Advisory: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT (CVE-2024-38456)
Release of SCHUTZWERK-SA-2024-001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Title
=====
SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT
Status
======
PUBLISHED
Version
=======
1.0
CVE reference
=============
CVE-2024-38456
Link
====
https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/
Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt
Affected products/vendor
========================
HIGH-LEIT by VIVAVIS AG[0]. Version 4 and 5 are different product lines, both are affected:
HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)
HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for 31.10.2024)
Summary
=======
HIGH-LEIT is a scalable SCADA network control system designed for infrastructure applications in the energy, water supply, wastewater, and environmental sectors, as well as associated utilities and industrial applications. HIGH-LEIT is used for operational networks in critical infrastructure.
The Windows services "HL-InstallService-hlnt" for HIGH-LEIT Version 4 and "HL-InstallService-hlxw" for Version 5 allow for an authenticated attackers in the Active Directory group "HL-TS-Gruppe" to escalate their privileges to local system.
Risk
====
The vulnerability allows attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.
Description
===========
During a penetration test, SCHUTZWERK tested a terminal server part of an internal OT Network. The software HIGH-LEIT 5 was found to be installed on this terminal server.
HIGH-LEIT 5 has a windows service named "HL-InstallService-hlxw", that runs as local system with start mode "autostart". By default, for affected versions, the executable "D:\hlxw\update\bin\prunsrv.exe" is modifiable by the Active Directory group "HL-TS-Gruppe". The granted modify permission on "D:\hlxw\update\bin\prunsrv.exe" is inherited from the modify permission on the folder "D:\hlxw". The Active Directory group "HL-TS-Gruppe" is needed for every user interacting with the HIGH-LEIT software. This means this exploit is available from any HIGH-LEIT user with low privileges (e.g. auditors with read-only permissions). The user can modify the executable "prunsrv.exe" and wait for or force a system reboot. Afterwards the modified "prunsrv.exe" is executed as local system on the server.
Solution/Mitigation
===================
For HIGH-LEIT Version 4:
- - Update to version 4.25.01.02 or newer, or
- - apply the vendors workaround via GPO to mitigate the vulnerability, or
- - manually remove the modify permission of the Active Directory group "HL-TS-Gruppe" on the folder "D:\hlnt".
For HIGH-LEIT Version 5:
- - Update to version 5.8.01.04 (release planned for 31.10.24), or
- - apply the vendors workaround via GPO to mitigate the vulnerability, or
- - manually remove the modify permission of the Active Directory group "HL-TS-Gruppe" on the folder "D:\hlxw".
Disclosure timeline
===================
2024-05-14: Vulnerability discovered
2024-05-14: Vulnerability reported and presented to affected customer
2024-05-16: Vulnerability presented to vendor
2024-05-16: Vulnerability details reported to vendor
2024-05-17: Vendor started working on patch
2024-05-22: Vendor started deploying workaround to customers
2024-06-05: Green light from customer for Advisory
2024-06-13: Patch for HIGH-LEIT 4 finished
2024-06-13: Meeting with vendor to plan disclosure/patch release
2024-06-14: CVE-2024-38456 reserved
2024-08-16: Vendor finished deployment of patch/workaround for all affected customers
2024-08-16: Meeting with vendor to plan disclosure
2024-08-23: Meeting with vendor to plan disclosure
2024-09-02: Disclosure by SCHUTZWERK
2024-09-02: Disclosure by vendor at https://www.vivavis.com/service/it-security-bulletin/
Contact/Credits
===============
The vulnerability was discovered during an assessment by Lukas Krieg (lkrieg@schutzwerk.com) of SCHUTZWERK GmbH.
References
==========
[0] https://www.vivavis.com/loesung/leittechnik/high-leit/
[1] https://www.vivavis.com/service/it-security-bulletin/
Disclaimer
==========
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).
SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/
SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbVfC0aHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvLwhAAmq8ALbZdWarhHZGgPAMJ
5mU/24qCCY5M3roi4zBv9GFzSbJVF4TdgpceOkyrCYHtTZWGEYdc8ewd6DLarweH
Kcj+KyCA6JIbb94E2CVrDAXgpjJWsvG1CSvHax+erG/FppEk/ud9t+DJhCSVbkMT
KeqTz1G02tpKnHVgd2ogVF9ydJVdEcV4QJD/tkUfQukWomIGNRt+JNoxcCv362H1
fk3uVghrXxWeo3P0oDvWg4S2+3IEZPPtW1PCqfo9SFO2Ll7xF/2015Hl1Sn0TOAA
y4JJqDNOwIN5hIP6JvIs+W6uLLU3IGFUEWg1CiplOY3CC1kfEorQtvsDamNq9QWF
2r6CaWNN2FYpHkiEygYJsnn8Z3vzqqQQnaym2mwlsxe0ggutADCg2FbkybqTUF+D
fUGoQjaq7eojUTGS7fgNlOUua2euImjv9NMpzg00yMb6os6P+HetT+fv2G67TLKS
ptqQ73H+On4h2DP/DPkF1q7hBBZtT1I2Xx6er65AtSKjwOsLBOWSR1BNW+QJ/D56
pPhYHR+lVakHO/TMzILys5dPSXY3TU1iX0XpgvddIqONgViMR54a5MV/Vv1lL9xb
qEcGtqtX84cg74vQuwUbl69pP+69Y+ACDoBdaemRex1tjR6seFBI27XRsn+E8a+a
kQGdwKyB2qT0UNuLyFhcVi4=
=3K1g
-----END PGP SIGNATURE-----
