ITM Windows Agent Insecure Filesystem Permissions

Vulnerability

The Proofpoint Insider Threat Management (ITM) Agent for Windows, versions prior to 7.14.3, contains an insecure filesystem permissions vulnerability [1]. This allows local unprivileged users to interfere with the agent's event reporting and monitoring capabilities. Agents for macOS, Linux, and Cloud are unaffected [1].

Exploitation

An attacker needs only local access to the Windows machine with unprivileged user credentials [1]. No special privileges or user interaction beyond authentication is required. The vulnerability is exploited by modifying or accessing files in the agent's installation directory due to overly permissive access control lists (ACLs) (implied by the nature of insecure filesystem permissions) [1].

Impact

Successful exploitation can cause a denial of service (disruption of agent monitoring) with high availability impact, as per CVSS v3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [1]. The attacker cannot read, modify, or delete arbitrary data; they can only disrupt the agent's operation.

Mitigation

Proofpoint released the fixed version 7.14.3 of the ITM Windows Agent, available through the customer support portal [1]. All users should upgrade to 7.14.3 or later. No workarounds are provided in the reference, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) as of the publication date.