-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title

SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary
Hijacking in Vivavis HIGH-LEIT

Status

PUBLISHED

Version

1.0

CVE reference

CVE-2024-38456

Link

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt

Affected products/vendor

HIGH-LEIT by VIVAVIS AG[0]. Version 4 and 5 are different product lines,
both are affected:

HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)
HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for
31.10.2024)

Summary

HIGH-LEIT is a scalable SCADA network control system designed for
infrastructure applications in the energy, water supply, wastewater, and
environmental sectors, as well as associated utilities and industrial
applications. HIGH-LEIT is used for operational networks in critical
infrastructure.
The Windows services “HL-InstallService-hlnt” for HIGH-LEIT Version 4
and “HL-InstallService-hlxw” for Version 5 allow for an authenticated
attackers in the Active Directory group “HL-TS-Gruppe” to escalate their
privileges to local system.

Risk

The vulnerability allows attackers to execute arbitrary code as local
system on systems where the “HL-InstallService-hlxw” or
“HL-InstallService-hlnt” Windows service is running. Authentication is
necessary for successful exploitation. The execution of the exploit is
trivial and might affect other systems if the applications folder is
shared between multiple systems in which case the vulnerability can be
used for lateral movement.

Description

During a penetration test, SCHUTZWERK tested a terminal server part of
an internal OT Network. The software HIGH-LEIT 5 was found to be
installed on this terminal server.

HIGH-LEIT 5 has a windows service named "HL-InstallService-hlxw", that
runs as local system with start mode "autostart". By default, for
affected versions, the executable “D:\hlxw\update\bin\prunsrv.exe” is
modifiable by the Active Directory group "HL-TS-Gruppe". The granted
modify permission on “D:\hlxw\update\bin\prunsrv.exe” is inherited from
the modify permission on the folder "D:\hlxw". The Active Directory
group “HL-TS-Gruppe” is needed for every user interacting with the
HIGH-LEIT software. This means this exploit is available from any
HIGH-LEIT user with low privileges (e.g. auditors with read-only
permissions). The user can modify the executable “prunsrv.exe” and wait
for or force a system reboot. Afterwards the modified “prunsrv.exe” is
executed as local system on the server.

Solution/Mitigation

For HIGH-LEIT Version 4:

• • Update to version 4.25.01.02 or newer, or
• • apply the vendors workaround via GPO to mitigate the vulnerability, or
• • manually remove the modify permission of the Active Directory group
    “HL-TS-Gruppe” on the folder "D:\hlnt".

For HIGH-LEIT Version 5:

• • Update to version 5.8.01.04 (release planned for 31.10.24), or
• • apply the vendors workaround via GPO to mitigate the vulnerability, or
• • manually remove the modify permission of the Active Directory group
    “HL-TS-Gruppe” on the folder "D:\hlxw".

Disclosure timeline

2024-05-14: Vulnerability discovered
2024-05-14: Vulnerability reported and presented to affected customer
2024-05-16: Vulnerability presented to vendor
2024-05-16: Vulnerability details reported to vendor
2024-05-17: Vendor started working on patch
2024-05-22: Vendor started deploying workaround to customers
2024-06-05: Green light from customer for Advisory
2024-06-13: Patch for HIGH-LEIT 4 finished
2024-06-13: Meeting with vendor to plan disclosure/patch release
2024-06-14: CVE-2024-38456 reserved
2024-08-16: Vendor finished deployment of patch/workaround for all
affected customers
2024-08-16: Meeting with vendor to plan disclosure
2024-08-23: Meeting with vendor to plan disclosure
2024-09-02: Disclosure by SCHUTZWERK
2024-09-02: Disclosure by vendor at
https://www.vivavis.com/service/it-security-bulletin/

Contact/Credits

The vulnerability was discovered during an assessment by Lukas Krieg
([email protected]) of SCHUTZWERK GmbH.

References

[0] https://www.vivavis.com/loesung/leittechnik/high-leit/
[1] https://www.vivavis.com/service/it-security-bulletin/

Disclaimer

The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
most recent version of this security advisory can be found at SCHUTZWERK
GmbH’s website ( https://www.schutzwerk.com ).

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbVfC0aHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvLwhAAmq8ALbZdWarhHZGgPAMJ
5mU/24qCCY5M3roi4zBv9GFzSbJVF4TdgpceOkyrCYHtTZWGEYdc8ewd6DLarweH
Kcj+KyCA6JIbb94E2CVrDAXgpjJWsvG1CSvHax+erG/FppEk/ud9t+DJhCSVbkMT
KeqTz1G02tpKnHVgd2ogVF9ydJVdEcV4QJD/tkUfQukWomIGNRt+JNoxcCv362H1
fk3uVghrXxWeo3P0oDvWg4S2+3IEZPPtW1PCqfo9SFO2Ll7xF/2015Hl1Sn0TOAA
y4JJqDNOwIN5hIP6JvIs+W6uLLU3IGFUEWg1CiplOY3CC1kfEorQtvsDamNq9QWF
2r6CaWNN2FYpHkiEygYJsnn8Z3vzqqQQnaym2mwlsxe0ggutADCg2FbkybqTUF+D
fUGoQjaq7eojUTGS7fgNlOUua2euImjv9NMpzg00yMb6os6P+HetT+fv2G67TLKS
ptqQ73H+On4h2DP/DPkF1q7hBBZtT1I2Xx6er65AtSKjwOsLBOWSR1BNW+QJ/D56
pPhYHR+lVakHO/TMzILys5dPSXY3TU1iX0XpgvddIqONgViMR54a5MV/Vv1lL9xb
qEcGtqtX84cg74vQuwUbl69pP+69Y+ACDoBdaemRex1tjR6seFBI27XRsn+E8a+a
kQGdwKyB2qT0UNuLyFhcVi4=
=3K1g
-----END PGP SIGNATURE-----
–
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

[email protected] / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz