Zscaler – Bypass Tamper Protection

Title: Zscaler – Bypass Tamper Protection
Discovery date: 08/11/2021
Release date: 04/11/2022
Credits: Almaviva Cyber Defence Threat Center
Affected products: Zscaler Client Connector
Class: Business-logic bypass

Disclosure timeline

08/11/2021 First report of the vulnerability to Zscaler
11/10/2022 Second report of the vulnerability to Zscaler
04/11/2022 Request for a CVE ID (not assigned)
10/11/2022 JCV-2022.11.10.01 released

Vulnerability details

This vulnerability allows a local user to rename the installation folders of the Zscaler Client Connector, bypassing the password prompt that is supposed to protect the removal of the agent. Renaming anything under Program Files requires local administrator rights, so the bypass is relevant where an administrator is deliberately kept from uninstalling the client by the Tamper Protection password.

Inside the product folder, by default C:\Program Files (x86)\Zscaler, there is a ZSAService folder. Renaming that folder prevents Zscaler from functioning, effectively disabling its protection.

When Zscaler is not running, the agent can be removed through the usual Windows path:

Control Panel > Programs and Features > Zscaler > Uninstall/Change

At this point the uninstaller prompts for the Tamper Protection password.

However, because the Zscaler client can no longer locate ZSAService.exe, which normally lives in the ZSAService folder, the check is not enforced: pressing OK, closing the window, or typing any string into the field is enough to proceed with the removal.

The same result is obtained by renaming ZSAService.exe alone, leaving the folder name unchanged.
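The two conditions the advisory relies on, a renamed ZSAService folder and a renamed ZSAService.exe, are easy to detect from the endpoint side. The following PowerShell check is an added example written for this page; it is not code from the advisory or from Zscaler. It assumes the default installation path quoted above, and it assumes that the client's Windows service can be found by a display name starting with "Zscaler" or a service name starting with "ZSA" (those name patterns, and the Authenticode check, are assumptions not stated in the advisory).

```powershell
# Added example: detect the tampering described in the advisory, i.e. the
# ZSAService folder or ZSAService.exe being renamed, removed or replaced.
# Assumptions (not from the advisory): default install path below, service
# matching on DisplayName 'Zscaler*' or Name 'ZSA*', vendor-signed binary.

$InstallRoot = 'C:\Program Files (x86)\Zscaler'   # default path per the advisory

function Test-ZscalerInstallIntegrity {
    param([string]$Root = $InstallRoot)

    $findings = [System.Collections.Generic.List[string]]::new()
    $serviceDir = Join-Path $Root 'ZSAService'
    $serviceExe = Join-Path $serviceDir 'ZSAService.exe'

    if (-not (Test-Path -LiteralPath $serviceDir -PathType Container)) {
        $findings.Add("missing folder: $serviceDir")
        # A renamed folder usually still sits next to the expected name.
        Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*ZSAService*' -and $_.Name -ne 'ZSAService' } |
            ForEach-Object { $findings.Add("renamed-looking folder: $($_.FullName)") }
    }
    elseif (-not (Test-Path -LiteralPath $serviceExe -PathType Leaf)) {
        # Folder is there (possibly an empty decoy) but the binary is not.
        $findings.Add("missing binary: $serviceExe")
        Get-ChildItem -LiteralPath $serviceDir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*ZSAService*' } |
            ForEach-Object { $findings.Add("renamed-looking file: $($_.FullName)") }
    }
    else {
        # Binary present: make sure it is still the vendor-signed file and not a stand-in.
        $sig = Get-AuthenticodeSignature -FilePath $serviceExe
        if ($sig.Status -ne 'Valid') {
            $findings.Add("ZSAService.exe signature status: $($sig.Status)")
        }
    }

    # The bypass only works once the client is not running, so a stopped
    # service is itself a signal worth raising.
    $services = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zscaler*' -or $_.Name -like 'ZSA*' }
    if (-not $services) {
        $findings.Add('no Zscaler service registered on this host')
    }
    foreach ($svc in $services) {
        if ($svc.Status -ne 'Running') {
            $findings.Add("service $($svc.Name) is $($svc.Status)")
        }
    }

    [pscustomobject]@{
        Tampered = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

# Usage: run elevated on the endpoint (or via your EDR/RMM script runner).
$result = Test-ZscalerInstallIntegrity
if ($result.Tampered) {
    Write-Warning 'Zscaler Client Connector install looks tampered with:'
    $result.Findings | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Output 'Zscaler Client Connector folder, binary and service look intact.'
```

The check deliberately distinguishes three cases: the folder is gone (the advisory's first variant), the folder exists but the binary does not (the second variant, or an empty decoy folder), and the binary exists but is no longer the signed vendor file. Scheduling it alongside a SACL that audits object access on the ZSAService folder turns the rename itself into a Security-log event, which is the earliest point at which an administrator can be alerted that the Tamper Protection password is about to be sidestepped.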
