Threat actors have been observed exploiting a privilege escalation vulnerability in the Windows Backup and Restore service, tracked as CVE-2023-21752. According to security researchers at CloudSEK, the vulnerability allows a basic user to execute arbitrary code on a host to delete files from a specified storage path. That action is normally reserved for privileged users, so the flaw could be leveraged to escalate from a basic user to the system user on the host, enabling account takeover.
The vulnerability is triggered through a race condition between temporary file creation and deletion that takes place after the authentication process. Windows hosts with irregular patch installation are at risk, as threat actors may already be using the exploit in the wild. The only requirement is a local account on the targeted system.
CloudSEK spotted threat actors discussing the vulnerability on a Russian-speaking cybercrime forum and in Telegram channels. "A brand new vulnerability was found on January 10 in the Windows Backup service," reads a Telegram post seen and shared by CloudSEK. "The vulnerability makes it easy to elevate privileges from the user level to [local privilege escalation]." 0patch also released a separate fix for the flaw on January 31, noting that its micropatch is logically identical to Microsoft's but, to minimize complexity and code size, uses a simpler naming scheme for the temporary file. As 0patch's security researchers noted, the temporary-file naming accommodates multiple backup processes using the same path at the same time, which is unlikely but not impossible.
"The bare requirement is to have a local account on the targeted system," said CloudSEK. "This is a serious vulnerability and should be addressed immediately."
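The race described above is a cleanup-by-path problem: a privileged service creates a temporary file and later deletes whatever sits at that name. The following Python is an added illustration, not the Windows Backup service's code or either vendor's patch; all names and data in it are constructed. It contrasts the weak pattern with a guarded one that uses an exclusive, randomly named file (the concurrent-process collision concern 0patch mentioned) and verifies the file's identity before deleting, and with an unnamed temporary file that has no deletion step to race at all.

```python
# Constructed illustration of the temp-file lifecycle bug class; this is not the
# Windows Backup service's code nor any vendor patch, and the names are invented.
import os
import stat
import tempfile


def cleanup_by_path(path: str) -> None:
    """Weak pattern: create a scratch file, close it, then delete by name only.

    Between close() and remove() the process has no way to know whether `path`
    still names the file it created. A privileged process doing this removes
    whatever currently sits at the path, which is the shape of the bug above.
    """
    with open(path, "w") as fh:
        fh.write("scratch data")
    os.remove(path)


class GuardedTempFile:
    """Hardened pattern: exclusive random name plus an identity check before delete."""

    def __init__(self, directory: str) -> None:
        # mkstemp opens with O_CREAT | O_EXCL and a random suffix: the name cannot be
        # pre-created by someone else, and concurrent users of the same directory
        # get distinct files (the collision case 0patch mentioned).
        self.fd, self.path = tempfile.mkstemp(prefix="backup-", dir=directory)
        # Record the identity (device, inode) of the file we actually created.
        self.identity = os.fstat(self.fd)

    def write(self, data: bytes) -> None:
        os.write(self.fd, data)

    def close(self) -> bool:
        """Remove the path only if it still refers to exactly our file.

        Returns True if our file was deleted, False if the path now refers to
        something else (a symlink, or a different file), in which case nothing
        is deleted. The still-open handle keeps the original inode allocated,
        so a replacement file cannot receive the same (st_dev, st_ino) pair.
        """
        try:
            st = os.lstat(self.path)  # lstat: a symlink planted here is not followed
        except FileNotFoundError:
            st = None
        finally:
            os.close(self.fd)  # Windows refuses to unlink an open file, so close first
        same = (
            st is not None
            and stat.S_ISREG(st.st_mode)
            and (st.st_dev, st.st_ino) == (self.identity.st_dev, self.identity.st_ino)
        )
        if same:
            os.unlink(self.path)
        return same


def unnamed_scratch(data: bytes) -> int:
    """Strongest option when no path is needed: an unnamed temporary file has no
    delete-by-name step to race (Python unlinks it right after creation, or uses
    O_TMPFILE where the platform supports it). Returns the byte count read back."""
    with tempfile.TemporaryFile() as fh:
        fh.write(data)
        fh.seek(0)
        return len(fh.read())


def demo() -> dict:
    """Exercise the patterns in a scratch directory and report the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Normal lifecycle: the path still names our file, so it is removed.
        t = GuardedTempFile(d)
        t.write(b"payload")
        results["normal_deleted"] = t.close()
        results["normal_gone"] = not os.path.exists(t.path)

        # Stale path: our file is gone and an unrelated file now sits at the same
        # name (constructed here while our handle is still open). The guard refuses.
        t2 = GuardedTempFile(d)
        os.unlink(t2.path)
        with open(t2.path, "w") as fh:
            fh.write("unrelated file")
        results["stale_deleted"] = t2.close()
        results["stale_survives"] = os.path.exists(t2.path)

        results["unnamed_len"] = unnamed_scratch(b"hello")
    return results


if __name__ == "__main__":
    print(demo())
```

The identity check narrows the window between lookup and deletion but does not eliminate it; the unnamed temporary file does, and is the better choice whenever the service never needs to hand the path to another component. The stale-path scenario in `demo()` unlinks a file that is still open, which relies on POSIX semantics and will not run unchanged on Windows.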