Bypass Record

Tamper-Protection Bypass × Zscaler Client Connector for Windows

A publicly reported instance of a Tamper-Protection Bypass against Zscaler Client Connector for Windows, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Zscaler Client Connector for Windows
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-04-30
Config / version noted: Yes

Provenance

Reported as

CVE-2024-23463 is a TOCTOU race condition in Zscaler Client Connector for Windows that allows low-privileged attackers to bypass anti-tampering protections.

Mechanism

A Time-of-Check Time-of-Use (TOCTOU) race condition in the Repair App functionality: a timing gap between the anti-tampering security check and the actual use of the protected resource allows an attacker to change system state between the two, bypassing the protection and potentially disabling or reconfiguring the Zscaler Client Connector agent.

Detection & mitigation

Monitor for unexpected termination or reconfiguration of Zscaler Client Connector processes, especially during repair operations. Use endpoint detection and response (EDR) telemetry to alert on suspicious process interactions or file modifications targeting Zscaler binaries and configuration files, and ensure the agent is updated to version 4.2.1 or later, which remediates the vulnerability.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.