Elastic Endpoint Security Local Privilege Escalation issue (ESA-2022-14)
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Solutions and Mitigations:
The issue is fixed in version 8.4.1 of the Elastic Endpoint.
This feature is disabled by default, and can only be enabled through the
windows.advanced.alerts.rollback.self_healing.enabled advanced policy option, which is only available to Platinum and Enterprise users. If the feature is not enabled, no action is required. If the feature is enabled and you are unable to upgrade, please disable it by clearing the configuration field to restore its default-disabled behavior.
CVSSv3: 7.5 (High) - AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2022-38775