CVE-2022-35415 An input validation in NI SysConfigMgr prior to 22.5 may allow a privileged user to enable escalation of privilege via local access.

When configuring a task sequence to install Windows, an administrator may inadvertently allow local access to an application that is installed from a local source. An attacker may exploit this configuration to elevate privilege on the system. In the case of System Center Configuration Manager (ConfigMgr), the application that can be installed locally is Windows. As such, this issue may allow an attacker to install another operating system such as Linux or macOS and then potentially install a malicious application that may aid in privilege escalation. To be vulnerable to this issue, System Center Configuration Manager must be configured to install Windows from a remote location. In other words, ConfigMgr must be configured to not install Windows from a local source.

Windows: The Basics

ConfigMgr is a Windows-based system. As such, it installs applications such as Windows and Office from a local source due to default configuration settings. This issue may allow an attacker to install another operating system such as Linux or macOS and then potentially install a malicious application that may aid in privilege escalation.
In order to be vulnerable to this issue, ConfigMgr must be configured to not install Windows from a local source.

Microsoft Windows - CVE-2023-35416

Microsoft released a security bulletin to address a vulnerability in the Microsoft Windows operating system. The vulnerability is caused when an administrator configures a task sequence to install Windows from a local source, which can allow local users to execute arbitrary code on the system.
The vulnerability exists because of how System Center Configuration Manager interacts with Microsoft Windows and this configuration may allow local users to exploit it. To be vulnerable to this issue, System Center Configuration Manager must be configured to not install Windows from a local source.

Vulnerability

On System Center Configuration Manager-based systems, an administrator may inadvertently allow local access to an application that is installed from a local source. An attacker who can install a malicious application on the system and then elevate their privilege through this vulnerability may be able to compromise the system.
Since this vulnerability allows for a malicious application to gain elevated privilege, it could potentially be exploited by an attacker who then installs Linux or macOS. Since the malicious application has been installed with elevated privilege, it may then install a file that provides support for additional privilege escalation.

Steps to remediate CVE-2022-35415

1. In the ConfigMgr console, navigate to Administration > System Center Configuration Manager > Task Sequences.
2. Right-click on the task sequence and edit its properties
3. Ensure that "Install Windows" is unchecked and choose Apply.

Common Vulnerabilities and Exposures

CVE-2022-35415 is a vulnerability that allows an attacker to install another operating system such as Linux or macOS and then potentially install a malicious application that may aid in privilege escalation.

Timeline

Published on: 09/16/2022 03:15:00 UTC
Last modified on: 09/17/2022 02:36:00 UTC

References

• https://ni.com
• https://www.ni.com/en-us/support/documentation/supplemental/22/privilege-escalation-in-ni-configuration-manager-.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35415