CVE-2020-22722 - OpenCVE

Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\SYSTEM by giving the attacker full system access to the remote PC.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Rapidscada	Rapid Scada

Configuration 1 [-]

AND

cpe:2.3:a:rapidscada:rapid_scada:5.8.0:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-08-14T15:44:56

Updated: 2020-08-14T15:44:56

Reserved: 2020-08-13T00:00:00

Link: CVE-2020-22722

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-14T16:15:17.070

Modified: 2020-08-21T14:50:25.593

Link: CVE-2020-22722

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\\SYSTEM by giving the attacker full system access to the remote PC."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-14T15:44:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-22722", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\\SYSTEM by giving the attacker full system access to the remote PC."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/", "refsource": "MISC", "url": "https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-22722", "datePublished": "2020-08-14T15:44:56", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2020-08-14T15:44:56", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapidscada:rapid_scada:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7C13004B-091D-43C8-B9CD-A0B70FA7C1CB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\\SYSTEM by giving the attacker full system access to the remote PC."}, {"lang": "es", "value": "Rapid Software LLC Rapid SCADA versi\u00f3n 5.8.0, est\u00e1 afectado por una vulnerabilidad de escalada de privilegios local en el archivo ejecutable ScadaAgentSvc.exe. Un atacante puede alcanzar privilegios de administrador mediante la colocaci\u00f3n de un archivo .exe malicioso en la aplicaci\u00f3n y renombr\u00e1ndolo como ScadaAgentSvc.exe, lo que resultar\u00eda en una ejecuci\u00f3n del binario como NT AUTHORITY\\SYSTEM en un sistema operativo Windows. Por ejemplo, un atacante puede plantar un shell inverso desde una cuenta de usuario poca privilegiada y, al reiniciar la computadora, el servicio malicioso ser\u00e1 iniciado como NT AUTHORITY\\SYSTEM, al otorgarle a un atacante un acceso completo de sistema hacia la PC remota."}], "id": "CVE-2020-22722", "lastModified": "2020-08-21T14:50:25.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-14T16:15:17.070", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}