Key Information

Title: Kiosk Escape Privilege Escalation
Product: One Identity Password Manager Secure Password Extension
Vulnerable Version: <5.13.1
Fixed Version: 5.13.1
CVE Number: CVE-2023-48654
Impact: Critical
Vendor Homepage: https://www.oneidentity.com/products/
Found Date: 09.10.2023
Authors: Stefan Schweighofer, Constantin Schieber-Knöbl (Office Vienna), Armin Weihbold (Office Linz)

---

Vulnerability Overview

Description: The Password Manager Extension from One Identity can be used to perform kiosk escapes on the lock screen of a Windows client, allowing an attacker to execute commands with SYSTEM permissions.

Types of Vulnerability:
1. Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)
2. Password Manager Kiosk Escape after Session Timeout

Proof of Concept: An attacker can use a locked machine with the extension installed to launch a kiosk mode browser and escape its constraints using external links and browser features.

Vulnerable/Tested Versions: 5.13 (all previous versions assumed affected)

---

Solution & Workaround

Vendor Solution: Patch version 5.13.1 is available for download from the vendor's support site.

Workaround: None provided.

---

Vendor Contact Timeline

Contact with vendor from reporting the issue to releasing the patch. Final security advisory release on 2023-12-06.

---

Advisory URL: https://sec-consult.com/vulnerability-lab/