
CVE-2024-3310: Privilege Escalation Vulnerability During MSI Repair

Summary

A vulnerability has been reported in Basic MSI and InstallScript MSI (64-bit) setups that are configured with the options below:

  1. The project has Folder and Registry Permissions configured with the 'Locked-Down Permissions' option set to 'Custom InstallShield handling'
  2. The Self-register option is configured with 'InstallShield Self-Registration table (ISSelfReg)'

Note: All supported versions (InstallShield 2023 R2, InstallShield 2022 R2 and InstallShield 2021 R2) are affected by this issue. 

This article provides details about this potential vulnerability and the remediation steps available. 

Description

There is a known issue with Windows Installer repair that allows a standard user to run MSI repair operations (performed by deferred custom actions) in the NT AUTHORITY\SYSTEM context without requiring administrator credentials. This behavior of MSI repair can present a security risk if the file operations performed by the deferred custom actions are not properly protected from standard user access.

If the custom handling option is configured, InstallShield extracts an executable named ISBEW64.exe to the writable TEMP folder, where it is used to perform additional tasks such as setting file and registry permissions and self-registering COM servers. Extracting an executable to a writable folder, combined with the MSI repair behavior described above, could lead to a local privilege escalation if ISBEW64.exe is replaced with a malicious one.

Workaround

The following workaround options are available to remediate this issue: 

  1. Set 'Locked-Down Permissions' option to 'Traditional Windows Installer handling' or,
  2. Choose 'Windows Installer Self-Registration table (SelfReg)' option

Click the links above for more information about each option.
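
To find packages that may need one of these workarounds, the following PowerShell script (an added example, not Revenera tooling) opens each .msi under a folder through the Windows Installer automation interface and reports those with rows in the InstallShield custom-handling tables. The table name ISSelfReg comes from this article; ISLockPermissions and the default scan folder (the local Windows Installer package cache) are assumptions, and a hit marks a package to review rather than confirmed exposure.

```powershell
# Added example: report MSI packages with rows in InstallShield's custom-handling tables.
# ISSelfReg is named in the advisory; ISLockPermissions is an assumption (the table
# InstallShield documents for 'Custom InstallShield handling' of permissions).
param(
    [string]$Root = "$env:SystemRoot\Installer"   # assumption: scan the local package cache
)

$TablesOfInterest = 'ISSelfReg', 'ISLockPermissions'

function Invoke-Com($Object, [string]$Name, $Arguments = $null) {
    # Late-bound method call on a Windows Installer automation object.
    $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $Arguments)
}

function Get-MsiRowCount($Database, [string]$Table) {
    # Number of rows in $Table; 0 when the table is absent (OpenView throws).
    try {
        $view = Invoke-Com $Database 'OpenView' @('SELECT * FROM `{0}`' -f $Table)
        Invoke-Com $view 'Execute' | Out-Null
        $count = 0
        while ($null -ne (Invoke-Com $view 'Fetch')) { $count++ }
        Invoke-Com $view 'Close' | Out-Null
        return $count
    } catch {
        return 0
    }
}

$installer = New-Object -ComObject WindowsInstaller.Installer

Get-ChildItem -Path $Root -Filter *.msi -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $msi = $_
    try {
        $db = Invoke-Com $installer 'OpenDatabase' @($msi.FullName, 0)   # 0 = read-only
    } catch {
        return   # unreadable file or not an MSI database; skip it
    }
    $hits = foreach ($table in $TablesOfInterest) {
        $rows = Get-MsiRowCount $db $table
        if ($rows -gt 0) { "$table=$rows" }
    }
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    if ($hits) {
        [pscustomobject]@{ Package = $msi.FullName; PopulatedTables = $hits -join ', ' }
    }
}
```

Pass `-Root` to point the scan at a build output or software distribution share instead of the local cache.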

Fix Version and Resolution

A hotfix for InstallShield 2023 R2 is available for download here: InstallShield MSI Repair-Privilege Escalation using Custom Handling Hotfix

Additional Information

Thank you to Kravets Vasiliy for identifying this issue and disclosing it to Revenera.

Last update: Apr 10, 2024 01:03 PM