Advisory Details

July 29th, 2024

(0Day) F-Secure Total Link Following Local Privilege Escalation Vulnerability

ZDI-24-1012
ZDI-CAN-23005

CVE ID: CVE-2024-7240
CVSS SCORE: 7.3, AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AFFECTED VENDORS: F-Secure
AFFECTED PRODUCTS: Total

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of F-Secure Total. User interaction on the part of an administrator is required to exploit this vulnerability.

The specific flaw exists within the WithSecure plugin hosting service. By creating a symbolic link, an attacker can abuse the service to create a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

ADDITIONAL DETAILS

02/22/24 – ZDI reported the vulnerability to F-Secure's security team.
06/19/24 – ZDI asked for updates.
07/26/24 – ZDI informed the vendor that, since we have not received a response, we will publish the case as a zero-day advisory on 07/29/24.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2024-02-22 - Vulnerability reported to vendor
  • 2024-07-29 - Coordinated public release of advisory
  • 2024-08-15 - Advisory Updated

CREDIT: Nicholas Zubrisky (@NZubrisky) and Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative