-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Title ===== SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT Status ====== PUBLISHED Version ======= 1.0 CVE reference ============= CVE-2024-38456 Link ==== https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/ Text-only version: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt Affected products/vendor ======================== HIGH-LEIT by VIVAVIS AG[0]. Version 4 and 5 are different product lines, both are affected: HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available) HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for 31.10.2024) Summary ======= HIGH-LEIT is a scalable SCADA network control system designed for infrastructure applications in the energy, water supply, wastewater, and environmental sectors, as well as associated utilities and industrial applications. HIGH-LEIT is used for operational networks in critical infrastructure. The Windows services "HL-InstallService-hlnt" for HIGH-LEIT Version 4 and "HL-InstallService-hlxw" for Version 5 allow for an authenticated attackers in the Active Directory group "HL-TS-Gruppe" to escalate their privileges to local system. Risk ==== The vulnerability allows attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement. Description =========== During a penetration test, SCHUTZWERK tested a terminal server part of an internal OT Network. The software HIGH-LEIT 5 was found to be installed on this terminal server. HIGH-LEIT 5 has a windows service named "HL-InstallService-hlxw", that runs as local system with start mode "autostart". By default, for affected versions, the executable "D:\hlxw\update\bin\prunsrv.exe" is modifiable by the Active Directory group "HL-TS-Gruppe". The granted modify permission on "D:\hlxw\update\bin\prunsrv.exe" is inherited from the modify permission on the folder "D:\hlxw". The Active Directory group "HL-TS-Gruppe" is needed for every user interacting with the HIGH-LEIT software. This means this exploit is available from any HIGH-LEIT user with low privileges (e.g. auditors with read-only permissions). The user can modify the executable "prunsrv.exe" and wait for or force a system reboot. Afterwards the modified "prunsrv.exe" is executed as local system on the server. Solution/Mitigation =================== For HIGH-LEIT Version 4: - - Update to version 4.25.01.02 or newer, or - - apply the vendors workaround via GPO to mitigate the vulnerability, or - - manually remove the modify permission of the Active Directory group "HL-TS-Gruppe" on the folder "D:\hlnt". For HIGH-LEIT Version 5: - - Update to version 5.8.01.04 (release planned for 31.10.24), or - - apply the vendors workaround via GPO to mitigate the vulnerability, or - - manually remove the modify permission of the Active Directory group "HL-TS-Gruppe" on the folder "D:\hlxw". Disclosure timeline =================== 2024-05-14: Vulnerability discovered 2024-05-14: Vulnerability reported and presented to affected customer 2024-05-16: Vulnerability presented to vendor 2024-05-16: Vulnerability details reported to vendor 2024-05-17: Vendor started working on patch 2024-05-22: Vendor started deploying workaround to customers 2024-06-05: Green light from customer for Advisory 2024-06-13: Patch for HIGH-LEIT 4 finished 2024-06-13: Meeting with vendor to plan disclosure/patch release 2024-06-14: CVE-2024-38456 reserved 2024-08-16: Vendor finished deployment of patch/workaround for all affected customers 2024-08-16: Meeting with vendor to plan disclosure 2024-08-23: Meeting with vendor to plan disclosure 2024-09-02: Disclosure by SCHUTZWERK 2024-09-02: Disclosure by vendor at https://www.vivavis.com/service/it-security-bulletin/ Contact/Credits =============== The vulnerability was discovered during an assessment by Lukas Krieg (lkrieg@schutzwerk.com) of SCHUTZWERK GmbH. References ========== [0] https://www.vivavis.com/loesung/leittechnik/high-leit/ [1] https://www.vivavis.com/service/it-security-bulletin/ Disclaimer ========== The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ). SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/ SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/ -----BEGIN PGP SIGNATURE----- iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbVfC0aHGFkdmlzb3Jp ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvLwhAAmq8ALbZdWarhHZGgPAMJ 5mU/24qCCY5M3roi4zBv9GFzSbJVF4TdgpceOkyrCYHtTZWGEYdc8ewd6DLarweH Kcj+KyCA6JIbb94E2CVrDAXgpjJWsvG1CSvHax+erG/FppEk/ud9t+DJhCSVbkMT KeqTz1G02tpKnHVgd2ogVF9ydJVdEcV4QJD/tkUfQukWomIGNRt+JNoxcCv362H1 fk3uVghrXxWeo3P0oDvWg4S2+3IEZPPtW1PCqfo9SFO2Ll7xF/2015Hl1Sn0TOAA y4JJqDNOwIN5hIP6JvIs+W6uLLU3IGFUEWg1CiplOY3CC1kfEorQtvsDamNq9QWF 2r6CaWNN2FYpHkiEygYJsnn8Z3vzqqQQnaym2mwlsxe0ggutADCg2FbkybqTUF+D fUGoQjaq7eojUTGS7fgNlOUua2euImjv9NMpzg00yMb6os6P+HetT+fv2G67TLKS ptqQ73H+On4h2DP/DPkF1q7hBBZtT1I2Xx6er65AtSKjwOsLBOWSR1BNW+QJ/D56 pPhYHR+lVakHO/TMzILys5dPSXY3TU1iX0XpgvddIqONgViMR54a5MV/Vv1lL9xb qEcGtqtX84cg74vQuwUbl69pP+69Y+ACDoBdaemRex1tjR6seFBI27XRsn+E8a+a kQGdwKyB2qT0UNuLyFhcVi4= =3K1g -----END PGP SIGNATURE----- -- SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany Zertifiziert / Certified ISO 27001, 9001 and TISAX Phone +49 731 977 191 0 advisories@schutzwerk.com / www.schutzwerk.com Geschäftsführer / Managing Directors: Jakob Pietzka, Michael Schäfer Amtsgericht Ulm / HRB 727391 Datenschutz / Data Protection www.schutzwerk.com/datenschutz