Talos Intelligence - TALOS-2021-1360
Nov 22, 2021 - 12:00 a.m.

Advantech R-SeeNet installation privilege escalation vulnerability


CVSS2: 7.2 High - AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3: 7.8 High - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0005 Low (percentile 17.9%)

Summary

A privilege escalation vulnerability exists in the Windows installation of Advantech R-SeeNet 2.4.15 (30.07.2021). A file on the system can be replaced with a specially-crafted one to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Advantech R-SeeNet 2.4.15 (30.07.2021)

Product URLs

https://ep.advantech-bb.cz/products/software/r-seenet

CVSSv3 Score

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276 - Incorrect Default Permissions

Details

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database.

CVE-2021-21910 - Privilege escalation via mysql service executable

By default, Advantech R-SeeNet is installed in the “C:\R-SeeNet” directory, which gives the “Authenticated Users” group “Full/Change” privilege over the “mysql” service binary file in the directory. This binary is executed with NT SYSTEM authority, leading to privilege escalation when the file is replaced and the service is restarted.

C:\R-SeeNet\mysql\bin\mysqld.exe BUILTIN\Administrators:(ID)F
                                 NT AUTHORITY\SYSTEM:(ID)F
                                 BUILTIN\Users:(ID)R
                                 NT AUTHORITY\Authenticated Users:(ID)C

CVE-2021-21911 - Privilege escalation via SnmpMonSvs service executable

By default, Advantech R-SeeNet is installed in the “C:\R-SeeNet” directory, which gives the “Authenticated Users” group “Full/Change” privilege over the “SnmpMonSvs” service binary file in the directory. This binary is executed with NT SYSTEM authority, leading to privilege escalation when the file is replaced and the service is restarted.

C:\R-SeeNet\R_SeeNet.exe BUILTIN\Administrators:(ID)F
                         NT AUTHORITY\SYSTEM:(ID)F
                         BUILTIN\Users:(ID)R
                         NT AUTHORITY\Authenticated Users:(ID)C

CVE-2021-21912 - Privilege escalation via Apache2.2 service executable

By default, Advantech R-SeeNet is installed in the “C:\R-SeeNet” directory, which gives the “Authenticated Users” group “Full/Change” privilege over the “Apache2.2” service binary file in the directory. This binary is executed with NT SYSTEM authority, leading to privilege escalation when the file is replaced and the service is restarted.

C:\R-SeeNet\apache\bin\httpd.exe BUILTIN\Administrators:(ID)F
                                 NT AUTHORITY\SYSTEM:(ID)F
                                 BUILTIN\Users:(ID)R
                                 NT AUTHORITY\Authenticated Users:(ID)C
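
An audit check for the condition described in the three CVE entries above, added here as an example (not code from Talos or Advantech): it parses permission listings in the format shown in this advisory and reports every service binary that a principal outside an administrative allow-list can overwrite. The function names and the TRUSTED allow-list are assumptions made for the example.

```python
import re

# Rights that let a principal replace the file: Full, Change, Write.
WRITE_RIGHTS = {"F", "C", "W"}
# Principals expected to hold write access to a service binary (assumed policy).
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
# One ACE as printed on the page: PRINCIPAL:(FLAG)...RIGHT, e.g. "BUILTIN\Users:(ID)R".
ACE_RE = re.compile(r"^(?P<who>.+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z]+)$")

# Listings copied from the advisory text above.
SAMPLE = r"""
C:\R-SeeNet\mysql\bin\mysqld.exe BUILTIN\Administrators:(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Users:(ID)R
    NT AUTHORITY\Authenticated Users:(ID)C
C:\R-SeeNet\R_SeeNet.exe BUILTIN\Administrators:(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Users:(ID)R
    NT AUTHORITY\Authenticated Users:(ID)C
C:\R-SeeNet\apache\bin\httpd.exe BUILTIN\Administrators:(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Users:(ID)R
    NT AUTHORITY\Authenticated Users:(ID)C
"""

def parse_listing(text):
    """Return {path: [(principal, flags, right), ...]}; assumes paths without spaces."""
    acls, path = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):          # drive letter: new file entry
            path, _, line = line.partition(" ")
            acls[path] = []
        m = ACE_RE.match(line.strip())
        if m and path is not None:
            acls[path].append((m["who"], m["flags"], m["right"]))
    return acls

def writable_by_untrusted(acls):
    """Return sorted (path, principal, right) where an untrusted principal can write."""
    return sorted((path, who, right)
                  for path, aces in acls.items()
                  for who, _flags, right in aces
                  if who not in TRUSTED and WRITE_RIGHTS & set(right))

if __name__ == "__main__":
    for path, who, right in writable_by_untrusted(parse_listing(SAMPLE)):
        print(f"{path}: {who} holds {right}")
```

Run against a listing captured after the vendor patch, an empty result means no principal outside the allow-list can still replace a service binary.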

Timeline

2021-08-23 - Vendor Disclosure
2021-11-16 - Vendor Patched
2021-11-22 - Public Release
