Fix these critical vulnerabilities in Zscaler Client Connector

A significant privilege escalation vulnerability has been discovered in the Zscaler Client Connector, stemming from the combination of three distinct vulnerabilities.

According to cybersecuritynews, this flaw allows an attacker to elevate their privileges from a standard user to the high-privileged NT AUTHORITY\SYSTEM account on Windows.

The vulnerabilities involved CVE-2023-41972,  (Reverting password check), CVE-2023-41973 (Arbitrary code execution) and CVE-2023-41969 (Arbitrary file deletion).

Despite these vulnerabilities being individually considered would be profiled as low-level, their combination poses a substantial threat. Zscaler has addressed these issues in the latest versions of their Client Connector software. 

Zscaler has published a set of vulnerabilities that impact Zscaler Client Connector (ZCC) on Windows and macOS operating systems. They have also provided instructions for reversing Zscaler Client Connector to the Previous Version.

This chain of vulnerabilities underscores the critical importance of comprehensive security measures in client-server architectures. Authentication and authorization checks must be thorough and inputs rigorously sanitized to prevent such exploitation. 

Here’s what you need to know.  

What is Zscaler?

Zscaler is a prominent company in the enterprise cloud security sector, recognized for its VPN and Zero Trust network solutions. The Zscaler Client Connector is a desktop client designed to interface with Zscaler’s network tunnels. 

The application is composed of two primary processes: ZSATray and ZSATrayManager. 

ZSATrayManager operates with high privileges (as NT AUTHORITY\SYSTEM) and is responsible for critical tasks such as network management and configuration enforcement. 

ZSATray serves as the .NET Framework-based user interface. 

 

Technical analysis summary

Researchers, including Winston Ho and a colleague known as Spaceraccoon, delved into Windows RPC caller validation and bypassed several checks, including Authenticode verification, to chain these vulnerabilities together. 

Zscaler client connector architecture 

Zscaler is a prominent company in the enterprise cloud security sector, recognized for its VPN and Zero Trust network solutions. The Zscaler Client Connector is a desktop client designed to interface with Zscaler’s network tunnels.  

The Zscaler Client Connector application includes two main processes: ZSATray and ZSATrayManager. 

• ZSATrayManager operates as a service with NT AUTHORITY\SYSTEM, handling high-privileged tasks like network management, configuration enforcement, and updates. 
• ZSATray is the user-facing frontend application built on the .NET Framework. 

These processes communicate via Microsoft Remote Procedure Call (RPC). For instance, when a user initiates a log dump, ZSATray sends an RPC request to ZSATrayManager using the sendZSATrayManagerCommand method from ZSATrayHelper.dll, with serialized input data. 

public bool dumpLogs(ZSATrayManagerConfigDumpLog configData) => 

this.sendZSATrayManagerCommandHelper(ZSCALER_APP_RPC_COMMAND.DUMP_LOGS, (object) configData) == 0; 

  

private int sendZSATrayManagerCommandHelper(ZSCALER_APP_RPC_COMMAND commandCode, object configData = null) 

{ 

ZSATrayManagerCommand structure = new ZSATrayManagerCommand(); 

structure.commandCode = (int) commandCode; 

if (configData != null) 

structure.configJson = JsonConvert.SerializeObject(configData); 

IntPtr num1 = Marshal.AllocCoTaskMem(Marshal.SizeOf((object) structure)); 

Marshal.StructureToPtr((object) structure, num1, false); 

int num2 = NativeMethods.sendZSATrayManagerCommand(num1); ZSALogger.zsaLog("sendZSATrayManagerCommandHelper retVal: " + num2.ToString()); Marshal.FreeCoTaskMem(num1) 

return num2; 

} 

Bypassing RPC validation 

Zscaler implemented validation checks for RPC connections in IfCallbackFn to ensure calls are made from trusted processes: 

• Process ID (PID) Validation: Ensures the caller’s PID matches a process signed by Zscaler. 
• Caller Process Validation: Ensures the caller is either a high-privileged SYSTEM process or ZSATray.exe. 

These validations rely on a cache using a Fowler-Noll-Vo hash function (FNV-1a). By repeatedly killing and restarting the ZSATray process, an attacker can create numerous allowed PIDs.

They can then brute force a cached PID to make arbitrary RPC connections that bypass the validation checks. 

Process injection

Another method to bypass these checks is by injecting code into the user-owned ZSATray.exe process. This approach, though complex due to ZSATray being a .NET assembly, allows arbitrary code execution. 

DLL Hijacking via ZSAService to achieve arbitrary code execution

While DLL hijacking is not often considered a vulnerability, it can still prove effective when combined in specific scenarios like the one in this case. The quite simple DLL hijacking is elevated to serve as a tool for privilege escalation following two conditions: 

1. A more privileged process than that of the attacker is executing the process being hijacked, allowing for a breach of security boundaries. 
2. No additional privileges are required to execute the attack due to The DLL hijack path being located in a low-privileged, attacker-writable directory. 

