Elastic Endpoint Security Local Privilege Escalation issue (ESA-2022-13)
An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Affected versions:
- Elastic Security versions up to 7.17.6 and 8.3.3
- Elastic Endgame versions up to 3.62.2
Elastic Security Solutions and Mitigations:
The issue is fixed in versions 7.17.7 and 8.4.0 of the Elastic Endpoint.
If you are unable to upgrade, a workaround is to disable the quarantine feature in Advanced Policy by setting
windows.advanced.malware.quarantine to false. If this is done, Elastic Endpoint will still block malware when in prevent mode but will not quarantine it.
Elastic Endgame Security Solutions and Mitigations:
The issue is fixed in version 3.62.3 of the Endgame Sensor.
If you are unable to upgrade, a workaround is to disable the affected code by ensuring the following policy settings are not set to Prevent and Quarantine:
- MALWARE (WINDOWS)
- MALICIOUS OFFICE FILE (WINDOWS)
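As an added example (not Elastic's own code), the helper below applies this advisory's version boundaries and the Elastic Endpoint quarantine workaround to an inventory entry, returning whether a host is fixed, mitigated or still vulnerable. The Fleet package-policy JSON layout (inputs[].config.policy.value.windows.advanced) is an assumption, and the sample policy is constructed.

```python
import json

# Boundaries from the advisory: Elastic Endpoint fixed in 7.17.7 and 8.4.0,
# Endgame sensor fixed in 3.62.3. Anything below a fix is treated as affected.
ENDPOINT_FIX_7 = (7, 17, 7)
ENDPOINT_FIX_8 = (8, 4, 0)
ENDGAME_FIX = (3, 62, 3)


def parse_version(text):
    """'8.3.3' -> (8, 3, 3); a pre-release suffix such as '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def endpoint_affected(version):
    """Elastic Endpoint: vulnerable below 7.17.7 on 7.x and below 8.4.0 on 8.x."""
    v = parse_version(version)
    return v < (ENDPOINT_FIX_8 if v[0] >= 8 else ENDPOINT_FIX_7)


def endgame_affected(version):
    """Elastic Endgame sensor: vulnerable up to and including 3.62.2."""
    return parse_version(version) < ENDGAME_FIX


def quarantine_disabled(package_policy):
    """True if windows.advanced.malware.quarantine is false in the endpoint policy.
    Assumed Fleet layout: inputs[].config.policy.value.windows.advanced; the value
    may be stored as a bool or as the string "false" (both are accepted here)."""
    for inp in package_policy.get("inputs", []):
        value = inp.get("config", {}).get("policy", {}).get("value", {})
        setting = value.get("windows", {}).get("advanced", {}).get("malware", {}).get("quarantine")
        if setting is False or str(setting).lower() == "false":
            return True
    return False


def triage(product, version, package_policy=None):
    """Return 'fixed', 'mitigated' (workaround applied) or 'vulnerable'."""
    affected = endgame_affected(version) if product == "endgame" else endpoint_affected(version)
    if not affected:
        return "fixed"
    if package_policy is not None and quarantine_disabled(package_policy):
        return "mitigated"
    return "vulnerable"


# Constructed sample: a Fleet endpoint package policy export with the workaround applied.
SAMPLE_POLICY = json.loads('{"name": "workstations", "inputs": [{"type": "endpoint", "config": '
                          '{"policy": {"value": {"windows": {"advanced": {"malware": {"quarantine": "false"}}}}}}}]}')

if __name__ == "__main__":
    for args in (("endpoint", "8.3.3"), ("endpoint", "8.3.3", SAMPLE_POLICY), ("endgame", "3.62.2")):
        print(args[:2], triage(*args))
```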
CVSSv3: 7.5 (High) - AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2022-38774