Saturday, February 22, 2025
Fortra For Windows Vulnerability Let Attackers Escalate Privilege

Fortra’s Robot Schedule Enterprise Agent permits a low-privileged user to elevate privileges to the local system level. 

The problem arises from the agent’s failure to adequately secure its service executable, which an attacker can exploit by swapping out the executable for a malicious one.

As a result, the malicious code will run with elevated privileges when the service restarts, allowing unauthorized access to the system.

In versions of Fortra’s Robot Schedule Enterprise Agent for Windows prior to 3.04, a vulnerability tracked as CVE-2024-0259 allows a low-privileged user to overwrite the service executable with their own malicious code and thereby obtain elevated privileges.

This is serious because it gives the attacker considerable control over the system.

Upon service restart, the overwritten executable executes with local system privileges, giving the attacker escalated privileges on the system.

Privilege Escalation Vulnerability

An attacker with low privileges can exploit the vulnerability to gain complete control over the system. 

The root cause is that the agent’s service executable can be overwritten by a low-privileged user.

An attacker can deceive the system into executing their code with the highest level of privileges (local system) when the service restarts by substituting a malicious executable for the original one, giving the attacker full access to all of the system’s resources. 

Details of the Vulnerability

Fortra’s Robot Schedule Enterprise Agent for Windows, in versions before 3.04, is susceptible to privilege escalation. This vulnerability enables a user with low privileges to replace the service executable with malicious code.

When the service restarts, the overwritten program runs with local system privileges, giving the attacker elevated access to the compromised system.

This vulnerability, which falls under CWE-276: Incorrect Default Permissions, underscores the significance of establishing suitable access controls for executables. 

Fortra’s Robot Schedule Enterprise Agent for Windows versions before 3.04 was found to have a critical privilege escalation vulnerability (CVE-2024-0259) on December 7th, 2023. 

The vulnerability has a high exploitability and potential impact, earning it a CVSSv3.1 score of 7.3.

An attacker with low privileges could use it to overwrite a legitimate service executable and then run arbitrary code with system privileges. 

Fortra released version 3.04 on March 20th, 2024, which addresses this vulnerability.

To mitigate the risk, system administrators should update all vulnerable agents to version 3.04 or higher as soon as possible. 
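The CWE-276 condition described above (a service binary that non-privileged principals can write to) and the version-based mitigation can both be checked from an administrative PowerShell session. The following audit script is an added example written for this page; it is not code from the article or from Fortra. The service name `RobotScheduleAgent` is a placeholder, and the assumption that the binary's file version follows a `major.minor` scheme comparable to "3.04" is mine; substitute the real service name and adjust the version check for the product as installed.

```powershell
# Added example (not from the article or from Fortra): audit a Windows service's
# executable and its directory for write access held by untrusted principals
# (the CWE-276 pattern), and report the binary's file version against the fixed
# release named in the advisory. Run as an administrator.
param(
    [string]$ServiceName = 'RobotScheduleAgent',  # placeholder service name (assumption)
    [version]$FixedVersion = [version]'3.04'       # fixed release per the advisory
)

# Principals that may legitimately hold write access to a service binary.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Any of these rights lets a caller replace, alter, or re-permission the file.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
               $fsr::WriteData -bor $fsr::Delete -bor
               $fsr::TakeOwnership -bor $fsr::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # PathName may be quoted and may carry arguments; keep only the executable.
    $raw = $svc.PathName.Trim()
    if ($raw.StartsWith('"')) { return $raw.Substring(1, $raw.IndexOf('"', 1) - 1) }
    return ($raw -split '\s+')[0]
}

function Get-UntrustedWriters {
    # Returns one object per Allow ACE that grants write-class rights to a
    # principal outside the trusted set (file or directory).
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $ace.IdentityReference.Value }   # unresolvable SID: report it
        if ($trustedSids -contains $sid) { continue }
        [pscustomobject]@{
            Path     = $Path
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
        }
    }
}

function Test-ServiceBinaryHardening {
    param([string]$Name, [version]$Fixed)
    $exe = Get-ServiceBinaryPath -Name $Name
    $dir = Split-Path -Parent $exe

    # 1. ACL check on the binary itself and on its containing directory
    #    (directory write/delete rights allow rename-and-replace).
    $findings = @(Get-UntrustedWriters -Path $exe) + @(Get-UntrustedWriters -Path $dir)

    # 2. Version check against the fixed release (version scheme is an assumption).
    $fileVer = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $parsed = $null
    $versionOk = [version]::TryParse($fileVer, [ref]$parsed) -and ($parsed -ge $Fixed)

    [pscustomobject]@{
        Service        = $Name
        Executable     = $exe
        FileVersion    = $fileVer
        AtOrAboveFixed = $versionOk
        UntrustedACEs  = $findings
        Vulnerable     = (-not $versionOk) -or ($findings.Count -gt 0)
    }
}

# Usage: report for the configured service, then list any offending ACEs.
$report = Test-ServiceBinaryHardening -Name $ServiceName -Fixed $FixedVersion
$report | Format-List Service, Executable, FileVersion, AtOrAboveFixed, Vulnerable
$report.UntrustedACEs | Format-Table -AutoSize
```

The directory check matters as much as the file check: even when the executable's own ACL is tight, a directory that grants Delete or Write to Users allows the binary to be renamed and a replacement dropped in its place, which produces the same outcome on the next service restart. An empty `UntrustedACEs` list together with `AtOrAboveFixed = True` is the state an administrator should expect after applying the 3.04 update.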

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
