Talos Vulnerability Report

TALOS-2021-1400

Advantech DeviceOn/iEdge Server 1.0.2 privilege escalation vulnerability

January 18, 2022
CVE Number

CVE-2021-40389

Summary

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Advantech DeviceOn/iEdge Server 1.0.2

Product URLs

https://www.advantech.com/products/550836fd-a062-4780-8416-3b742bc7fb16/deviceone2i/mod_e429c25f-35e3-4391-ae77-794a360a0f57

CVSSv3 Score

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276 - Incorrect Default Permissions

Details

DeviceOn/iEdge is a management platform which allows for control over conneted equipment using standard industrial protocols such as modbus.

By default, Advantech DeviceOn/iEdge Server is installed in the “c:\Program Files\Advantech" directory, which allows the “Everyone” group to have “Full” privilege over various service binary files in the directory, including library and executabes files loaded by the PostgreSQL service. The service execute these binaries with a “NT AUTHORITY\NETWORK SERVICE” privilage, leading to privilge escalation from ‘Everyone’ to ‘NETWORK SERVICE’ user when the file is replaced and service is restarted. As the services are assigned SeImpersonatePrivilege it is then possible to take advantage of that permission to achieve reliable execution with NT SYSTEM privilage due to impersonation of the token.

c:\Program Files\Advantech\E2I_Server\database\PostgreSQL\pgsql\bin\psql.exe Everyone:F
																			 NT AUTHORITY\SYSTEM:F

c:\Program Files\Advantech\E2I_Server\database\PostgreSQL\pgsql\bin\pg_ctl.exe Everyone:F
																			   NT AUTHORITY\SYSTEM:F

c:\Program Files\Advantech\E2I_Server\database\PostgreSQL\pgsql\bin\postgres.exe Everyone:F
																				 NT AUTHORITY\SYSTEM:F

In addition, various DLL files can be used to perform similar exploitation of the system from the same installation folder:

libpq.dll
libeay32.dll
libiconv-2.dll
libintl-8.dll
ssleay32.dll

Timeline

2021-10-25 - Vendor Disclosure
2022-01-16 - Vendor Patched

2022-01-18 - Public Release

Credit

Discovered by Yuri Kramarz of Cisco Talos.