VIPRE Advanced Security SBAMSvc Local Privilege Escalation via Symbolic Link (CVE-2024-7238)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: (0Day) VIPRE Advanced Security SBAMSvc Link Following Local Privilege Escalation Vulnerability 2. CVE ID: CVE-2024-7238 3. CVSS Score: 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 4. Affected Vendor: VIPRE 5. Affected Product: Advanced Security 6. Vulnerability Details: - Allows local attackers to escalate privileges on affected VIPRE Advanced Security installations. - A specific flaw exists in the Anti-Malware Service. By creating a symbolic link, attackers can abuse the service to delete files. - Attackers can exploit this vulnerability to escalate privileges and execute arbitrary code in the SYSTEM context. 7. Additional Details: - On October 12, 2023, ZDI submitted the vulnerability to a third-party vulnerability disclosure program. - On October 18, 2023, the third-party program stated the issue was outside the scope of the program and closed the report. - On October 18, 2023, ZDI inquired about the reason. - On October 18, 2023, the vendor confirmed they were investigating the issue and confirmed the vulnerability was within the scope of the disclosure program. - On October 19, 2023, ZDI provided multiple commands, PoCs, and answers to help the third-party program reproduce the issue. - On January 31, 2023, the third-party program marked the report as "not applicable" and not eligible for reward. - On January 17, 2023, ZDI notified the vendor that the reward and bounty had never been accepted, and informed the vendor that the case would be released as a 0-day on July 29, 2024. - On July 26, 2024, ZDI notified the vendor again that the case would be released as a 0-day on July 29, 2024. 8. Mitigation: Due to the nature of the vulnerability, the only mitigation strategy is to restrict interaction with the application. 9. Disclosure Timeline: - October 12, 2023 – Vulnerability reported to the vendor. - July 29, 2024 – Coordinated public disclosure of the vulnerability advisory. - August 15, 2024 – Vulnerability advisory updated. 10. Credit: Nicholas Zubrisky and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Goal Reached Thanks to every supporter — we hit 100%!

VIPRE Advanced Security SBAMSvc Local Privilege Escalation via Symbolic Link (CVE-2024-7238)