UPDATE Maintenance Window for 4/1/23 has been cancelled

ATTENTION: The Maintenance we previously slated to have happen this April 1st has been canceled:

While going through our preparations for the upcoming maintenance on Saturday April 1st, our team uncovered dependency on a system that needed to be updated. Due to this dependency, the team has decided to postpone the maintenance on our RMM Services until the dependency is resolved. We will notify partners again when the maintenance has been rescheduled with the new details.

While you are resolving this dependency, please also resolve the security flaw being installed on every SyncroMSP device with 3rd party patching enabled.

Chocolatey version 0.11.3 is the version being deployed, and it contains a security-related bug:
[Security] Unable to extract files from nupkg when different file name encoding is used · Issue #2816 · chocolatey/choco · GitHub

SyncroMSP should always be deploying the latest chocolatey version


I’m seeing 1.3.1 on our machines.

Well that is interesting.

Over on this thread it was reported to be 0.11.3. Maybe SyncroMSP has since updated it behind the scenes

Installing 3rd party apps is not simple - Patch Management / 3rd Party Patch Management - Syncro Support Community (syncromsp.com)

Just to make sure we’re on the same page, you’re checking the properties on C:\Program Files\RepairTech\Syncro\kabuto_app_manager\choco.exe? I checked half a dozen and they’re all 0.11.3 or 0.11.2.

When I ran “C:\Program Files\RepairTech\Syncro\kabuto_app_manager\choco.exe” /? it came back as 1.3.1, same as just doing choco /?. I also downloaded it from the asset and properties also shows 1.3.1. I checked both older assets and newer assets and couldn’t find any old versions.

Sounds like my tenant or something I’ve done has borked all mine. This will be fun to figure out. I have a feeling support isn’t going to be very helpful with something like this :P


The only other thing I do with choco is that I run the upgrade all daily, but I haven’t found any evidence that it would upgrade choco itself. I was going to see about finding a machine

I just installed it fresh and initially I noticed an older version of Choco that got pushed. It got renamed to choco.exe.old, the new version appeared and then that got deleted. I couldn’t get the version so I removed it and had it redo it and it was .11.2.0 that came down first, but then it updated right after to 1.3.1.

and shouldn’t have been. When installing a new agent on a fresh machine, I would expect that the agent is the most recent version, and all the components of the agent are the most recent version.
Furthermore if a component of the Agent (Chocolatey or anything else) hasn’t correctly updated to the latest version…at time of install or in the future…then there should/must be an alert/notification that bubbles up to the tech in some way.
Otherwise years could go by without anyone knowing that parts of an Agent install on an endpoint owned by a MSP or their clients have security vulnerabilities.

I agree, I just haven’t caught any older version and since choco isn’t a normal install, it’s not easy to audit either. I just sent this over to security@ to see if this can get fixed. Shouldn’t be hard to change it to install the latest version.


I did a little playing around, but just decided this is probably not worth my time and just added a line to upgrade Syncro’s choco to my regular choco monitor script. It probably should be there anyway, just to make sure. Referencing Syncro’s choco directly upgraded from 0.11.3 to 1.3.1 without issue, so I’m chalking it up to some conflict between the two installs.
&"C:\Program Files\RepairTech\Syncro\kabuto_app_manager\choco.exe" upgrade chocolatey -y
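As an added example (not code from Syncro, Chocolatey, or any poster in this thread), here is one way to turn that one-liner into an RMM monitor script that does what the earlier posts ask for: read the version of the agent-bundled choco.exe both from the file properties and from the CLI itself (the two disagreed for one poster after a choco.exe.old swap), upgrade it in place when it is below a floor, and exit non-zero so the RMM raises an alert instead of letting an old copy sit unnoticed. The path is the one quoted in the thread; the 1.3.1 floor is an assumption taken from the version the other poster observed, not a statement about which release fixed the linked issue; `choco --version` is a real Chocolatey CLI flag.

```powershell
# Added example for a Syncro script monitor; assumptions are marked inline.
$SyncroChoco = 'C:\Program Files\RepairTech\Syncro\kabuto_app_manager\choco.exe'
$MinVersion  = [version]'1.3.1'   # assumption: the version seen on healthy agents in this thread

function Get-ChocoVersionInfo {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # File properties are what one poster checked; the CLI's own report is what the other
    # poster checked. Collect both so a stale choco.exe.old / half-finished swap is visible.
    $fileVer = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    $cliVer  = (& $Path --version 2>$null | Select-Object -First 1)
    [pscustomobject]@{ Path = $Path; FileVersion = $fileVer; CliVersion = $cliVer }
}

function ConvertTo-Version {
    param([string]$Text)
    # Strip a prerelease suffix such as "-beta" so [version] parsing does not throw.
    $clean = ($Text -replace '-.*$', '').Trim()
    try { return [version]$clean } catch { return $null }
}

$info = Get-ChocoVersionInfo -Path $SyncroChoco
if ($null -eq $info) {
    Write-Output "Syncro choco.exe not found at $SyncroChoco (3rd party patching may be disabled)"
    exit 0
}
Write-Output ("Syncro choco: file={0} cli={1}" -f $info.FileVersion, $info.CliVersion)

$current = ConvertTo-Version $info.CliVersion
if ($null -eq $current) { $current = ConvertTo-Version $info.FileVersion }

if ($null -eq $current -or $current -lt $MinVersion) {
    Write-Output "Version $current is below $MinVersion; upgrading Syncro's Chocolatey in place"
    # Same command the poster added to their monitor script.
    & $SyncroChoco upgrade chocolatey -y | Out-Null

    $after = ConvertTo-Version (Get-ChocoVersionInfo -Path $SyncroChoco).CliVersion
    if ($null -eq $after -or $after -lt $MinVersion) {
        # Non-zero exit is what makes the RMM surface this to a tech.
        Write-Output "ALERT: Syncro choco.exe still reports $after after upgrade attempt"
        exit 1
    }
    Write-Output "Upgraded Syncro choco.exe to $after"
}
exit 0
```

Run it from the RMM as SYSTEM on a schedule; because it exits 1 only when the bundled copy is still below the floor after an upgrade attempt, a green run means the agent's Chocolatey is at or above the version you chose, regardless of what the separately installed system-wide choco reports.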