
CVE-2024-23772: n/a

Severity: Medium
Published: Tue Apr 30 2024 (04/30/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-23772 is a medium-severity vulnerability affecting Quest KACE Agent for Windows versions 12.0.38 and 13.1.23.0. It involves an arbitrary file creation flaw in the KSchedulerSvc.exe, KUserAlert.exe, and Runkbot.exe components, allowing local attackers to create files with SYSTEM privileges.

AI-Powered Analysis

Last updated: 02/26/2026, 10:16:46 UTC

Technical Analysis

CVE-2024-23772 is a vulnerability in Quest KACE Agent for Windows versions 12.0.38 and 13.1.23.0. The flaw resides in three components: KSchedulerSvc.exe, KUserAlert.exe, and Runkbot.exe. These components improperly handle file creation operations, allowing a local attacker with limited privileges to create arbitrary files on the system with NT Authority\SYSTEM privileges. This is an arbitrary file creation vulnerability (CWE-22), which can be leveraged for privilege escalation by placing malicious files or scripts that the system or other privileged processes might execute. Exploitation requires no user interaction but does require local access with low privileges. The CVSS v3.1 base score is 6.6 (medium severity), with a local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L). No patches or exploits are currently publicly available, but the vulnerability poses a significant risk due to the SYSTEM-level privileges that can be obtained. The affected software is typically used in enterprise environments for systems management, making the vulnerability relevant for organizations relying on Quest KACE for endpoint management.

Potential Impact

The primary impact of CVE-2024-23772 is local privilege escalation, allowing an attacker with limited local access to gain SYSTEM-level privileges. This can lead to full system compromise, including unauthorized access to sensitive data (confidentiality impact), unauthorized modification of system files or configurations (integrity impact), and potential disruption of system operations (availability impact). Organizations using affected Quest KACE Agent versions in Windows environments are at risk of attackers leveraging this vulnerability to escalate privileges and move laterally within networks. This could facilitate further attacks such as deploying malware, establishing persistence, or exfiltrating data. Given the SYSTEM-level privileges granted, the attacker could disable security controls, manipulate logs, or install backdoors, significantly increasing the threat to enterprise environments. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation. The vulnerability's impact is especially critical in environments where local user accounts are shared or where endpoint security is less stringent.

Mitigation Recommendations

1. Apply patches or updates from Quest as soon as they become available to address this vulnerability.
2. Until patches are released, restrict local access to systems running affected Quest KACE Agent versions by enforcing strict access control policies and limiting user privileges.
3. Monitor and audit local user activities on systems with Quest KACE Agent installed to detect any unauthorized file creation or suspicious behavior.
4. Implement application whitelisting and endpoint detection and response (EDR) solutions to detect and block attempts to exploit this vulnerability.
5. Harden the affected components by reviewing and restricting permissions on directories and files used by KSchedulerSvc.exe, KUserAlert.exe, and Runkbot.exe to prevent unauthorized file creation.
6. Educate system administrators and users about the risks of local privilege escalation and encourage the use of least privilege principles.
7. Regularly review and update security policies related to local user account management and endpoint security to reduce the attack surface.
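
As an added example (not from the original page or from Quest), the file-creation monitoring in step 3 can be written as a check over Sysmon FileCreate (Event ID 11) records: flag any file written by the three named binaries outside an allow-list, collapsing `..` segments before comparing. The allow-list directory, the install path, and the sample events are constructed placeholders.

```python
import ntpath  # Windows path rules on any OS, so the check runs offline

# Binaries named in the advisory (compared case-insensitively).
WATCHED_IMAGES = {"kschedulersvc.exe", "kuseralert.exe", "runkbot.exe"}

# ASSUMPTION: placeholder allow-list; the page does not list the agent's
# real data directories. Replace with the ones used in your environment.
ALLOWED_DIRS = [r"C:\ProgramData\ExampleAgent"]

def normalize(path):
    """Collapse '..' segments, then fold case and separators Windows-style."""
    return ntpath.normcase(ntpath.normpath(path))

def is_allowed(target, allowed_dirs=ALLOWED_DIRS):
    """True only if the normalized target is inside an allow-listed directory."""
    t = normalize(target)
    for d in map(normalize, allowed_dirs):
        # Require a separator after the prefix so 'ExampleAgentOther' fails.
        if t == d or t.startswith(d + "\\"):
            return True
    return False

def suspicious_creates(events, allowed_dirs=ALLOWED_DIRS):
    """Return FileCreate events where a watched binary wrote outside the list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:  # Sysmon FileCreate
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        target = ev.get("TargetFilename", "")
        if image in WATCHED_IMAGES and not is_allowed(target, allowed_dirs):
            hits.append(ev)
    return hits

# Constructed sample events; install and data paths are placeholders.
AGENT = "C:\\Program Files\\ExampleVendor\\"
DATA = "C:\\ProgramData\\ExampleAgent"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": AGENT + "KSchedulerSvc.exe", "TargetFilename": DATA + r"\logs\job.log"},
    {"EventID": 11, "Image": AGENT + "Runkbot.exe", "TargetFilename": DATA + r"\..\..\Windows\sample.txt"},
    {"EventID": 11, "Image": AGENT + "KUserAlert.exe", "TargetFilename": DATA + r"Other\note.txt"},
    {"EventID": 11, "Image": r"C:\Windows\notepad.exe", "TargetFilename": r"C:\Users\Public\a.txt"},
]

if __name__ == "__main__":
    for hit in suspicious_creates(SAMPLE_EVENTS):
        print(hit["Image"], "->", normalize(hit["TargetFilename"]))
```

The second and third sample events are flagged: one leaves the allow-listed directory through `..` segments, the other only shares a name prefix with it.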


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-22T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d54b7ef31ef0b5705fc

Added to database: 2/25/2026, 9:44:52 PM

Last enriched: 2/26/2026, 10:16:46 AM

Last updated: 2/26/2026, 11:08:39 AM
