A significant zero-interaction privilege escalation vulnerability has been uncovered in Zscaler Client Connector, amalgamating three distinct vulnerabilities. These flaws, associated with password check, arbitrary code execution, and arbitrary file deletion, collectively enabled threat actors to elevate from standard user privileges to high-privileged NT AUTHORITY\SYSTEM on Windows systems. Zscaler Client Connector, comprising ZSATray and ZSATrayManager processes, facilitates various network tunnels for Zscaler, with ZSATrayManager running as a service and handling critical network management tasks.
However, the vulnerability allows bypassing of crucial RPC call validations, enabling attackers to execute arbitrary code via process injection into the ZSATray.exe process. Specifically, flaws CVE-2023-41972 and CVE-2023-41973 exploit weaknesses in the PERFORM_APP_REVERT function, allowing attackers to manipulate arguments and execute arbitrary files, ultimately leading to privilege escalation. To address these vulnerabilities, users are strongly advised to update to Zscaler Client Connector versions 4.2.0.209 or 4.3.0.121, or newer, effectively mitigating the risk of exploitation.
By leveraging these vulnerabilities, threat actors could execute arbitrary code and gain elevated privileges, posing significant security risks to affected systems. Zscaler has promptly responded to these threats by releasing patched versions of Zscaler Client Connector, urging users to update promptly to prevent potential exploitation. This incident underscores the critical importance of timely software updates and the implementation of robust security measures to mitigate the risks posed by zero-interaction privilege escalation vulnerabilities in enterprise environments.
