What is privilege escalation?
Privilege escalation is an attack vector where an adversary gains unauthorized access through a vulnerability in software or hardware elevating the access and execution permissions to carry out further attacks. This top exploitation technique typically falls into two buckets: horizontal and vertical privilege escalation.
Horizontal privilege escalation is where an attacker seeks to increase their access to a system by taking over access rights of other users with similar privileges.
Vertical privilege escalation is when the attacker seeks to raise the privilege level of a process or user to system administrator or root access.
How does privilege escalation work?
Privilege escalation is a key part of any adversary’s toolkit and represents a critical inflection point for many attack chains. Adversaries usually search for weak spots in organizational defenses that allow initial entry or basic privileges through credential theft. Exploiting existing vulnerabilities enables further elevated privilege.
Both Windows and Linux are vulnerable to privilege escalation attacks.
Windows privilege escalation leverages token manipulation, Dynamic Link Library (DLL) hijacking, or user account control (UAC) bypass.
Linux system privilege escalation attacks include enumeration, kernel exploit, and using Sudo to gain root privileges.
Click the video for a quick tutorial
Key examples of privilege escalation:
Dirty Pipe (CVE-2022-0847)
Dirty Cow (CVE-2016-5195)
FabricScape (CVE-2022-30137)
Certified (CVE-2022-26923)
NimbusPwn (CVE-2022-29799 and CVE-2022-29800)
The impact of privilege escalation
On its own, privilege escalation can allow an attacker to gain admin or root level privileges so they can potentially see additional infrastructure to attack, add or delete users, or modify permissions of files or other users. These tactics can help the attacker destroy or steal data, gain access to additional systems or files, or create backdoor users for future attacks.
Often, the impact of privilege escalation does not originate from the direct vulnerability, but rather from what happens when it’s combined with a Remote Code Execution (or RCE) vulnerability.
Depending on the vulnerability targeted, attackers will be limited to the privileges of the target process to execute the code. Because of this, RCE is commonly paired with attempts to escalate privileges and gain control on an administrative or root level.
Elevated privilege can also allow attackers to more easily hide the attack. Even without more extraordinary privileges, the remote code execution vulnerability has the potential to cause serious harm.
How to mitigate Privilege Escalation vulnerabilities
The most effective way to mitigate or eliminate exposure to privilege escalation vulnerabilities is through regular security updates. Automox recommends that you take these four steps to effectively mitigate exposure to these vulnerabilities:
1. Stay up-to-date on the latest vulnerabilities
First, make sure you have robust vulnerability detection and scanning capabilities to identify, categorize and manage incoming vulnerabilities. Such vulnerabilities can include unsecured system configurations or missing patches, as well as other security-related updates in the systems connected to the enterprise network directly – remotely or in the cloud.
From Rapid7 and Tenable to Qualys, there are many powerful vulnerability scanning vendors to choose from. Make sure they’re integrated within your tech stack and work with your patch solution, such as Automox, to quickly take action against threats whether that’s a patch, a system reconfiguration, or the removal of vulnerable software.
2. Use a single solution for patching
When you have multiple OSes and third-party software installed across on-prem, remote, and devices in the cloud, you can see how the challenge of patching can quickly spiral. Often companies use several patching tools and ad-hoc manual workarounds to patch their environments, but adding more tools to a problem only compounds the issue.
To resolve this, we recommend keeping it simple with a single cloud-based solution that can address every endpoint, regardless of its OS or where it resides.
With a cloud-hosted platform, you can look forward to no maintenance or VPN requirements while eliminating unnecessary hardware investments and resources. This frees up your dollars and technicians’ cycles for more high-value work.
Support for Windows, macOS, and Linux can also offer the same seamless experience for all OS types. And that enables you to patch all devices in your clients’ environments – from a single pane of glass.
3. Keep an up-to-date inventory of assets
You can’t fix what you can’t see. As previously highlighted, more and more endpoints are either located in the cloud or using cloud services to access data. IT departments require visibility across their environment to accurately assess their security posture and risk level.
Find tools that promote endpoint visibility and support a single source of truth. The ability to see all of your servers and workstations in one dashboard reduces the time spent assessing patch status, improves your security position, and enables accurate reporting to executives and stakeholders.
4. Automate where you can
Automation won’t just keep your IT staff sane, but it will improve user productivity and maintain your organization's ability to pivot quickly in an ever-evolving environment.
From onboarding and de-provisioning users to patching devices across your multi-cloud environments or deploying software, automation holds the key to driving your dynamic cloud infrastructure forward.
Start your free trial now.
Get started with Automox in no time.
