Advisory Details

October 5th, 2023

Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability

ZDI-23-1527
ZDI-CAN-22263

CVE ID
CVSS SCORE 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS PC Manager
VULNERABILITY DETAILS

This vulnerability allows remote attackers to bypass authentication on Microsoft PC Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the permissions granted to an SAS token. An attacker can leverage this vulnerability to launch a supply-chain attack and execute arbitrary code on customers' endpoints.

ADDITIONAL DETAILS Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://portal.msrc.microsoft.com/en-us/security-guidance/researcher-acknowledgments-online-services
DISCLOSURE TIMELINE
  • 2023-09-28 - Vulnerability reported to vendor
  • 2023-10-05 - Coordinated public release of advisory
CREDIT Nitesh Surana (@_niteshsurana) of Trend Micro Research
BACK TO ADVISORIES