Talos IntelligenceTALOS-2021-1360Advantech R-SeeNet installation privilege escalation vulnerability
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0005 Low
EPSS
Percentile
17.9%
Summary
A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
Tested Versions
Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021)
Product URLs
<https://ep.advantech-bb.cz/products/software/r-seenet>
CVSSv3 Score
8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-276 - Incorrect Default Permissions
Details
R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database.
CVE-2021-21910 - Privilege escalation via mysql service executable
By default, Advantech R-SeeNet is installed in the “C:\R-SeeNet" directory, which allows the “Authenticated Users” group to have “Full/Change” privilege over the “mysql” service binary file in the directory. These are executed with NT SYSTEM authority, leading to privilge escalation when the file is replaced and service is restarted.
C:\R-SeeNet\mysql\bin\mysqld.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
CVE-2021-21911 - Privilege escalation via SnmpMonSvs service executable
By default, Advantech R-SeeNet is installed in the “C:\R-SeeNet" directory, which allows the “Authenticated Users” group to have “Full/Change” privilege over the “SnmpMonSvs” service binary file in the directory. These are executed with NT SYSTEM authority, leading to privilge escalation when the file is replaced and service is restarted.
C:\R-SeeNet\R_SeeNet.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
CVE-2021-21912 - Privilege escalation via Apache2.2 service executable
By default, Advantech R-SeeNet is installed in the “C:\R-SeeNet" directory, which allows the “Authenticated Users” group to have “Full/Change” privilege over “Apache2.2” service binary file in the directory. These are executed with NT SYSTEM authority,leading to privilge escalation when the file is replaced and service is restarted.
C:\R-SeeNet\apache\bin\httpd.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
Timeline
2021-08-23 - Vendor Disclosure
2021-11-16 - Vendor Patched
2021-11-22 - Public Release
Related
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0005 Low
EPSS
Percentile
17.9%