendor "1e" for product "Client" and version "23.7.1.151"
windows
Affected