CVE-2023-0652 - OpenCVE

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudflare	Warp

Configuration 1 [-]

cpe:2.3:a:cloudflare:warp:*:*:*:*:*:windows:*:*

No data.

References

Link	Providers
https://developers.cloudflare.com/warp-client/get-started/windows/
https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9
https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release

History

No history.

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2023-04-06T09:42:33.513Z

Updated: 2024-08-02T05:17:50.356Z

Reserved: 2023-02-02T15:10:37.415Z

Link: CVE-2023-0652

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-04-06T10:15:07.167

Modified: 2023-11-07T04:01:07.740

Link: CVE-2023-0652

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0652", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-02-02T15:10:37.415Z", "datePublished": "2023-04-06T09:42:33.513Z", "dateUpdated": "2024-08-02T05:17:50.356Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["MSI"], "packageName": "WARP Installer", "platforms": ["Windows"], "product": "WARP", "vendor": "Cloudflare", "versions": [{"changes": [{"at": "2023.3.381.0", "status": "unaffected"}], "lessThanOrEqual": "2022.5.309.0", "status": "affected", "version": "0", "versionType": "N/A"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan-Luca Gruber"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h3><span style=\"background-color: var(--wht);\">Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.</span><br></h3><p>As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.<br></p>"}], "value": "Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.\nAs Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.\n\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-04-06T09:48:14.685Z"}, "references": [{"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"}, {"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"}, {"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9"}], "source": {"discovery": "EXTERNAL"}, "title": "Local Privilege Escalation in Cloudflare WARP Installer (Windows)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:17:50.356Z"}, "title": "CVE Program Container", "references": [{"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release", "tags": ["x_transferred"]}, {"url": "https://developers.cloudflare.com/warp-client/get-started/windows/", "tags": ["x_transferred"]}, {"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:warp:*:*:*:*:*:windows:*:*", "matchCriteriaId": "B8FB60C0-986F-4205-9EE1-05C745FEF2AB", "versionEndExcluding": "2023.3.381.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.\nAs Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.\n\n\n"}], "id": "CVE-2023-0652", "lastModified": "2023-11-07T04:01:07.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2023-04-06T10:15:07.167", "references": [{"source": "cna@cloudflare.com", "tags": ["Product"], "url": "https://developers.cloudflare.com/warp-client/get-started/windows/"}, {"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9"}, {"source": "cna@cloudflare.com", "tags": ["Release Notes"], "url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-59"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}