{"id":59402,"date":"2024-09-03T18:09:51","date_gmt":"2024-09-03T15:09:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181282\/SCHUTZWERK-SA-2024-001.txt"},"modified":"2024-09-03T18:09:51","modified_gmt":"2024-09-03T15:09:51","slug":"vivavis-high-leit-4-5-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/vivavis-high-leit-4-5-privilege-escalation\/","title":{"rendered":"Vivavis HIGH-LEIT 4 \/ 5 Privilege Escalation"},"content":{"rendered":"<p>-----BEGIN PGP SIGNED MESSAGE-----<br \/>Hash: SHA512<\/p>\n<p>Title<br \/>=====<\/p>\n<p>SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary <br \/>Hijacking in Vivavis HIGH-LEIT<\/p>\n<p>Status<br \/>======<\/p>\n<p>PUBLISHED<\/p>\n<p>Version<br \/>=======<\/p>\n<p>1.0<\/p>\n<p>CVE reference<br \/>=============<\/p>\n<p>CVE-2024-38456<\/p>\n<p>Link<br \/>====<\/p>\n<p>https:\/\/www.schutzwerk.com\/advisories\/schutzwerk-sa-2024-001\/<\/p>\n<p>Text-only version:<br \/>https:\/\/www.schutzwerk.com\/advisories\/SCHUTZWERK-SA-2024-001.txt<\/p>\n<p>Affected products\/vendor<br \/>========================<\/p>\n<p>HIGH-LEIT by VIVAVIS AG[0]. Versions 4 and 5 are different product lines; <br \/>both are affected:<\/p>\n<p>HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)<br \/>HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for <br \/>31.10.2024)<\/p>\n<p>Summary<br \/>=======<\/p>\n<p>HIGH-LEIT is a scalable SCADA network control system designed for <br \/>infrastructure applications in the energy, water supply, wastewater, and <br \/>environmental sectors, as well as associated utilities and industrial <br \/>applications. 
HIGH-LEIT is used for operational networks in critical <br \/>infrastructure.<br \/>The Windows services &#8220;HL-InstallService-hlnt&#8221; for HIGH-LEIT Version 4 <br \/>and &#8220;HL-InstallService-hlxw&#8221; for Version 5 allow authenticated <br \/>attackers in the Active Directory group &#8220;HL-TS-Gruppe&#8221; to escalate their <br \/>privileges to local system.<\/p>\n<p>Risk<br \/>====<\/p>\n<p>The vulnerability allows attackers to execute arbitrary code as local <br \/>system on systems where the &#8220;HL-InstallService-hlxw&#8221; or <br \/>&#8220;HL-InstallService-hlnt&#8221; Windows service is running. Authentication is <br \/>necessary for successful exploitation. The execution of the exploit is <br \/>trivial and might affect other systems if the application&#8217;s folder is <br \/>shared between multiple systems, in which case the vulnerability can be <br \/>used for lateral movement.<\/p>\n<p>Description<br \/>===========<\/p>\n<p>During a penetration test, SCHUTZWERK tested a terminal server that is part of <br \/>an internal OT network. The software HIGH-LEIT 5 was found to be <br \/>installed on this terminal server.<\/p>\n<p>HIGH-LEIT 5 has a Windows service named &#8220;HL-InstallService-hlxw&#8221;, which <br \/>runs as local system with start mode &#8220;autostart&#8221;. By default, for <br \/>affected versions, the executable &#8220;D:\\hlxw\\update\\bin\\prunsrv.exe&#8221; is <br \/>modifiable by the Active Directory group &#8220;HL-TS-Gruppe&#8221;. The granted <br \/>modify permission on &#8220;D:\\hlxw\\update\\bin\\prunsrv.exe&#8221; is inherited from <br \/>the modify permission on the folder &#8220;D:\\hlxw&#8221;. The Active Directory <br \/>group &#8220;HL-TS-Gruppe&#8221; is needed for every user interacting with the <br \/>HIGH-LEIT software. This means the exploit is available to any <br \/>HIGH-LEIT user with low privileges (e.g. auditors with read-only <br \/>permissions). 
