Versa SASE Client for Windows Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in the Versa SASE Client for Windows, specifically in versions 7.8.7 prior to 7.9.4. This vulnerability arises in the audit log export feature, where user-controlled file paths are sent to a privileged service that performs file system operations without proper user impersonation. This flaw, combined with a time-of-check time-of-use race condition and manipulation of symbolic links and mount points, allows a local authenticated attacker to trick the service into deleting arbitrary directories with SYSTEM privileges. Exploitation of this vulnerability could involve removing protected system folders, such as C:\Config.msi, and subsequently executing code as NT AUTHORITY\SYSTEM using MSI rollback techniques.

Impact

Exploitation of this vulnerability allows for arbitrary folder deletion with SYSTEM-level privileges, leading to unauthorized execution as NT AUTHORITY\SYSTEM.

Remediation

Users can update to Versa SASE Client for Windows version 7.9.5 or later, where this vulnerability has been addressed. For versions prior to 7.9.5, the audit log export functionality now operates strictly within the user context, preventing any actions from being executed with elevated privileges. Enhanced validation has also been implemented to ensure only valid file formats are processed, blocking I/O operations on unexpected or malicious file types.