CVE-2023-0652 - OpenCVE

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Cloudflare	Warp

Configuration 1 [-]

cpe:2.3:a:cloudflare:warp:*:*:*:*:*:windows:*:*

References

Link	Resource
https://developers.cloudflare.com/warp-client/get-started/windows/	Product
https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9	Vendor Advisory
https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release	Release Notes

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cloudflare

Published: 2023-04-06T09:42:33.513Z

Updated: 2023-04-06T09:48:14.685Z

Reserved: 2023-02-02T15:10:37.415Z

Link: CVE-2023-0652

JSON object: View

NVD Information

Status : Modified

Published: 2023-04-06T10:15:07.167

Modified: 2023-11-07T04:01:07.740

Link: CVE-2023-0652

JSON object: View

Redhat Information

No data.

CWE

CWE-59

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-0652", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-02-02T15:10:37.415Z", "datePublished": "2023-04-06T09:42:33.513Z", "dateUpdated": "2023-04-06T09:48:14.685Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["MSI"], "packageName": "WARP Installer", "platforms": ["Windows"], "product": "WARP", "vendor": "Cloudflare", "versions": [{"changes": [{"at": "2023.3.381.0", "status": "unaffected"}], "lessThanOrEqual": "2022.5.309.0", "status": "affected", "version": "0", "versionType": "N/A"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan-Luca Gruber"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h3><span style=\"background-color: var(--wht);\">Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.</span><br></h3><p>As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.<br></p>"}], "value": "Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.\nAs Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.\n\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-04-06T09:48:14.685Z"}, "references": [{"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"}, {"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"}, {"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9"}], "source": {"discovery": "EXTERNAL"}, "title": "Local Privilege Escalation in Cloudflare WARP Installer (Windows)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:warp:*:*:*:*:*:windows:*:*", "matchCriteriaId": "B8FB60C0-986F-4205-9EE1-05C745FEF2AB", "versionEndExcluding": "2023.3.381.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.\nAs Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.\n\n\n"}], "id": "CVE-2023-0652", "lastModified": "2023-11-07T04:01:07.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2023-04-06T10:15:07.167", "references": [{"source": "cna@cloudflare.com", "tags": ["Product"], "url": "https://developers.cloudflare.com/warp-client/get-started/windows/"}, {"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9"}, {"source": "cna@cloudflare.com", "tags": ["Release Notes"], "url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-59"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}