Full Report
Cato Network has a client application that allows access to access to resources from the Internet, cloud, SaaS or data center. The authors of this post looked into the application and found many bad bugs. The application contains a custom URI handler. One parameter for this is external_browser program on calls to Process.Start. Since this is user controllable, it can be used to start an arbitrary application. When specifying something like notepad.exe though, it cannot find the actual executable because of its search. Why? It's trying to open a URL in the browser and not a path with a URL parameter being passed in. Luckily for them, providing a %00 (NULL) removes the parameter in the call and opens up an arbitrary application. Process.Start cannot be used with parameters, sadly. However, an SMB share can house a malicious executable that we control! By setting this up and passing in the link, we have gotten RCE on the device. This same block of code can be hit from the authentication process as well. Besides the RCE, they found two local privilege escalation vulnerabilities. When loading up the program, it's searching (and not finding) an OpenSSL config. Since it cannot find it, an attacker can create the folder and set it themselves. The engines parameter can be used to dynamically load an arbitrary DLL into the process, giving SYSTEM level code execution once restarted. They found a method to trigger an exception and force a process restart to make this easier to do. The next privilege escalation bug had to do with folder permissions again. When downloading the client, it's executing from the /Windows/TEMP directory. The program tries to execute a non-existent process called msiexec.exe from this location. By writing a file with this name here, the authors got code execution within the context of system. Are we done? No! The CatoClient.exe process communicates via the high privileged process winvpnclient.cli.exe. The IPC handler for installing the root certificate was exposed but not used in the CatoClient process. So, simply submitting this command would add the certificate to the system, which is really bad. Sometimes, unused functions lay dormant and contain real issues! Overall, a fun series of bugs in the client. Windows hacking isn't my thing but the issues were explained well enough for me to understand still.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Cato Networks Windows Client
## CVE Details
- **CVE ID:**
- CVE-2024-6973 (Remote Code Execution)
- CVE-2024-6975 (LPE - OpenSSL Config)
- CVE-2024-6974 (LPE - Self-Upgrade)
- CVE-2024-6978 (Root Cert Install)
- CVE-2024-6977 (Account Takeover - Logs)
- **CVSS Score:** Up to 8.8 (High/Critical - estimated based on RCE and LPE impact)
- **CWE:** CWE-94 (Improper Control of Generation of Code), CWE-269 (Improper Privilege Management), CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products:** Cato Client for Windows
- **Versions:** Windows Client versions prior to June 2024 updates
- **Configurations:** Systems running the Cato lightweight agent for Zero Trust access
## Vulnerability Description
Security researchers identified a chain of vulnerabilities ranging from remote execution to local privilege escalation (LPE):
1. **Remote Code Execution (CVE-2024-6973):** The application’s custom URI handler failed to sanitize the `external_browser` parameter used in `Process.Start`. By injecting a NULL byte (`%00`), an attacker could bypass parameter restrictions to execute arbitrary applications via SMB shares.
2. **LPE via OpenSSL (CVE-2024-6975):** The client searched for a non-existent OpenSSL configuration file in a user-writable directory. An attacker could place a malicious config file to load an arbitrary DLL (via the `engines` parameter) with SYSTEM privileges.
3. **LPE via Self-Upgrade (CVE-2024-6974):** During updates, the client executed from `C:\Windows\TEMP` and attempted to run a non-existent `msiexec.exe` in that directory. A low-privileged user could plant a malicious executable with that name.
4. **Improper IPC Access (CVE-2024-6978):** The high-privileged service `winvpnclient.cli.exe` exposed an unused IPC handler that allowed the installation of arbitrary root certificates without administrative consent.
5. **Sensitive Data in Logs (CVE-2024-6977):** The client logged sensitive SSO authentication data in plaintext trace logs.
## Exploitation
- **Status:** PoC developed by researchers; verified and patched.
- **Complexity:** Medium (Requires user interaction for RCE; local access for LPE).
- **Attack Vector:** Network (URI handler/Web) and Local (LPE).
## Impact
- **Confidentiality:** Total (Full device compromise and log data exposure).
- **Integrity:** Total (Ability to install root certificates and modify system files).
- **Availability:** Total (SYSTEM level code execution).
## Remediation
### Patches
- Cato Networks has released updated versions of the Windows Client. Most endpoints were automatically patched starting **June 3, 2024**.
- Users should ensure they are running the latest version of the Cato Client (v5.10.x or higher is recommended).
### Workarounds
- Restrict access to untrusted URI links.
- Disable outbound SMB (Port 445) to prevent the RCE vector from accessing remote malicious executables.
## Detection
- **Indicators of Compromise:**
- Creation of `msiexec.exe` or OpenSSL config files in `C:\Windows\Temp` or non-standard application directories.
- Presence of unexpected Root Certificates in the Windows Certificate Store.
- Unusual `CatoClient.exe` child processes (e.g., executing files from SMB shares).
- **Detection Methods:** Monitor for `Process.Start` events triggered by the `cato://` URI scheme.
## References
- **Vendor Advisory:** hxxps://securityadvisories[.]catonetworks[.]com
- **Original Research:** hxxps://blog[.]amberwolf[.]com/blog/2024/july/cve-2024-6973-cato-client-remote-code-execution-via-crafted-urls/
- **CVE Database:** hxxps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2024-6973