CVE-2020-12510 - OpenCVE

Vendors	Products
Beckhoff	Twincat Extended Automation Runtime

Link	Resource
https://cert.vde.com/en-us/advisories/vde-2020-037	Third Party Advisory

{"containers": {"cna": {"affected": [{"platforms": ["all"], "product": "TwinCat XAR 3.1", "vendor": "Beckhoff", "versions": [{"status": "affected", "version": "all"}]}], "credits": [{"lang": "en", "value": "Ayushman Dutta reported the issue to CERT@VDE"}], "datePublic": "2020-11-19T00:00:00", "descriptions": [{"lang": "en", "value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-19T17:07:24", "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-037"}], "solutions": [{"lang": "en", "value": "Please consider to choose \u201cC:\\Program Files\\TwinCAT\u201d during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator.\nPlease mind that already installed projects underneath C:\\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\\TwinCAT at the end of this sequence. This will also prevent confusion."}], "source": {"advisory": "VDE-2020-037", "defect": ["VDE-2020-037"], "discovery": "EXTERNAL"}, "title": "Beckhoff: Privilege Escalation through TwinCat System ", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "info@cert.vde.com", "DATE_PUBLIC": "2020-11-19T14:00:00.000Z", "ID": "CVE-2020-12510", "STATE": "PUBLIC", "TITLE": "Beckhoff: Privilege Escalation through TwinCat System "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TwinCat XAR 3.1", "version": {"version_data": [{"platform": "all", "version_affected": "=", "version_name": "", "version_value": "all"}]}}]}, "vendor_name": "Beckhoff"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Ayushman Dutta reported the issue to CERT@VDE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276 Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/en-us/advisories/vde-2020-037", "refsource": "CONFIRM", "url": "https://cert.vde.com/en-us/advisories/vde-2020-037"}]}, "solution": [{"lang": "en", "value": "Please consider to choose \u201cC:\\Program Files\\TwinCAT\u201d during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator.\nPlease mind that already installed projects underneath C:\\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\\TwinCAT at the end of this sequence. This will also prevent confusion."}], "source": {"advisory": "VDE-2020-037", "defect": ["VDE-2020-037"], "discovery": "EXTERNAL"}, "work_around": []}}}, "cveMetadata": {"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "cveId": "CVE-2020-12510", "datePublished": "2020-11-19T00:00:00", "dateReserved": "2020-04-30T00:00:00", "dateUpdated": "2020-11-19T17:07:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:beckhoff:twincat_extended_automation_runtime:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "86D77675-9196-4032-8809-AC9CDEB01259", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."}, {"lang": "es", "value": "La ruta de instalaci\u00f3n predeterminada del software TwinCAT XAR versi\u00f3n 3.1 en todas las versiones se encuentra debajo de C:\\TwinCAT. Si el directorio no existe, se crean m\u00e1s subdirectorios con permisos que permiten a cada usuario local modificar el contenido. La instalaci\u00f3n predeterminada registra el archivo TcSysUI.exe para una ejecuci\u00f3n autom\u00e1tica al iniciar sesi\u00f3n un usuario. Si un usuario con menos privilegios tiene una cuenta local, puede reemplazar el archivo TcSysUI.exe. Otro usuario lo ejecutar\u00e1 autom\u00e1ticamente durante el inicio de sesi\u00f3n. Esto tambi\u00e9n es cierto para los usuarios con acceso administrativo. En consecuencia, un usuario menos privilegiado puede enga\u00f1ar a un usuario con mayores privilegios para que ejecute el c\u00f3digo que \u00e9l o ella modific\u00f3 de esta manera. Por defecto, los IPC de Beckhoff se env\u00edan con el software TwinCAT instalado de esta manera y con un \u00fanico usuario local configurado. Por lo tanto la vulnerabilidad existe si nuevos usuarios menos privilegiados han sido incorporados"}], "id": "CVE-2020-12510", "lastModified": "2020-12-03T16:47:53.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2020-11-19T18:15:13.927", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-037"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "info@cert.vde.com", "type": "Secondary"}]}

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

JSON object

JSON object

JSON object