MSI Installer Vulnerability Let Attackers Escalate Privileges with Windows Systems

A critical local privilege escalation vulnerability has been discovered in MSI Center versions 2.0.36.0 and earlier, allowing low-privileged users to escalate their privileges on Windows systems.

This security flaw, tracked as CVE-2024-37726, stems from insecure file operations performed by the MSI Center application running with NT AUTHORITY\SYSTEM privileges.

EHA

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

The vulnerability can be exploited through the following steps:

  1. A low-privileged user creates a directory and sets an OpLock on a file within it.
  2. The “Export System Info” function in MSI Center is used to trigger a file write operation on the OpLocked file.
  3. While the OpLock is in place, the user moves the original file and creates a junction to a target file.
  4. This allows the MSI Center application to overwrite or delete the target file with SYSTEM privileges.
privilege Escalated

Security researcher carsonchan12345 said that manipulating this process can allow an attacker to overwrite or delete critical system files, leading to a full system compromise.

The impact of this vulnerability is significant:

  • Attackers can arbitrarily overwrite or delete high-privileged and critical files on the system.
  • It’s possible to create and install programs without admin rights in locations accessible to low-privilege users.
  • Malicious payloads can be placed in startup locations, triggering when an administrator logs in.

MSI has addressed this vulnerability in version 2.0.38.0 of MSI Center, released on July 3, 2024. Users are strongly advised to update to this latest version to mitigate the risk.

This incident highlights the importance of proper file system access controls and the potential dangers of applications running with elevated privileges.

Organizations and individual users should prioritize updating affected systems and conduct thorough security audits to identify and address similar vulnerabilities.

How to Verify MSI Center Version

To verify if your MSI Center version is affected by this vulnerability, you should check the version number of your installed MSI Center application. The vulnerability affects MSI Center versions 2.0.36.0 and earlier. Here are the steps to check your version:

  1. Open MSI Center on your Windows system.
  2. Look for an “About” or “Information” section within the application, which typically displays the version number.
  3. If you can’t find the version number in the application interface, you can check it through Windows:
    • Open File Explorer
    • Navigate to the MSI Center installation folder (typically in Program Files)
    • Right-click on the main MSI Center executable file
    • Select “Properties”
    • Go to the “Details” tab
    • Look for the “Product version” field

If your MSI Center version is 2.0.36.0 or earlier, your system is potentially vulnerable. The vulnerability has been fixed in version 2.0.38.0, released on July 3, 2024. To ensure your system’s security:

  1. Update MSI Center to the latest version (2.0.38.0 or later) if available.
  2. If an update is not yet available, consider temporarily uninstalling or disabling MSI Center until an update is released.
  3. Monitor MSI’s official website or support channels for security advisories and updates.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.