CVE-2023-50441

Vulnerability

An unauthenticated attacker can modify encrypted folders created by PRIMX ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission) or before version 2023.5. The attacker can include a UNC reference in the folder metadata, causing the folder to attempt a network connection when opened. Affected versions include ZONECENTRAL for Windows prior to 2023.5, including Q.2021.1 [2].

Exploitation

The attacker must be able to modify an encrypted folder, which does not require authentication according to the description. The attack requires adjacent network access (same network segment) and high attack complexity, as per the CVSS vector. No user interaction is needed beyond the legitimate user opening the modified folder. When the folder is opened, the embedded UNC path triggers an outbound SMB connection, potentially resulting in an NTLM authentication request to an attacker-controlled server [2].

Impact

Successful exploitation allows the attacker to capture user credentials (NTLM hashes) from the authentication request, leading to information disclosure with high confidentiality impact. The attacker may obtain user privileges and potentially use the credentials for further attacks. Integrity and availability are not affected [2].

Mitigation

Upgrade to ZONECENTRAL for Windows version Q.2021.2 (validated by ANSSI) or version 2023.5. These versions fix the vulnerability. For assistance, contact support@primx.eu. No workarounds are documented [2].