Versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3
The issue is fixed in versions 8.3.0 and 7.17.5.
If you are unable to upgrade, you can disable Vega visualizations:
- For on-premise installations, you can set vega.enabled: false (for Kibana versions older than 7.7.0) in
- For Elastic Cloud services deployments, you can reach out to Elastic Support
6.4 (Medium) - AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVE ID: CVE-2022-23713
A local privilege escalation (LPE) issue was discovered in the ransomware canaries feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Versions 7.13.0 through 7.17.4 and 8.0.0 through 8.2.3
An artifact update was distributed to all internet-connected endpoints which disables the vulnerable feature ("Endpoint.policy.applied.artifacts.global.version" version 1.0.324 or later). However, 7.14+ enterprise and platinum Endpoints remain affected if the cloud update hasn't been received and ransomware protection is enabled. The cloud update occurs 5 minutes after installation if the update server can be reached.
The vulnerability is resolved in versions 8.3.0 and 7.17.5 where the vulnerable feature is disabled out of the box without requiring the artifact update. A workaround for endpoints unable to update or connect to the artifact update server is to disable the vulnerable feature manually by setting the “windows.advanced.ransomware.canary” advanced policy option to false.
A future version will include a fix for the vulnerability and will re-enable the canaries component of the ransomware protection feature. In the meantime, Elastic Security is confident that its layered approach to protections provides high efficacy against ransomware threats without requiring the canary feature.
7.0 (High) - AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2022-23714
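The Endpoint advisory above gives three independent conditions under which a host is no longer exposed (fixed release, artifact update 1.0.324+, or the canary policy option set to false). The following fleet-triage helper is an added example, not Elastic's code; the Host record layout and the sample inventory are constructed, and the version ranges and artifact version are the ones stated in the advisory.

```python
# Added triage example (not Elastic's code): applies the advisory's stated conditions for
# CVE-2022-23714 to an inventory of Windows Endpoint hosts and lists those still exposed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

AFFECTED_RANGES = (("7.13.0", "7.17.4"), ("8.0.0", "8.2.3"))  # affected Endpoint versions, per advisory
MITIGATING_ARTIFACT = "1.0.324"  # global artifact version that disables the canaries feature

def parse_version(text: str) -> Tuple[int, ...]:
    """'7.17.4' -> (7, 17, 4); tuples compare component-wise, so '1.0.324' < '1.0.330'."""
    return tuple(int(part) for part in text.split("."))

def in_affected_range(version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

@dataclass
class Host:
    name: str
    endpoint_version: str
    artifact_global_version: Optional[str]  # Endpoint.policy.applied.artifacts.global.version; None = never received
    ransomware_protection: bool             # ransomware protection enabled in the integration policy
    canary_enabled: bool = True             # windows.advanced.ransomware.canary (advisory workaround sets it false)

def is_exposed(host: Host) -> bool:
    """True only if the version is affected and none of the advisory's mitigations applies."""
    if not in_affected_range(host.endpoint_version):
        return False  # fixed release (7.17.5 / 8.3.0) or outside the affected ranges
    if not host.ransomware_protection or not host.canary_enabled:
        return False  # feature not in use, or manual policy workaround applied
    if host.artifact_global_version is not None and \
            parse_version(host.artifact_global_version) >= parse_version(MITIGATING_ARTIFACT):
        return False  # cloud artifact update received, vulnerable feature disabled
    return True

def exposed_hosts(inventory: List[Host]) -> List[str]:
    return [h.name for h in inventory if is_exposed(h)]

# Constructed sample inventory covering each mitigation path.
SAMPLE_INVENTORY = [
    Host("ws-01", "8.2.3", None, True),                              # isolated, never updated: exposed
    Host("ws-02", "8.2.3", "1.0.330", True),                         # artifact update received
    Host("ws-03", "7.17.4", "1.0.300", True, canary_enabled=False),  # manual workaround applied
    Host("ws-04", "7.17.5", None, True),                             # fixed release
    Host("ws-05", "7.16.0", "1.0.323", False),                       # ransomware protection disabled
]

if __name__ == "__main__":
    print("still exposed:", exposed_hosts(SAMPLE_INVENTORY))  # ['ws-01']
```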