PT-2024-36062 · Kolide · Kolide Agent

Bryan Alexander · Published 2024-12-03 · Updated 2024-12-11 · CVE-2024-54131

CVSS v4.0: 7.3 (High)

Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Kolide Agent versions 1.5.3 through 1.12.2
Description: An implementation bug in the Kolide Agent allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced when the launcher started storing upgraded binaries in the ProgramData directory, resulting in incorrect default permissions. A malicious actor with access to the local Windows device can place an arbitrary DLL into the osqueryd process's search path, which may be executed when osqueryd performs a WMI query, allowing the attacker to escalate their privileges to SYSTEM.
Recommendations: For versions 1.5.3 through 1.12.2, update to version 1.12.3 to resolve the issue. As a temporary workaround, consider restricting access to the ProgramData directory to minimize the risk of exploitation. Avoid using the osqueryd process until the issue is resolved. Restrict the use of the launcher package until the update to version 1.12.3 is applied.
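
To check whether the permission problem described above is present on a host, or to confirm the workaround took effect, the following added example (not code from the advisory or from Kolide) lists directories where a non-administrative principal can create or replace files. The directory is passed as a parameter because the advisory does not name the exact path, and the set of trusted SIDs is an assumption to adapt to local policy.

```powershell
# Added example: report directories under -Path where a principal other than
# SYSTEM, Administrators or TrustedInstaller holds rights that allow creating
# or replacing files (the precondition for planting a DLL in a search path).
param(
    [Parameter(Mandatory)]
    [string]$Path   # caller-supplied, e.g. the agent's directory under ProgramData
)

# Well-known SIDs treated as trusted writers (assumption; adjust as needed).
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# WriteData/CreateFiles (0x2), AppendData (0x4), DeleteSubdirectoriesAndFiles (0x40),
# Delete (0x10000), ChangePermissions (0x40000), TakeOwnership (0x80000),
# plus raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which
# Get-Acl can return unmapped on some ACEs.
$WriteMask = 0x500D0046

$dirs = @(Get-Item -LiteralPath $Path -Force) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($dir in $dirs) {
    $acl   = Get-Acl -LiteralPath $dir.FullName
    # Ask for SIDs rather than account names so the check is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this directory itself; the child
        # directories they apply to are evaluated on their own iteration.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $sid = $rule.IdentityReference.Value
        if ($TrustedSids -contains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }

        # Resolve the SID for readability; keep the raw SID if it does not resolve.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Directory = $dir.FullName
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}
```

No output means no directory in the tree grants those rights to an untrusted principal; the script inspects directory ACLs only, not the ACLs of individual files.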

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2024-54131
GHSA-66Q9-2RVX-QFJ5
GO-2024-3308
OPENSUSE-SU-2024:14567-1

Affected Products

Kolide Agent
Windows 10
Windows 11