The user can modify the executable &#8220;prunsrv.exe&#8221; and wait <br \/>for or force a system reboot. Afterwards, the modified &#8220;prunsrv.exe&#8221; is <br \/>executed as local system on the server.<\/p>\n<p>Solution\/Mitigation<br \/>===================<\/p>\n<p>For HIGH-LEIT Version 4:<br \/>- Update to version 4.25.01.02 or newer, or<br \/>- apply the vendor&#8217;s workaround via GPO to mitigate the vulnerability, or<br \/>- manually remove the modify permission of the Active Directory group <br \/>&#8220;HL-TS-Gruppe&#8221; on the folder &#8220;D:\\hlnt&#8221;.<\/p>\n<p>For HIGH-LEIT Version 5:<br \/>- Update to version 5.8.01.04 (release planned for 31.10.24), or<br \/>- apply the vendor&#8217;s workaround via GPO to mitigate the vulnerability, or<br \/>- manually remove the modify permission of the Active Directory group <br \/>&#8220;HL-TS-Gruppe&#8221; on the folder &#8220;D:\\hlxw&#8221;.<\/p>\n<p>Disclosure timeline<br \/>===================<\/p>\n<p>2024-05-14: Vulnerability discovered<br \/>2024-05-14: Vulnerability reported and presented to affected customer<br \/>2024-05-16: Vulnerability presented to vendor<br \/>2024-05-16: Vulnerability details reported to vendor<br \/>2024-05-17: Vendor started working on patch<br \/>2024-05-22: Vendor started deploying workaround to customers<br \/>2024-06-05: Green light from customer for Advisory<br \/>2024-06-13: Patch for HIGH-LEIT 4 finished<br \/>2024-06-13: Meeting with vendor to plan disclosure\/patch release<br \/>2024-06-14: CVE-2024-38456 reserved<br \/>2024-08-16: Vendor finished deployment of patch\/workaround for all <br \/>affected customers<br \/>2024-08-16: Meeting with vendor to plan disclosure<br \/>2024-08-23: Meeting with vendor to plan disclosure<br \/>2024-09-02: Disclosure by SCHUTZWERK<br \/>2024-09-02: Disclosure by vendor at <br 
\/>https:\/\/www.vivavis.com\/service\/it-security-bulletin\/<\/p>\n<p>Contact\/Credits<br \/>===============<\/p>\n<p>The vulnerability was discovered during an assessment by Lukas Krieg <br \/>(lkrieg@schutzwerk.com) of SCHUTZWERK GmbH.<\/p>\n<p>References<br \/>==========<\/p>\n<p>[0] https:\/\/www.vivavis.com\/loesung\/leittechnik\/high-leit\/<br \/>[1] https:\/\/www.vivavis.com\/service\/it-security-bulletin\/<\/p>\n<p>Disclaimer<br \/>==========<\/p>\n<p>The information provided in this security advisory is provided &#8220;as is&#8221; <br \/>and without warranty of any kind. Details of this security advisory may <br \/>be updated in order to provide information that is as accurate as possible. The <br \/>most recent version of this security advisory can be found at SCHUTZWERK <br \/>GmbH&#8217;s website ( https:\/\/www.schutzwerk.com ).<\/p>\n<p>SCHUTZWERK Advisories: https:\/\/www.schutzwerk.com\/blog\/tags\/advisories\/<\/p>\n<p>SCHUTZWERK Advisory Policy: https:\/\/www.schutzwerk.com\/en\/advisories\/<br \/>-----BEGIN PGP SIGNATURE-----<\/p>\n<p>-----END PGP SIGNATURE-----<br \/>-- <br \/>SCHUTZWERK GmbH, Pfarrer-Wei\u00df-Weg 12, 89077 Ulm, Germany<br \/>Zertifiziert \/ Certified ISO 27001, 9001 and TISAX<\/p>\n<p>Phone +49 731 977 191 0<\/p>\n<p>advisories@schutzwerk.com \/ www.schutzwerk.com<\/p>\n<p>Gesch\u00e4ftsf\u00fchrer \/ Managing Directors:<br \/>Jakob Pietzka, Michael Sch\u00e4fer<\/p>\n<p>Amtsgericht Ulm \/ HRB 727391<br \/>Datenschutz \/ Data Protection www.schutzwerk.com\/datenschutz<\/p>\n","protected":false},"excerpt":{"rendered":"<p>-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 Title===== SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary Hijacking in Vivavis HIGH-LEIT Status====== PUBLISHED Version======= 1.0 CVE reference============= CVE-2024-38456 Link==== https:\/\/www.schutzwerk.com\/advisories\/schutzwerk-sa-2024-001\/ Text-only version:https:\/\/www.schutzwerk.com\/advisories\/SCHUTZWERK-SA-2024-001.txt Affected products\/vendor======================== HIGH-LEIT by VIVAVIS AG[0]. 
Version 4 and 5 are different product lines, both are affected: HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)HIGH-LEIT 5 Version = &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59402","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59402"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59402\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}