A serious security flaw, identified as CVE-2023-5964, has been uncovered in the 1E End-User Interaction product pack, specifically within the 1E-Exchange-DisplayMessage instruction available on the 1E Exchange. If left unpatched, this vulnerability allows attackers to run arbitrary code as SYSTEM on Windows clients, potentially compromising the entire machine.

In this article, we’ll explain how this vulnerability works using simple language, walk you through an example, share how attackers might exploit it, and finally show you how to fix the issue. All of this is based on public details but presented here for easy understanding.

What Is 1E-Exchange-DisplayMessage?

1E is a popular endpoint automation platform, and the End-User Interaction product pack lets IT admins present messages or dialogs to users. The vulnerable instruction, "Show dialogue with caption %Caption% and message %Message%", takes its input from the Caption and Message parameters and shows a dialog box on the user's computer.

How Does CVE-2023-5964 Work?

The DisplayMessage instruction does not validate the "Caption" or "Message" parameters properly. If an attacker can supply these values (for example, by tricking IT admins into running a compromised script, or by gaining some access to the admin panel), they can inject commands that the Windows command interpreter then executes.

Impact: If exploited, attackers can run any code they want with SYSTEM privileges, which is the highest level of access on Windows.

Let’s break down the process

1. Attacker creates a special string: Instead of a normal caption or message, the attacker supplies a value that carries a command injection.
2. Instruction processes input: The vulnerable instruction runs and passes the unvalidated input to the Windows command interpreter, which executes it as SYSTEM.

Suppose the instruction is called like this (pseudo code):

Invoke-1EInstruction -Name "1E-Exchange-DisplayMessage" -Parameters @{
    Caption = "Hello"
    Message = "Please click OK"
}

But an attacker could supply this:

Invoke-1EInstruction -Name "1E-Exchange-DisplayMessage" -Parameters @{
    Caption = 'Hello& whoami > C:\hacked.txt &'
    Message = 'You have been hacked'
}

If your deployment engine doesn't sanitize input, the "&" characters make cmd.exe treat whoami > C:\hacked.txt as a separate command, so it runs as SYSTEM and writes the current user name to a file. This is a simple example, but actual attacks could drop malware, add users, or open a remote shell.
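To make the mechanism concrete, here is an added example (not code from 1E or from the article's pseudo code) that models the bug class in Python: Caption and Message values are pasted unquoted into a command line, a simplified cmd.exe-style splitter shows the injected text becoming its own command, and a validator plus argument-vector invocation shows the hardened form. The program name "show_dialog.exe" and its /caption: and /message: switches are hypothetical; nothing is executed.

```python
"""Added example (not from the 1E advisory or the article's pseudo code).

Models the class of bug described above: Caption and Message values pasted
unquoted into a cmd.exe command line, and the validation that stops it.
"show_dialog.exe" and its /caption: /message: switches are hypothetical.
"""
import re

# Characters cmd.exe interprets outside double quotes (command separators,
# redirection, the ^ escape and %VAR% expansion).
CMD_METACHARS = set("&|<>^%\r\n")

# Allowlist for a human-readable dialog string: word characters, spaces and
# a small set of ordinary punctuation. Anything else is rejected outright.
PARAM_ALLOWLIST = re.compile(r"[\w .,!?:;'()\-]{1,256}")


def build_cmd_line(caption: str, message: str) -> str:
    """Vulnerable pattern: raw parameter text interpolated into a shell line."""
    return f"show_dialog.exe /caption:{caption} /message:{message}"


def split_cmd_commands(line: str) -> list[str]:
    """Simplified model of how cmd.exe splits a line on an unquoted '&'.

    Returns the separate commands the interpreter would run in sequence.
    (Real cmd.exe also honours &&, ||, | and ^ escapes; '&' alone is enough
    to show the injection.)
    """
    commands, buf, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "&" and not in_quotes:
            commands.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    commands.append("".join(buf).strip())
    return [c for c in commands if c]


def validate_param(name: str, value: str) -> str:
    """Reject a Caption/Message value that could alter the command line."""
    if not isinstance(value, str):
        raise ValueError(f"{name}: must be a string")
    if not PARAM_ALLOWLIST.fullmatch(value):
        bad = sorted(ch for ch in set(value) if not PARAM_ALLOWLIST.fullmatch(ch))
        raise ValueError(f"{name}: rejected characters {bad!r}")
    return value


def safe_display_args(caption: str, message: str) -> list[str]:
    """Hardened form: validate first, then hand the values to the process as
    separate arguments (subprocess.run(args) with no shell), so no command
    interpreter ever parses them. The list is built but not executed here."""
    return [
        "show_dialog.exe",
        f"/caption:{validate_param('Caption', caption)}",
        f"/message:{validate_param('Message', message)}",
    ]


if __name__ == "__main__":
    benign = build_cmd_line("Hello", "Please click OK")
    hostile = build_cmd_line(r"Hello& whoami > C:\hacked.txt &", "You have been hacked")
    print("benign   ->", split_cmd_commands(benign))
    print("hostile  ->", split_cmd_commands(hostile))
    print("hardened ->", safe_display_args("Hello", "Please click OK"))
    try:
        safe_display_args(r"Hello& whoami > C:\hacked.txt &", "You have been hacked")
    except ValueError as exc:
        print("rejected:", exc)
```

The splitter is deliberately minimal: its only job is to show that the article's caption turns one command into three, with whoami > C:\hacked.txt in the middle. The fix has two parts, and both matter: an allowlist that rejects the value before it goes anywhere, and an invocation that never hands the value to a shell in the first place.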

Where to Find More Information

- 1E’s official Security Advisory (PDF)
- NVD entry for CVE-2023-5964
- 1E Exchange Documentation

Use this one instead.

Why is the new instruction safe?
1E fixed the input validation in the replacement instruction, so parameter values can no longer be used to inject commands or execute arbitrary code.

Summary

CVE-2023-5964 is a critical vulnerability in 1E’s End-User Interaction instructions for Windows. If you use the old “DisplayMessage” instruction, your systems are at risk of SYSTEM-level compromise through arbitrary payload execution.

Action:

Update your packs and workflows to use the new, safe notification instruction.

If you want to check if you’re affected, look through your current instructions and automation flows in 1E. If you find the vulnerable DisplayMessage instruction, follow the steps above ASAP.
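One way to do that check across many workflows, as an added example rather than 1E's own tooling: export your automation flows, then scan the export for any step that still calls 1E-Exchange-DisplayMessage, and raise the severity where a stored parameter value already contains cmd.exe syntax. The JSON shape used here is constructed for the example and will need adapting to your real export; only the instruction name comes from the advisory, and "Example-UnrelatedInstruction" is a placeholder.

```python
"""Added example (not 1E's tooling or export format): inventory check for the
vulnerable instruction in exported automation flows.

The export shape below is constructed for this example; adapt the field names
to whatever your 1E export actually looks like. Only the instruction name
"1E-Exchange-DisplayMessage" comes from the advisory.
"""
import json

VULNERABLE_INSTRUCTION = "1E-Exchange-DisplayMessage"
# Characters cmd.exe interprets outside double quotes.
CMD_METACHARS = set("&|<>^%\r\n")

# Constructed sample export: two workflows still use the old instruction,
# one of them with a parameter value that already carries shell syntax.
# "Example-UnrelatedInstruction" is a placeholder, not a real 1E instruction.
SAMPLE_EXPORT = json.dumps([
    {"workflow": "Patch reminder", "steps": [
        {"instruction": VULNERABLE_INSTRUCTION,
         "parameters": {"Caption": "Updates", "Message": "Please reboot tonight"}}]},
    {"workflow": "Ops test", "steps": [
        {"instruction": VULNERABLE_INSTRUCTION,
         "parameters": {"Caption": "Hello& whoami > C:\\hacked.txt &",
                        "Message": "You have been hacked"}}]},
    {"workflow": "Disk cleanup", "steps": [
        {"instruction": "Example-UnrelatedInstruction", "parameters": {}}]},
])


def suspicious_parameters(parameters: dict) -> dict:
    """Return the parameters whose values contain cmd.exe metacharacters."""
    return {k: v for k, v in parameters.items() if set(str(v)) & CMD_METACHARS}


def audit_export(export_json: str) -> list[dict]:
    """Flag every step that still calls the vulnerable instruction.

    Severity is 'high' when a parameter value already contains shell syntax
    (possible tampering or a leftover test payload) and 'medium' otherwise:
    the instruction itself is the risk and should be replaced either way.
    """
    findings = []
    for workflow in json.loads(export_json):
        for index, step in enumerate(workflow.get("steps", []), start=1):
            if step.get("instruction") != VULNERABLE_INSTRUCTION:
                continue
            suspect = suspicious_parameters(step.get("parameters", {}))
            findings.append({
                "workflow": workflow.get("workflow", "<unnamed>"),
                "step": index,
                "severity": "high" if suspect else "medium",
                "suspicious_parameters": suspect,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(json.dumps(finding))
```

Every finding is a workflow to migrate to the replacement instruction; the "high" ones are also worth a look at who last edited the workflow and when, since a stored Caption or Message containing "&" or ">" has no legitimate reason to be there.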

References

- 1E Official Security Advisory (PDF)
- NVD: CVE-2023-5964
- 1E Product Documentation


*Written exclusively for learning purposes — always use security knowledge responsibly.*

Timeline

Published on: 11/06/2023 13:15:10 UTC
Last modified on: 11/21/2023 18:15:09 UTC