CVE-2021-41526

Vulnerability

A privilege escalation vulnerability exists in the Microsoft Windows installer (MSI) built with InstallScript custom action, affecting Flexera Revenera InstallShield for Windows prior to version 2021 R2. During an MSI repair operation, the InstallScript engine extracts its files, including ISBEW64.EXE, to a unique folder in the user’s TEMP directory. The engine then executes ISBEW64.EXE as part of the repair. The vulnerability lies in the predictable temporary folder location and the ability for a low-privilege user to access and modify files there during the repair window [1].

Exploitation

An attacker must be a local authenticated user on the target system. No special privileges are required. The exploitation involves invoking a repair of an affected MSI that has an InstallScript custom action configured. While the MSI repair runs, the attacker monitors the user’s TEMP directory for the folder created by the InstallScript engine. During the repair, before the legitimate ISBEW64.EXE is executed, the attacker replaces it with a malicious executable. The attacker then triggers or waits for the repair process to execute the replaced file, which runs with elevated privileges [1].

Impact

Successful exploitation grants the attacker full SYSTEM-level privileges on the Windows machine. This allows complete compromise of the affected system, including the ability to execute arbitrary code with the highest integrity level, install programs, create or modify accounts, and access any data on the system. The impact is rated High [1].

Mitigation

The vulnerability was fixed in Flexera Revenera InstallShield version 2021 R2, released on 17 December 2021. Users must update to version 2021 R2 or later to address the issue. No workaround is provided in the available references [1].