JumpCloud Remote Assist for Windows Privilege Escalation and Arbitrary File Manipulation Vulnerability
Vulnerability
A vulnerability in JumpCloud Remote Assist for Windows, affecting versions prior to 0.317.0, allows local, low-privileged attackers to exploit the uninstaller process. The uninstaller, invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM, performs privileged file operations in a user-writable %TEMP% subdirectory. It fails to validate the directory's trustworthiness or reset its access control lists, creating an opportunity for attackers to pre-create the directory with weak permissions. By leveraging mount-point or symbolic-link redirection, attackers can manipulate file writes to sensitive locations, causing denial-of-service by overwriting critical system files, or redirect file deletion operations to chosen targets, enabling unauthorized removal of files or folders and local privilege escalation to SYSTEM.
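The directory validation that the paragraph above says the uninstaller skipped can be written as a pre-flight check. The PowerShell below is an added example, not JumpCloud's code or its fix; the function name Test-TrustedWorkDir and the choice of SYSTEM and BUILTIN\Administrators as the only trusted principals are assumptions.

```powershell
# Added example, not JumpCloud code. Test-TrustedWorkDir is a hypothetical name.
function Test-TrustedWorkDir {
    param([Parameter(Mandatory)][string]$Path)

    $problems = [System.Collections.Generic.List[string]]::new()
    $trusted  = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $item.PSIsContainer) { throw "Not a directory: $Path" }

    # A junction or symlink on any path component can redirect a privileged
    # write or delete, so walk from the directory up to the drive root.
    for ($d = $item; $null -ne $d; $d = $d.Parent) {
        if ($d.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $problems.Add("reparse point: $($d.FullName)")
        }
    }

    # A directory pre-created by a low-privileged user is owned by that user,
    # who can rewrite its DACL at any time.
    $acl   = Get-Acl -LiteralPath $item.FullName
    $owner = $acl.GetOwner($sidType).Value
    if ($owner -notin $trusted) { $problems.Add("untrusted owner: $owner") }

    # Allow ACEs that let anyone else create, replace or delete entries.
    # 0x50000000 = GENERIC_ALL | GENERIC_WRITE, as stored in inherit-only ACEs.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -ne 'Allow' -or $sid -in $trusted) { continue }
        if ($rights -band ($writeMask -bor 0x50000000)) {
            $problems.Add("writable by ${sid}: $($ace.FileSystemRights)")
        }
    }

    [pscustomobject]@{
        Path     = $item.FullName
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed usage: run as a standard user against the per-user temp directory.
Test-TrustedWorkDir -Path $env:TEMP | Format-List
```

A check like this is still exposed to a race between check and use. A privileged process is better off creating its working directory itself with a restrictive ACL and refusing to continue if the directory already exists.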
Impact
Exploitation of this vulnerability could lead to unauthorized file writes or deletions in protected system areas, causing potential disruption of essential services or loss of critical data. Additionally, it could allow attackers to escalate privileges to the SYSTEM level, gaining full control over the affected machine.
Remediation
Users can update to JumpCloud Remote Assist version 0.317.0 or later to address this vulnerability.
