Impact
This only affects GLPI-Agent installed on Windows via MSI packaging.
A local user can use this feature to:
- cause a denial of agent service by replacing the GLPI server URL with a wrong URL or by disabling the service
- gain privilege escalation by configuring a private server that provides a malicious deploy task as a payload
Patches
Upgrade to GLPI-Agent 1.7.2
Workarounds
Disable MSI support by setting the per-machine DisableMSI policy to 2: see https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi
Locally you can add/edit HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableMSI as a DWORD value and set it to 2.
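The registry workaround above, as an added PowerShell example that is not part of the original advisory: it checks the current DisableMSI value, sets it to 2 if needed, and reads it back. It assumes an elevated session; the variable names are illustrative.

```powershell
# Added example: audit and apply the DisableMSI workaround (run elevated).
$key  = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
$name = 'DisableMSI'
$want = 2   # value given in the advisory

# Read the current policy value; $null means the value (or the key) is absent.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($current -eq $want) {
    Write-Output "DisableMSI is already $want; nothing to change."
} else {
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output "DisableMSI is $shown; setting it to $want."

    # Create the policy key if it does not exist yet.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # -Force creates the value, or overwrites an existing one, as a DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
}

# Read the value back and fail loudly if the policy did not take effect.
$final = (Get-ItemProperty -Path $key -Name $name).$name
if ($final -ne $want) {
    throw "DisableMSI is $final, expected $want"
}
Write-Output "Verified: DisableMSI = $final"
```

With the value 2, Windows Installer is disabled for all applications, so the policy has to be reset before installing any MSI package, including an upgraded agent.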
For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.