File symlink abuse might lead to deleting files belonging to SYSTEM user

Vulnerability

An improper privilege management vulnerability exists in Cloudflare WARP on Windows prior to version 2024.12.492.0 [1]. A low-privilege user can create symbolic links inside the C:\ProgramData\Cloudflare\warp-diag-partials folder. When the 'Reset all settings' option is triggered, the WARP service (running with System privileges) follows these symlinks and deletes the target files, potentially removing files owned by the System user.

Exploitation

An attacker with low system privileges on a Windows host must have write access to the C:\ProgramData\Cloudflare\warp-diag-partials directory and the ability to create symlinks. The attacker first creates a set of symlinks in this folder pointing to arbitrary files. Then, they trigger the 'Reset all settings' option in the Cloudflare WARP client. The WARP service, which runs as SYSTEM, will traverse and delete the files referenced by those symlinks.

Impact

Successful exploitation allows the attacker to delete files owned by the System user, including critical system files or configuration data. This can lead to denial of service, system instability, or privilege escalation depending on the files targeted. The WARP service's SYSTEM-level privileges amplify the potential damage beyond what the low-privilege attacker could achieve on their own.

Mitigation

The vulnerability is fixed in Cloudflare WARP version 2024.12.492.0 and later [1]. Users should upgrade to at least this version. For systems running versions before the fix, no workaround is documented. Administrators should restrict write access to the warp-diag-partials folder or disable the 'Reset all settings' functionality until the update is applied.