G Data EndpointProtection Enterprise 17.08.2021 Privilege Escalation

`DATA Anti-Virus: Abusing OpenSSL to get local admin  
  
Metadata  
===================================================  
Release Date: 05-Oct-2021  
Author: Florian Bogner @ https://bee-itsecurity.at  
Affected product: G Data’s Security Client “EndpointProtection Enterprise”  
Fixed in: all versions after 17.08.2021  
Tested on: Windows 10 x64 fully patched  
URL: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/  
Vulnerability Status: Fixed with new release  
  
Product Description  
===================================================  
The most sensitive areas of your systems are your employees’ workstations. Where attachments are opened, passwords are entered, and sensitive data is processed. The servers that make connections across the entire network. And smartphones that come and go with your employees every day. This is precisely where our endpoint security solutions protect your company assets. [https://www.gdata-software.com/business/endpoint-security]  
  
Vulnerability Description  
===================================================  
The underlying problem was, that the GdAgentSrv (which is running as SYSTEM) tried to load its OpenSSL configuration from the non-existing path C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-141-static\openssl.cnf (newer versions load from C:\Jenkins\vcpkg-master\packages\openssl-windows_x86-static\openssl.cnf). This can be abused by any local user to load arbitrary libraries (DLLs) and execute untrusted code in the affected process. This leads to a privilege escalation from non-admin user to SYSTEM.  
  
For more information please visit: https://bogner.sh/2021/10/g-data-anti-virus-abusing-openssl-to-get-local-admin/  
  
Suggested Solution  
===================================================  
Users should update to the latest available version.  
  
Disclosure Timeline  
===================================================  
10.10.2019: The issue has been identified, documented and reported (ticket number CAS-730826-F7K4R9). No reply received.  
11.2020: The issue was communicated again to G Data’s Sales Team in Austria. After initial communication no further feedback.  
06.2021: The issues was abused during a security check to overtake another client’s infrastructure.  
14.06.2021: G DATA confirms the vulnerability. Public disclosure is planed for 15th September 2021  
17.08.2021: Fixed version is released to the public  
05.10.2021: Public disclosure  
  
___________  
  
Florian Bogner  
Information Security Expert, Speaker  
  
Bee IT Security Consulting GmbH  
Nibelungenstraße 37  
3123 A-Schweinern  
  
Tel: +43 660 123 9 454  
Mail: [email protected]  
Web: https://www.bee-itsecurity.at  
  
  
  
  
  
`