Advantech SUSIAccess Server Static Encryption Key Privilege Escalation Vulnerability

2016-12-13T00:00:00
ID ZDI-16-629
Type zdi
Reporter rgod
Modified 2016-12-13T00:00:00

Description

This vulnerability allows attackers to escalate privileges on vulnerable installations of Advantech SUSIAccess Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within encryption and storage of the administrator password. The password is stored in a known location and is encrypted with a static encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.