Zscaler – Bypass Disable Service

Title: Zscaler – Bypass Disable Service
Discovery date: 08/11/2021
Release date: 04/11/2022
Credits: Almaviva Cyber Defence Threat Center
Affected products: Zscaler Client Connector
Class: Bypass business logic

Disclosure timeline

08/11/2021 First report of vulnerability to Zscaler
11/10/2022 Second report of vulnerability to Zscaler
04/11/2022 Request for CVE ID (Not Assigned)
10/11/2022 JCV-2022.11.10.02 released

Vulnerability details

This vulnerability allows a user to rename system folders of the Zscaler Client Connector. Doing so blocks the services from restarting, leaves the agent configured as Turn Off, and lets the user browse the web without their requests being redirected through the protected tunnel.

Inside the product’s folder, which by default is C:\Program Files (x86)\Zscaler, you can find the ZSAService folder. By modifying this folder, Zscaler can no longer function, which de facto disables its protection.

By opening the Zscaler Client Connector interface and going to the “More” menu, you can force a restart of the services via “Restart Service”. The agent will try to restart them, but it will inevitably fail.

Unable to restore the necessary services, the Zscaler Agent will be set to OFF, which prevents the Zscaler Internet Access manager from detecting anomalies.
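A defensive health check for the condition described above, written here as an added example and not part of the original advisory or of Zscaler’s own tooling. It assumes the default install root and the ZSAService folder name given in the advisory; the Windows service name ZSAService is an assumption and should be confirmed on a known-good host with Get-Service.

```powershell
# Added example (not from the advisory): detect a missing or renamed ZSAService
# folder and a stopped Client Connector service, the state an endpoint is left in
# after the bypass described above.
$InstallRoot = 'C:\Program Files (x86)\Zscaler'        # default path from the advisory
$ExpectedDir = Join-Path $InstallRoot 'ZSAService'      # folder name from the advisory
$ServiceName = 'ZSAService'                             # ASSUMED service name; verify on a healthy host

$findings = @()

if (-not (Test-Path -LiteralPath $InstallRoot -PathType Container)) {
    $findings += "Install root missing: $InstallRoot"
}
elseif (-not (Test-Path -LiteralPath $ExpectedDir -PathType Container)) {
    $findings += "Expected folder missing (possibly renamed): $ExpectedDir"
    # Surface sibling folders whose name still starts with ZSAService so an analyst
    # can spot a renamed copy without guessing the new name.
    Get-ChildItem -LiteralPath $InstallRoot -Directory |
        Where-Object { $_.Name -like 'ZSAService*' } |
        ForEach-Object { $findings += "Candidate renamed folder: $($_.FullName)" }
}

# Folder present or not, the service state is the second signal: the advisory
# notes the agent ends up OFF after the failed restart.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Service '$ServiceName' is not registered on this host"
}
elseif ($svc.Status -ne 'Running') {
    $findings += "Service '$ServiceName' is in state '$($svc.Status)'"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Zscaler Client Connector folder present and service running'
    exit 0
}
else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    exit 1
}
```

Run it from an elevated prompt on a schedule or through your endpoint management tool; a non-zero exit code marks hosts whose agent has been disabled in this way, which the Zscaler Internet Access side will not report on its own. Enabling file-system auditing (a SACL) on the install root additionally records the rename attempt itself in the Windows Security log.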
