Security Advisory

.

Insider Threat Management Windows Agent Remote Code Execution Vulnerability,
CVE-2020-8884

Advisory ID: PFPT-SA-2020-0002

The Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) prior to version 7.9 contains a vulnerability in the endpoint service "rcdsvc". The vulnerability allows a remote attacker with valid credentials on the Windows system to execute arbitrary code with the privileges of the Windows SYSTEM user. The vulnerability is caused by improper deserialization over named pipes. Agents for Mac and Linux are unaffected by this vulnerability.

Patch Information

All versions between 6.3 and 7.8.2 are affected by this vulnerability.

Proofpoint has released fixes in versions 7.4.2, 7.5.3, 7.6.4, 7.7.4, 7.8.3, and 7.9

The patched versions of the agent are now available through the customer support portal.

https://observeit.force.com/support/s/login

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Acknowledgements

Proofpoint would like to thank Lee Christensen for their assistance.