Advisories

Keep informed of topics that impact X_TRADER® trading environments. Visit the TT app's Message Center to access TT platform advisories.

Privilege escalation vulnerability in X_TRADER installation

Current versions of X_TRADER ship an installer with a privilege escalation vulnerability. Executables that run as local system services are installed with insecure file permissions, so a non-privileged user who can write to the installation directory can replace them with a malicious payload, which is then executed with the privileges of the service account. Exploitation requires the attacker to already have authenticated access to the trading workstation's filesystem.

TT is rebuilding the X_TRADER installation packages and will release an updated installer that revokes write and delete access on the relevant executables next week (week of April 29th). Until then, the manual remediation steps below close the vulnerability.

Because of this change, X_TRADER installation and updates now require Administrator privileges in all cases. As a result, automated installation via TT Update is deprecated.

Firms that repackage X_TRADER should verify that their own package denies write and delete access to these executables for all non-administrators.

Manual remediation steps

Administrators may also address the vulnerability by removing write and delete access for all non-administrators on the Guardian and TT Messaging executables found under the X_TRADER installation root. The commands below deny write and delete on the executables and libraries in each directory, then deny delete-child on the directories themselves, since Windows will otherwise let a user delete a file through the delete-child right on its parent folder. Note that the deny entries are placed on Everyone, which also includes Administrators, so an administrator will need to remove those deny entries before a future update or uninstall can replace the files. For example:

REM Change to the X_TRADER installation root (substitute its path here).
cd
cd Guardian
REM S-1-5-7 is ANONYMOUS LOGON and S-1-1-0 is Everyone.  Deny write (W) and
REM delete (DE) on the service executables and their libraries.
icacls *.exe /deny *S-1-5-7:(w,de) /deny *S-1-1-0:(w,de)
icacls *.dll /deny *S-1-5-7:(w,de) /deny *S-1-1-0:(w,de)
REM Windows still allows users to delete files if they have the DC
REM (delete child) permission on the containing folder, so deny DC as well.
icacls . /deny *S-1-5-7:(dc) /deny *S-1-1-0:(dc)
REM The Config subdirectory will now inherit the DC flag from its parent, which
REM breaks the product tables maintained by Guardian.  Add DC back to
REM the Config subdirectory.
icacls Config /grant *S-1-1-0:(dc)
REM Repeat for the TT Messaging directory (no Config exception is needed there).
cd ../ttm
icacls *.exe /deny *S-1-5-7:(w,de) /deny *S-1-1-0:(w,de)
icacls *.dll /deny *S-1-5-7:(w,de) /deny *S-1-1-0:(w,de)
icacls . /deny *S-1-5-7:(dc) /deny *S-1-1-0:(dc)
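To confirm that the manual remediation, or a firm's own repackaged installer, actually removed the access, the following PowerShell audit is an added example and not code from TT or from the advisory. It walks the Guardian and ttm directories named above, reads each ACL, and reports any Allow entry that still gives a principal other than SYSTEM or BUILTIN\Administrators write, delete, take-ownership or change-permissions rights on an .exe or .dll, or delete-child on the directory, after subtracting any matching Deny entry on the same SID or on Everyone. The -InstallRoot default is a placeholder path, not one taken from the advisory, and the script deliberately does not descend into Guardian\Config, where the remediation grants delete-child back on purpose.

```powershell
<#
Added example, not code from TT or the X_TRADER advisory. Audits the Guardian
and TT Messaging (ttm) directories for write/delete access that a
non-administrator could use to replace a service binary. Run elevated.
Assumption: -InstallRoot is the X_TRADER installation root; the default below
is a placeholder, not a path taken from the advisory.
#>
param(
    [string]$InstallRoot = 'C:\tt'   # placeholder; point at your installation root
)

$Rights  = [System.Security.AccessControl.FileSystemRights]
$SidType = [System.Security.Principal.SecurityIdentifier]

# Rights on a file that let the caller overwrite, delete or re-permission it.
$FileMask = [int]($Rights::Write -bor $Rights::Delete -bor
                  $Rights::TakeOwnership -bor $Rights::ChangePermissions)
# On the containing folder, FILE_DELETE_CHILD alone is enough to delete a file.
$DirMask  = [int]$Rights::DeleteSubdirectoriesAndFiles

# Principals expected to keep write access to service binaries.
$Trusted = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

function Get-RiskyRules {
    param([string]$Path, [int]$Mask)
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType)

    # Rights explicitly denied per SID. A deny on Everyone (S-1-1-0), which is
    # what the advisory's icacls commands add, applies to every token, so it is
    # folded into each comparison below.
    $denied = @{}
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny') {
            $sid = $r.IdentityReference.Value
            if (-not $denied.ContainsKey($sid)) { $denied[$sid] = 0 }
            $denied[$sid] = $denied[$sid] -bor [int]$r.FileSystemRights
        }
    }
    $everyoneDenied = 0
    if ($denied.ContainsKey('S-1-1-0')) { $everyoneDenied = $denied['S-1-1-0'] }

    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $sid = $r.IdentityReference.Value
        if ($Trusted -contains $sid) { continue }
        $cancel = $everyoneDenied
        if ($denied.ContainsKey($sid)) { $cancel = $cancel -bor $denied[$sid] }
        # Dangerous rights that survive once the matching deny bits are removed.
        $effective = [int]$r.FileSystemRights -band (-bnot $cancel) -band $Mask
        if ($effective -eq 0) { continue }
        $name = $sid
        try { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = [System.Security.AccessControl.FileSystemRights]$effective
            Inherited = $r.IsInherited
        }
    }
}

$findings = foreach ($dir in 'Guardian', 'ttm') {
    $full = Join-Path $InstallRoot $dir
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        Write-Warning "Not found: $full"
        continue
    }
    Get-RiskyRules -Path $full -Mask $DirMask
    Get-ChildItem -LiteralPath $full -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { Get-RiskyRules -Path $_.FullName -Mask $FileMask }
}

$findings = @($findings)
if ($findings.Count -eq 0) {
    Write-Host "OK: no non-administrator write/delete access on Guardian or ttm binaries."
    exit 0
}
$findings | Format-Table -AutoSize
Write-Host "$($findings.Count) ACE(s) still allow non-administrators to replace or remove binaries."
exit 1
```

Run it from an elevated prompt, for example as .\Audit-XTraderAcl.ps1 -InstallRoot 'D:\TT' (the script name and path are illustrative). The check errs toward over-reporting: it subtracts denies on the same SID and on Everyone but does not expand group membership, so a deny placed on a narrower group would not cancel an allow on a different group, and that allow would be listed. Anything it reports on an .exe, .dll or on the directory itself should be resolved with the icacls steps above, or by fixing the repackaged installer, before the workstation is considered remediated.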
