What is Privilege Escalation?

Privilege Escalation enables unauthorized access to sensitive systems, placing confidential data at risk. Learn why organizations must mitigate this critical vulnerability and what strategies are effective in keeping endpoints protected.

August 8 2024 by

Jesus Vigo

A person taking an elevator up to access the second-level bookshelf filled with information.

Introduction

No one ever said there’s no shortage of excitement in cybersecurity. And by excitement, we mean security threats to bring devices out of compliance, disrupt business operations and gain unauthorized access to networked systems and confidential data.

One such example as a result of a vulnerability, is called privilege escalation. In this blog, we:

  • Explain what privilege escalation is
  • Discuss the different types of privilege escalation
  • Help security pros and users understand its criticality
  • Give examples of recent vulnerabilities impacting Mac
  • Provide strategies to mitigate the risk of privilege escalation

What is Privilege Escalation?

According to the EC Council, privilege escalation is defined as “a cyberattack technique where an attacker gains unauthorized access to higher privileges.

In the context of cybersecurity, threat actors seek to elevate access permissions, often attempting to gain administrator-level access, or root to further their objectives by exploiting:

  • Security flaws
  • Weaknesses
  • Vulnerabilities

While the form in which the exploit occurs is most often software-based, it doesn’t always have to be. Avenues that are commonly exploited by threat actors to carry privilege escalation are:

  • Software bugs
  • Processes/workflow errors
  • Hardware design flaws
  • Human behaviors
  • System misconfigurations
  • Ineffective security controls

How are horizontal and vertical privilege escalation different?

There are two versions of privilege escalation. While similar, differences between how each achieves escalation of privileges result in their different uses by threat actors when carrying out attacks.

Vertical

The most common form of privilege escalation, vertical aims to elevate access from a lower level, or standard account to admin-level permissions or an administrator account.

Horizontal

Unlike its sibling above, this type of escalation doesn’t really elevate access to a higher level but rather aims to gain access to another account or process with a similar permission set. Also referred to as an account takeover.

Why is understanding privilege escalation important for security professionals and users?

For security professionals and users alike, the adage coined by Thomas Jefferson “Knowledge is power”, holds true for many cybersecurity threats — and privilege escalation is no different.

For the former, knowledge of privilege escalation attacks represents a serious threat to the security posture of impacted devices and to a greater extent the infrastructure itself. Furthermore, a key mitigation tactic (which we dive into further later on) to minimize the risk of privilege escalation is patch management.

On the user front, awareness of privilege escalation tactics can help to side-step falling victim to this attack.

Examples of privilege escalation vulnerabilities on Mac

20 years ago or so, the state of Apple security culture was best captured in a series of whimsical “I’m a Mac” commercials like the one below about viruses.

"I'm a Mac" commercial from 2006

Fast forward to the modern threat landscape and no platform is safe from malware threats — not even Apple.

As we’ve written about many times over, threat actors target the largest numbers possible with their attacks to inflict maximum damage for their efforts. Apple and mobile devices are two such targets that yield the types of installed user bases that attackers find too attractive to pass up.

Below are a few recent examples of privilege escalation vulnerabilities used to target Mac and iOS/iPad operating systems:

An app may be able to elevate privileges

Date: 03/05/2024

CVE: CVE-2024-23288

OS affected: iOS/iPadOS 17.5 and earlier

Severity: HIGH (for medium to large enterprises and governments)

Type of escalation: Vertical

An attacker may be able to elevate privileges

Date: 05/13/2024

CVE: CVE-2024-27796 and CVE-2023-42861

OS affected: iOS/iPadOS 17.4 and earlier; macOS 14.5 and earlier

Severity: HIGH (for medium to large enterprises and governments)

Type of escalation: Vertical and Horizontal

An app may be able to execute arbitrary code with kernel privileges

Date: 05/13/2024

CVE: CVE-2024-27842

OS affected: macOS 14.5 and earlier

Severity: HIGH (for medium to large enterprises and governments); LOW (for home users)

Best practices and strategies to protect against privilege escalation vulnerabilities

As with most threats and vulnerabilities in cybersecurity, careful planning, combined with the right controls and proper tooling helps IT/Security teams prevent known threats while minimizing the risk from unknown threats. Ultimately, enforcing compliance and reducing exposure by minimizing the attack surface to maintain a strong cybersecurity baseline.

Five ways to keep Apple endpoints protected against privilege escalation vulnerabilities are:

  1. Patch Management: Mobile Device Management (MDM) solutions help administrators to keep up-to-date with updates, as well as, deploy the latest versions of applications. Doing so ensures that vulnerabilities, like privilege escalation among others, are effectively neutralized before threat actors can move to exploit gaps in your security plan.
  2. Account Administration: Centrally managing cloud-based accounts allows admins to establish baselines for credential security across your infrastructure, such as password policies that limit the use of weak passwords or prevent the reuse of previously used ones.
  3. Device Health Telemetry: Understanding the current state of your endpoints is the first step toward ensuring compliance. Active monitoring allows IT/Security to make informed decisions based on real-time device health status, speeding up triage and incident response.
  4. Zero Trust Network Access (ZTNA): Supercharge identity and access by preventing access to protected resources by devices and credentials that have been compromised or exceed risk tolerance levels unique to your organization. Never trust — always verify.
  5. Policy-based Enforcement: Align compliance requirements with industry regulations and organizational needs. Customize policies in endpoint security and integrate them with MDM to trigger workflows to mitigate risk and remediate threats automatically.

Threat actors don’t limit themselves to just one type of attack.

Why should organizations be limited to one tool to protect their fleet?