One of the vulnerabilities lies in the ZScaler Client Connector binaries, specifically ZSAService, susceptible to DLL hijacking due to its search path initiating from the current directory.

A potential target for hijacking is userenv.dll, presenting a direct and exploitable DLL hijacking scenario that can be utilized with various available DLL hijacking payload templates. 

“By compiling this as a DLL and placing the DLL (renamed to userenv.dll) in the same directory as ZSAService.exe, launching ZSAService.exe will cause the arbitrary commands in the malicious userenv.dll to be executed.” researchers Ho and Spaceraccoon said. 

“Thus, the final link in our chain was complete: 

1. Attacker brute forces cached PIDs to make RPC calls to ZSATrayManager. 
2. Attacker bypasses password protection for the PERFORM_APP_REVERT function. 
3. Attacker sends path traversal payload in previousInstallerName argument. 
4. ZSATrayManager executes DLL-hijacked ZSAService.exe that passes the Authenticode check. 
5. Hijack DLL causes the attacker’s commands to be executed as NT AUTHORITY\SYSTEM. 
6. Pwned! 

 

The attack exploitation chain CVE-2023-41972, CVE-2023-41973 and CVE-2023-41969

What is CVE-2023-41972? 

CVE-2023-41972 Is a Revert Password Check Incorrect Type Validation Vulnerability. After bypassing RPC validation, researchers explored RPC functions that could be exploited for privilege escalation.

The PERFORM_APP_REVERT function reverts Zscaler Client Connector to a previous version but fails to check if pwdType matches

PASSWORD_TYPE.ZCC_REVERT_PWD. 

The function also takes in previousInstallerName, pwdType, and password as parameters. Nevertheless, it will only proceed with execution if the correct password is supplied. 

Upon further examination, it was discovered that ZSATrayManager doesn’t verify whether pwdType matches PASSWORD_TYPE.ZCC_REVERT_PWD. This implies that the password verification function will accept any pwdType provided via the RPC. 

Therefore, it’s possible to bypass this function by setting pwdType in the RPC to SHOW_ADVANCED_SETTINGS. This oversight allows an attacker to bypass the password check by setting pwdType to an alternative value like SHOW_ADVANCED_SETTINGS.

case 90 : // PERFORM_APP_REVERT 

   v66 = sub_1400949C0(v294, (__int64)v371); 

   If ( (unsigned __int8)PasswordCheck(v67, pwdType, v66, 1) ) 

 
case 6u: 
sub_14025D9B0(a1); 
  LOBYTE(isCorrectPassword) = 0; 
  if ( passwordConfigured ) 
  { 
    ... 
  } 
  else 
  { 
    v8::internal::wasm::ErrorThrower::CompileError( 
    (v8::internal::wasm::ErrorThrower *)&LogHandle, 
    "Skip password check --- ZAD is not enabled"); // Password check passes since isCorrectPassword is still 0 
  } 

What is CVE-2023-41973?

CVE-2023-41973 is a Lack of Input Sanitization due to the PERFORM_APP_REVERT function which also accepts previousInstallerName, appended to C:\Program Files\ZScaler\RevertZcc. An attacker can use a path traversal string to execute their payload: 

if CertCompareIntegerBlob(&v19, (PCRYPT_INTEGER_BLOB)(v6 + 24)) ) 

{ 

initString(v28, "92c1588e85af2201ce7915e8538b492f605b80c6", 0x28ui64); 

initString(v26, "83fe2a3586d483fd75c0b0abdb89697a56ad0b41", 0x28ui64); 

if ( (unsigned __int8)validateSignerAndIssuerThumbprints(v26, v28, a2) ) 

        { 

LogInfo(&LogHandle, 1i64, "Signer matches Zscaler SHA2 02/28/2018”); 

         } 

} 

What is CVE-2023-41969?

CVE-2023-41969 is an arbitrary file deletion vulnerability discovered by researcher Winston Ho’s, which in his research identified its existence in ZSATrayManager, further contributing to the privilege escalation chain.

 

Has the vulnerability been exploited the wild? 

According to its advisory, Zscaler has not observed any malicious exploitation attempts for these vulnerabilities at this time. 

 

How to fix the vulnerabilities

The most current versions for ZCC for Windows and macOS are as follows: 

• Windows v4.3.0.190 (released on March 21, 2024)  
• Windows v4.4.0.276 (released on March 18, 2024 – Limited Availability)  
• macOS is v4.2.0.262 (released on March 08, 2024)  

The affected versions include ZCC for macOS and ZCC for Windows only. The following ZCC operating systems are NOT affected: Android, Chrome OS, iOS, & Linux. 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. 2023 Vulnerability watch reports 
2. The MITRE ATT&CK framework: Getting started
3. The true impact of exploitable vulnerabilities for 2024
4. Multi-cloud security challenges – a best practice guide
5. How to properly tackle zero-day threats