Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

Posted Sep 3, 2024
Authored by Lukas Krieg | Site schutzwerk.com

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.

tags | advisory, arbitrary, local
systems | windows
advisories | CVE-2024-38456
SHA-256 | 71cbb32e8ea719c5b85e740cf97e165e4dd92083376eab16d2fff22074ac5216

Title
=====

SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary
Hijacking in Vivavis HIGH-LEIT

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2024-38456

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt

Affected products/vendor
========================

HIGH-LEIT by VIVAVIS AG[0]. Versions 4 and 5 are different product lines;
both are affected:

HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)
HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for
31.10.2024)

Summary
=======

HIGH-LEIT is a scalable SCADA network control system designed for
infrastructure applications in the energy, water supply, wastewater, and
environmental sectors, as well as associated utilities and industrial
applications. HIGH-LEIT is used for operational networks in critical
infrastructure.
The Windows services "HL-InstallService-hlnt" (HIGH-LEIT Version 4) and
"HL-InstallService-hlxw" (HIGH-LEIT Version 5) allow authenticated
attackers who are members of the Active Directory group "HL-TS-Gruppe" to
escalate their privileges to local system.

Risk
====

The vulnerability allows attackers to execute arbitrary code as local
system on systems where the "HL-InstallService-hlxw" or
"HL-InstallService-hlnt" Windows service is running. Authentication is
necessary for successful exploitation. The execution of the exploit is
trivial and might affect other systems if the applications folder is
shared between multiple systems in which case the vulnerability can be
used for lateral movement.

Description
===========

During a penetration test, SCHUTZWERK tested a terminal server that was
part of an internal OT network. The software HIGH-LEIT 5 was found to be
installed on this terminal server.

HIGH-LEIT 5 has a Windows service named "HL-InstallService-hlxw" that
runs as local system with start mode "autostart". By default, for
affected versions, the executable "D:\hlxw\update\bin\prunsrv.exe" is
modifiable by the Active Directory group "HL-TS-Gruppe". The granted
modify permission on "D:\hlxw\update\bin\prunsrv.exe" is inherited from
the modify permission on the folder "D:\hlxw". Membership in the Active
Directory group "HL-TS-Gruppe" is required for every user interacting
with the HIGH-LEIT software, so this exploit is available to any
HIGH-LEIT user with low privileges (e.g. auditors with read-only
permissions). Such a user can modify the executable "prunsrv.exe" and
wait for, or force, a system reboot. Afterwards the modified
"prunsrv.exe" is executed as local system on the server.

Solution/Mitigation
===================

For HIGH-LEIT Version 4:
- Update to version 4.25.01.02 or newer, or
- apply the vendor's workaround via GPO to mitigate the vulnerability, or
- manually remove the modify permission of the Active Directory group
"HL-TS-Gruppe" on the folder "D:\hlnt".

For HIGH-LEIT Version 5:
- Update to version 5.8.01.04 (release planned for 31.10.24), or
- apply the vendor's workaround via GPO to mitigate the vulnerability, or
- manually remove the modify permission of the Active Directory group
"HL-TS-Gruppe" on the folder "D:\hlxw".
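The following PowerShell script is an added example, not code from the advisory or from VIVAVIS: it audits the two install services described above for the weak ACL (a write/modify ACE for "HL-TS-Gruppe" on the service binary, inherited from the install root) and, with -Remediate, applies the third mitigation option by removing the explicit ACE on the folder it is inherited from. The domain prefix "CORP" is a placeholder; the service names, group name and folder layout come from the advisory.

```powershell
# Added example (not from the advisory or the vendor). Audits the HIGH-LEIT
# install services for a write/modify ACE held by HL-TS-Gruppe on the
# service binary and locates the folder where that ACE is set explicitly.
param(
    [string]$Group = 'CORP\HL-TS-Gruppe',   # placeholder domain, adjust
    [switch]$Remediate
)
# Any of these rights lets a member replace the service binary.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

function Get-GroupWriteAce($Acl, $OnlyExplicit) {
    $Acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeMask) -ne 0) -and
        (-not $OnlyExplicit -or -not $_.IsInherited)
    }
}

foreach ($name in 'HL-InstallService-hlxw', 'HL-InstallService-hlnt') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }
    # PathName may be quoted and carry arguments; keep only the executable.
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    Write-Host "$name -> $exe (runs as $($svc.StartName), $($svc.StartMode))"
    $ace = Get-GroupWriteAce (Get-Acl -LiteralPath $exe) $false
    if (-not $ace) { Write-Host "  OK: $Group cannot write $exe"; continue }
    Write-Host "  VULNERABLE: $Group can write $exe (inherited: $($ace.IsInherited))"
    # Walk up to the folder where the rule is set explicitly (the advisory
    # names D:\hlxw / D:\hlnt); removing it there also drops the inherited
    # copies on everything below, including the binary.
    $dir = Split-Path -Parent $exe
    while ($dir) {
        $dirAcl   = Get-Acl -LiteralPath $dir
        $explicit = Get-GroupWriteAce $dirAcl $true
        if ($explicit) { break }
        $dir = Split-Path -Parent $dir      # becomes '' past the drive root
    }
    if (-not $dir) { continue }
    Write-Host "  explicit write ACE for $Group set on $dir"
    if ($Remediate) {
        foreach ($rule in $explicit) { $dirAcl.RemoveAccessRuleSpecific($rule) }
        Set-Acl -LiteralPath $dir -AclObject $dirAcl
        Write-Host "  removed; verify that HIGH-LEIT still starts correctly"
    }
}
```

Run it without -Remediate first and compare the reported folder with the vendor's GPO workaround, which remains the supported route; the ACL change should be tested in a maintenance window because the application may rely on some write access below the install root.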

Disclosure timeline
===================

2024-05-14: Vulnerability discovered
2024-05-14: Vulnerability reported and presented to affected customer
2024-05-16: Vulnerability presented to vendor
2024-05-16: Vulnerability details reported to vendor
2024-05-17: Vendor started working on patch
2024-05-22: Vendor started deploying workaround to customers
2024-06-05: Green light from customer for Advisory
2024-06-13: Patch for HIGH-LEIT 4 finished
2024-06-13: Meeting with vendor to plan disclosure/patch release
2024-06-14: CVE-2024-38456 reserved
2024-08-16: Vendor finished deployment of patch/workaround for all
affected customers
2024-08-16: Meeting with vendor to plan disclosure
2024-08-23: Meeting with vendor to plan disclosure
2024-09-02: Disclosure by SCHUTZWERK
2024-09-02: Disclosure by vendor at
https://www.vivavis.com/service/it-security-bulletin/

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lukas Krieg
(lkrieg@schutzwerk.com) of SCHUTZWERK GmbH.

References
==========

[0] https://www.vivavis.com/loesung/leittechnik/high-leit/
[1] https://www.vivavis.com/service/it-security-bulletin/

Disclaimer
==========

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
most recent version of this security advisory can be found at SCHUTZWERK
GmbH's website ( https://www.schutzwerk.com ).

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/