PT-2023-5216 · N-Able · N-Able Take Control Agent
Andrew Oliveau · Published 2023-02-27 · Updated 2023-09-14
CVE-2023-27470
CVSS v3.1: 7.0 (High)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
N-able Take Control Agent versions 7.0.41.1141 through 7.0.42
Description
The issue is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the BASupSrvcUpdater.exe service, which can be exploited via a pseudo-symlink placed under %PROGRAMDATA%\GetSupportService N-Central\PushUpdates. This can lead to arbitrary file deletion. The vulnerability may allow an attacker to read, modify, or delete files.
Recommendations
For versions 7.0.41.1141 through 7.0.42, update to version 7.0.43 or later to resolve the issue.
As a temporary workaround, consider restricting access to the %PROGRAMDATA%\GetSupportService N-Central\PushUpdates directory to minimize the risk of exploitation.
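One way to apply and verify the workaround above, as an added example that is not part of this advisory and not N-able's own tooling: the script replaces the permissive inherited %PROGRAMDATA% entries on the PushUpdates directory with explicit full-control entries for SYSTEM and Administrators, then lists any remaining ACE that would still let a non-administrative principal write, create, or delete there. It assumes the directory path named in this advisory, that the agent service runs as SYSTEM (so it keeps access), and an elevated PowerShell session; the function names are the example's own.

```powershell
# Added example (not from the advisory or from N-able). Restrict the PushUpdates
# directory to SYSTEM and Administrators, then audit the resulting ACL.
# Assumptions: path as named in PT-2023-5216; the agent runs as SYSTEM; run elevated.

$PushUpdates = Join-Path $env:ProgramData 'GetSupportService N-Central\PushUpdates'

function Protect-PushUpdatesDirectory {
    param([string]$Path = $PushUpdates)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path (install layout or agent version may differ)"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the %PROGRAMDATA% ACEs (which let ordinary users create
    # files and subfolders) and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-PushUpdatesDirectory {
    # Returns the Allow ACEs that still grant write/create/delete rights to a
    # principal other than SYSTEM or Administrators; no output means the
    # workaround holds.
    param([string]$Path = $PushUpdates)

    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
    $trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        }
}

Protect-PushUpdatesDirectory
$leftover = Test-PushUpdatesDirectory
if ($leftover) {
    $leftover | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    'PushUpdates directory is restricted to SYSTEM and Administrators.'
}
```

Re-run Test-PushUpdatesDirectory after the agent updates itself, since a reinstall or upgrade may recreate the directory with inherited permissions; the permanent fix remains updating to 7.0.43 or later.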
Exploit
Fix
Race Condition
Time Of Check To Time Of Use
Related Identifiers
Affected Products
N-Able Take Control Agent