CVE-2021-41526: Privilege escalation vulnerability during MSI repair – for the MSI built with InstallScript custom action
Summary:
A vulnerability has been reported in Windows Installer (MSI) packages built with an InstallScript custom action. This vulnerability may allow privilege escalation when a ‘repair’ is invoked on an MSI that has an InstallScript custom action.
Description:
During MSI repair, InstallScript custom actions, if configured in the project, are run by extracting the InstallScript engine files to a unique folder in the user’s TEMP directory and then executing them.
The InstallScript engine files include an executable named ISBEW64.EXE, which is run during InstallScript code execution. So, during MSI repair, a low-privilege user can invoke the operation and attain privilege escalation to “NT Authority/SYSTEM” by replacing ISBEW64.EXE in the TEMP folder with a malicious one.
Earlier this year, Microsoft released a patch for the Windows Installer Elevation of Privilege vulnerability (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1661). It is advised to apply this patch.
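One way to hunt for the condition described above in process-creation telemetry, as an added example that is not Revenera's code: it flags ISBEW64.EXE running as SYSTEM from a per-user TEMP folder. The Sysmon-style field names, the default profile path layout and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath
import re

# Assumption: per-user TEMP under the default Windows profile layout.
USER_TEMP = re.compile(r"^[a-z]:\\users\\([^\\]+)\\appdata\\local\\temp\\", re.I)
ENGINE_EXE = "isbew64.exe"              # engine executable named in the advisory
SYSTEM_USER = "nt authority\\system"

# Constructed sample events, one JSON object per line (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = r'''
{"UtcTime":"2021-10-01 09:14:02","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\{A1B2C3D4-0000-0000-0000-000000000001}\\ISBEW64.EXE","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\msiexec.exe"}
{"UtcTime":"2021-10-01 09:20:40","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\{A1B2C3D4-0000-0000-0000-000000000002}\\ISBEW64.EXE","User":"CORP\\alice","ParentImage":"C:\\Windows\\System32\\msiexec.exe"}
{"UtcTime":"2021-10-01 09:31:15","Image":"C:\\Windows\\Temp\\{A1B2C3D4-0000-0000-0000-000000000003}\\ISBEW64.EXE","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\msiexec.exe"}
{"UtcTime":"2021-10-01 09:45:57","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\msiexec.exe"}
'''


def find_exposed_engine_runs(lines):
    """Return events where ISBEW64.EXE ran as SYSTEM from a per-user TEMP folder."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        image = event.get("Image", "")
        match = USER_TEMP.match(image)
        if not match:
            continue                      # not under a per-user profile TEMP
        if ntpath.basename(image).lower() != ENGINE_EXE:
            continue                      # some other binary
        if event.get("User", "").lower() != SYSTEM_USER:
            continue                      # no elevation involved
        hits.append({
            "time": event.get("UtcTime"),
            "profile": match.group(1),
            "image": image,
            "parent": event.get("ParentImage", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_exposed_engine_runs(SAMPLE_EVENTS.splitlines()):
        print(f'{hit["time"]}  SYSTEM ran {hit["image"]} (parent: {hit["parent"]})')
```

A hit identifies a host and package where the engine still runs elevated from a location the profile owner can write to, which is a candidate for the fix or workarounds below.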
Resolution:
Privilege escalation during InstallScript custom action execution in MSI repair has been fixed in the InstallShield 2021 R2 release. You can download the release from your Product and License Center (PLC). Note: You must have a community login with PLC access to download this fix.
A hotfix is available for InstallShield 2020 R3 SP1 and InstallShield 2019 R3. You can download the hotfix here: InstallShield MSI Repair-Privilege Escalation Hotfix
Workaround:
1. Disable the repair option while building the MSI package.
2. Remove InstallScript custom actions or move to another type of custom action.
Additional Information:
Thank you to Ronnie Salomonsen (Mandiant) for helping identify this vulnerability and disclosing it to Revenera under a responsible disclosure process.