SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT (CVE-2024-38456)
2024-9-3 10:16:24 Author: seclists.org(查看原文) 阅读量:11 收藏
fulldisclosure logo

Full Disclosure mailing list archives

From: David Brown via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 2 Sep 2024 16:08:34 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====
SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT 

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2024-38456

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt

Affected products/vendor
========================
HIGH-LEIT by VIVAVIS AG[0]. Version 4 and 5 are different product lines, both are affected: 

HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)
HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for 31.10.2024) 

Summary
=======
HIGH-LEIT is a scalable SCADA network control system designed for infrastructure applications in the energy, water supply, wastewater, and environmental sectors, as well as associated utilities and industrial applications. HIGH-LEIT is used for operational networks in critical infrastructure. The Windows services "HL-InstallService-hlnt" for HIGH-LEIT Version 4 and "HL-InstallService-hlxw" for Version 5 allow for an authenticated attackers in the Active Directory group "HL-TS-Gruppe" to escalate their privileges to local system. 

Risk
====
The vulnerability allows attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement. 

Description
===========
During a penetration test, SCHUTZWERK tested a terminal server part of an internal OT Network. The software HIGH-LEIT 5 was found to be installed on this terminal server.
HIGH-LEIT 5 has a windows service named "HL-InstallService-hlxw", that runs as local system with start mode "autostart". By default, for affected versions, the executable "D:\hlxw\update\bin\prunsrv.exe" is modifiable by the Active Directory group "HL-TS-Gruppe". The granted modify permission on "D:\hlxw\update\bin\prunsrv.exe" is inherited from the modify permission on the folder "D:\hlxw". The Active Directory group "HL-TS-Gruppe" is needed for every user interacting with the HIGH-LEIT software. This means this exploit is available from any HIGH-LEIT user with low privileges (e.g. auditors with read-only permissions). The user can modify the executable "prunsrv.exe" and wait for or force a system reboot. Afterwards the modified "prunsrv.exe" is executed as local system on the server. 

Solution/Mitigation
===================

For HIGH-LEIT Version 4:
- - Update to version 4.25.01.02 or newer, or
- - apply the vendors workaround via GPO to mitigate the vulnerability, or
- - manually remove the modify permission of the Active Directory group "HL-TS-Gruppe" on the folder "D:\hlnt". 

For HIGH-LEIT Version 5:
- - Update to version 5.8.01.04 (release planned for 31.10.24), or
- - apply the vendors workaround via GPO to mitigate the vulnerability, or
- - manually remove the modify permission of the Active Directory group "HL-TS-Gruppe" on the folder "D:\hlxw". 

Disclosure timeline
===================

2024-05-14: Vulnerability discovered
2024-05-14: Vulnerability reported and presented to affected customer
2024-05-16: Vulnerability presented to vendor
2024-05-16: Vulnerability details reported to vendor
2024-05-17: Vendor started working on patch
2024-05-22: Vendor started deploying workaround to customers
2024-06-05: Green light from customer for Advisory
2024-06-13: Patch for HIGH-LEIT 4 finished
2024-06-13: Meeting with vendor to plan disclosure/patch release
2024-06-14: CVE-2024-38456 reserved
2024-08-16: Vendor finished deployment of patch/workaround for all affected customers 
2024-08-16: Meeting with vendor to plan disclosure
2024-08-23: Meeting with vendor to plan disclosure
2024-09-02: Disclosure by SCHUTZWERK
2024-09-02: Disclosure by vendor at https://www.vivavis.com/service/it-security-bulletin/ 

Contact/Credits
===============
The vulnerability was discovered during an assessment by Lukas Krieg (lkrieg () schutzwerk com) of SCHUTZWERK GmbH. 

References
==========

[0] https://www.vivavis.com/loesung/leittechnik/high-leit/
[1] https://www.vivavis.com/service/it-security-bulletin/

Disclaimer
==========
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ). 

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbVfC0aHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvLwhAAmq8ALbZdWarhHZGgPAMJ
5mU/24qCCY5M3roi4zBv9GFzSbJVF4TdgpceOkyrCYHtTZWGEYdc8ewd6DLarweH
Kcj+KyCA6JIbb94E2CVrDAXgpjJWsvG1CSvHax+erG/FppEk/ud9t+DJhCSVbkMT
KeqTz1G02tpKnHVgd2ogVF9ydJVdEcV4QJD/tkUfQukWomIGNRt+JNoxcCv362H1
fk3uVghrXxWeo3P0oDvWg4S2+3IEZPPtW1PCqfo9SFO2Ll7xF/2015Hl1Sn0TOAA
y4JJqDNOwIN5hIP6JvIs+W6uLLU3IGFUEWg1CiplOY3CC1kfEorQtvsDamNq9QWF
2r6CaWNN2FYpHkiEygYJsnn8Z3vzqqQQnaym2mwlsxe0ggutADCg2FbkybqTUF+D
fUGoQjaq7eojUTGS7fgNlOUua2euImjv9NMpzg00yMb6os6P+HetT+fv2G67TLKS
ptqQ73H+On4h2DP/DPkF1q7hBBZtT1I2Xx6er65AtSKjwOsLBOWSR1BNW+QJ/D56
pPhYHR+lVakHO/TMzILys5dPSXY3TU1iX0XpgvddIqONgViMR54a5MV/Vv1lL9xb
qEcGtqtX84cg74vQuwUbl69pP+69Y+ACDoBdaemRex1tjR6seFBI27XRsn+E8a+a
kQGdwKyB2qT0UNuLyFhcVi4=
=3K1g
-----END PGP SIGNATURE-----
--
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories () schutzwerk com / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Attachment: OpenPGP_0x1AB5DF9132172EBB.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT (CVE-2024-38456) David Brown via Fulldisclosure (Sep 02)

文章来源: https://seclists.org/fulldisclosure/2024/Sep/0
如有侵权请联系:admin#unsafe.sh