CVE-2023-0975 Overview
A local privilege escalation vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier. During the install/upgrade workflow, local users can replace one of the Agent's executables before it can be executed. This race condition allows an attacker to elevate their permissions on the affected system, potentially gaining administrative or SYSTEM-level access.
Critical Impact
Local users can exploit the installation/upgrade process to achieve privilege escalation by replacing agent executables, potentially compromising the entire endpoint security infrastructure.
Affected Products
- Trellix Agent for Windows version 5.7.8 and earlier
- Microsoft Windows (all supported versions running affected Trellix Agent)
Discovery Timeline
- 2023-04-03 - CVE-2023-0975 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-0975
Vulnerability Analysis
This vulnerability is classified under CWE-281 (Improper Preservation of Permissions), which indicates that the Trellix Agent installer fails to properly maintain secure file permissions during the installation or upgrade workflow. The flaw creates a Time-of-Check Time-of-Use (TOCTOU) race condition window where an attacker can substitute a legitimate agent executable with a malicious one before the installer executes it with elevated privileges.
The attack requires local access to the target system, and the vulnerable window only opens while an install or upgrade is actually running, so the attacker must either trigger one or wait for a scheduled one (this is the user-interaction component). Once a replaced executable is in the installation path, it is executed with the privileges of the Trellix Agent service, typically SYSTEM.
Root Cause
The root cause of this vulnerability lies in improper permission handling during the Trellix Agent installation and upgrade workflow. The installer does not adequately protect the directory or executable files during the installation process, allowing a race condition where local users can modify or replace executables between the time they are written and when they are executed.
This type of vulnerability typically occurs when:
- Installation directories are created with overly permissive ACLs
- Executable files are written before proper permissions are applied
- The installation process lacks atomic operations or integrity verification
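Added example, not Trellix's own code or tooling: a PowerShell audit of the steady-state NTFS ACLs on the agent install tree for the first condition above, write-class rights held by principals other than SYSTEM and Administrators. The path is the one this page names; the trusted-principal list and the function name are assumptions to adjust for your estate.

```powershell
# Added example (not Trellix code). Flags ACEs under the agent directory that let a
# non-privileged principal create, replace, delete or re-ACL files.
$AgentPath = 'C:\Program Files\Trellix\Agent'

# Principals expected to hold write rights on a protected install directory (assumption).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights is enough to substitute an executable before it is run.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'

function Get-WeakAgentAces {
    param(
        [string]$Path = $AgentPath,
        [string[]]$Trusted = $TrustedPrincipals
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }

    # Audit the root and every subdirectory; file ACLs are normally inherited from these.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Trusted -contains $who) { continue }
            # Generic access masks show up as negative ints; cast so -band works on both.
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: list offending ACEs and warn if any exist (e.g. Users, Authenticated Users, CREATOR OWNER).
$weak = @(Get-WeakAgentAces)
$weak | Format-Table -AutoSize
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) ACE(s) grant write-class rights to untrusted principals under $AgentPath"
}
```

This is a point-in-time check: it verifies that the directory is locked down between upgrades (the NTFS workaround below) and catches misconfigured deployments, but it cannot observe the transient window inside the installer's own run, which only the vendor fix closes.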
Attack Vector
The attack vector for CVE-2023-0975 is local, requiring an attacker to have existing access to the target Windows system. The exploitation scenario involves:
- The attacker monitors for Trellix Agent installation or upgrade operations
- During the vulnerable window, the attacker replaces a legitimate Trellix Agent executable with a malicious payload
- When the installer executes the replaced file with elevated privileges, the attacker's code runs with those same privileges
- The attacker gains escalated permissions, potentially achieving SYSTEM-level access
This vulnerability does not require authentication beyond existing local system access, though user interaction is required to trigger the installation or upgrade process. For detailed technical information, refer to the Trellix Security Advisory SB10396.
Detection Methods for CVE-2023-0975
Indicators of Compromise
- Unexpected file modifications in Trellix Agent installation directories during upgrade or install operations
- Unusual executable files or file hashes in C:\Program Files\Trellix\Agent\ or related directories
- Process execution anomalies where Trellix Agent services spawn unexpected child processes
- Windows Event Log entries indicating file replacements or permission changes in the agent installation path
Detection Strategies
- Monitor file integrity of Trellix Agent installation directories, especially during upgrade windows
- Implement behavioral detection for privilege escalation attempts following Trellix Agent installation events
- Enable object-access auditing (Event IDs 4656 and 4663) to track file system access to agent directories; these events are only generated once the Audit File System subcategory is enabled and a SACL is set on the directories
- Deploy endpoint detection rules to identify executable replacements in security software directories
Monitoring Recommendations
- Configure file integrity monitoring (FIM) on Trellix Agent installation paths
- Alert on any non-Trellix-signed executables appearing in agent directories
- Monitor Windows Event Logs for suspicious process creation events with SYSTEM privileges following agent installations
- Review installation logs for unexpected file operations or timing anomalies
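Added example, not Trellix's own code or tooling, covering two items from the lists above: the signature check (alert on non-Trellix-signed executables in agent directories, with SHA-256 hashes for comparison against known-good values) and the 4663 audit-event review for file access to the agent path by callers other than SYSTEM. The path is the one this page names; the signer pattern and function names are assumptions, so confirm the pattern against the certificate subject of a known-good agent binary in your environment.

```powershell
# Added example (not Trellix code). Requires an elevated session to read the Security log.
$AgentPath = 'C:\Program Files\Trellix\Agent'
$ExpectedSignerPattern = 'Trellix'   # assumption; older agent builds may carry a different subject

function Get-UnexpectedAgentBinaries {
    param([string]$Path = $AgentPath, [string]$SignerPattern = $ExpectedSignerPattern)
    if (-not (Test-Path -LiteralPath $Path)) { return }

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Both conditions must hold: chain validates AND the signer is the vendor.
            $trusted = ($sig.Status -eq 'Valid') -and ($subject -match $SignerPattern)
            if (-not $trusted) {
                [pscustomobject]@{
                    File        = $_.FullName
                    SigStatus   = $sig.Status
                    Signer      = $subject
                    ModifiedUtc = $_.LastWriteTimeUtc
                    Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

function Get-AgentPathWriteEvents {
    param([string]$Path = $AgentPath, [int]$Hours = 24)
    # 4663 is only logged when a SACL exists on the directory and the
    # "Audit File System" subcategory is enabled; otherwise this returns nothing.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the structured EventData fields rather than parsing the message text.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -notlike "$Path*") { return }   # 'return' here skips to the next event
            # Writes by SYSTEM are expected during a legitimate install; surface everyone else.
            if ($d.SubjectUserSid -eq 'S-1-5-18') { return }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process    = $d.ProcessName
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask
            }
        }
}

# Usage
Get-UnexpectedAgentBinaries | Format-Table -AutoSize
Get-AgentPathWriteEvents -Hours 24 | Format-Table -AutoSize
```

Run the binary check before and after each agent upgrade and diff the hash list; a file that is unsigned, signed by an unexpected subject, or whose hash changed outside an upgrade window is the indicator the page describes. The event query is most useful when the SACL audits write, delete and write-DAC access by Everyone on the agent directory, so that any non-SYSTEM writer during an upgrade is recorded.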
How to Mitigate CVE-2023-0975
Immediate Actions Required
- Update Trellix Agent for Windows to a version newer than 5.7.8 immediately
- Restrict local user access to systems where Trellix Agent is installed pending patching
- Verify integrity of existing Trellix Agent installations by comparing file hashes with known-good values
- Monitor for any suspicious activity on systems running vulnerable agent versions
Patch Information
Trellix has released a security update to address this vulnerability. Organizations should update to the latest version of Trellix Agent for Windows beyond version 5.7.8. Detailed patch information and download links are available in the Trellix Security Advisory SB10396.
Workarounds
- Limit local user access to systems running Trellix Agent until patching is complete
- Perform agent installations and upgrades only in controlled environments with restricted user sessions
- Implement strict access controls on agent installation directories using Windows NTFS permissions
- Schedule agent upgrades during maintenance windows when user activity is minimal
# Verify Trellix Agent version (PowerShell). Note: enumerating Win32_Product makes
# Windows Installer run a consistency check (and possible repair) on every installed
# MSI package, so it is slow and has side effects; run it during a maintenance window.
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Trellix Agent*" } | Select-Object Name, Version
# Restrict permissions on installation directory (run as Administrator). This strips
# inherited ACEs and leaves only SYSTEM and Administrators with full control; confirm on
# a test host that the agent's user-facing components still run for standard users.
icacls "C:\Program Files\Trellix\Agent" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.