Technical Tip: JAZZ-194: Agent launches browser as an elevated user

Release Date:

17th June, 2019

Overview:

Jazz Windows Agents launch the default browser with elevated privileges when displaying a Message action with a URL for the user to follow.

Affected Products:

• Jazz Windows Agents 3.0.0 - 3.2.2 inclusive.

Unaffected Products:

• Jazz Agents on other platforms, and Windows Agents from 4.0.0 and above.

Resolution:

This issue is now fixed in Jazz Agent 4.0.0.

It is recommended that all customers upgrade their agents to the latest release. If it is not possible to upgrade then operators are advised to avoid issuing Message actions to Jazz Agents with a URL. Without a URL in the action parameters, the Jazz Agent will not launch the browser.

Vulnerability Information:

JAZZ-194 allows a program to be launched with elevated privileges. If a default browser has been configured by the user of the machine then the browser will be run, otherwise, Windows will prompt the user to ask them which program they would like to use to follow the URL contained in the Message action.

• CVE: pending.
• CVSSv3 score: 8.6.
• CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:W/RC:C/CR:H/IR:H/AR:H

This issue is mitigated by not issuing Message actions with a valid URL to affected Jazz Agents.

Acknowledgments:

Issue found internally by Jazz Networks.

Disclosure Timeline:

• 15/05/2019 Issue found internally by Jazz Networks.
• 15/05/2019 Root cause established.
• 20/05/2019 Fix identified.
• 17/06/2019 Patched Jazz Agent released.
• 17/06/2019 Vulnerability publicly disclosed.