CVE-2020-12510 (GCVE-0-2020-12510)

Vulnerability from cvelistv5 – Published: 2020-11-19 17:07 – Updated: 2024-09-16 19:35
VLAI?
Title
Beckhoff: Privilege Escalation through TwinCat System
Summary
The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff’s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.
Severity ?
7.3 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
  • CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
Vendor Product Version
Beckhoff TwinCat XAR 3.1 Affected: all
Create a notification for this product.
Credits
Ayushman Dutta reported the issue to CERT@VDE
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:56:52.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en-us/advisories/vde-2020-037"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "all"
          ],
          "product": "TwinCat XAR 3.1",
          "vendor": "Beckhoff",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ayushman Dutta reported the issue to CERT@VDE"
        }
      ],
      "datePublic": "2020-11-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276 Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-19T17:07:24",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert.vde.com/en-us/advisories/vde-2020-037"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please consider to choose \u201cC:\\Program Files\\TwinCAT\u201d during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator.\nPlease mind that already installed projects underneath C:\\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\\TwinCAT at the end of this sequence. This will also prevent confusion."
        }
      ],
      "source": {
        "advisory": "VDE-2020-037",
        "defect": [
          "VDE-2020-037"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Beckhoff: Privilege Escalation through TwinCat System",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "info@cert.vde.com",
          "DATE_PUBLIC": "2020-11-19T14:00:00.000Z",
          "ID": "CVE-2020-12510",
          "STATE": "PUBLIC",
          "TITLE": "Beckhoff: Privilege Escalation through TwinCat System"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TwinCat XAR 3.1",
                      "version": {
                        "version_data": [
                          {
                            "platform": "all",
                            "version_affected": "=",
                            "version_name": "",
                            "version_value": "all"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Beckhoff"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "Ayushman Dutta reported the issue to CERT@VDE"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-276 Incorrect Default Permissions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert.vde.com/en-us/advisories/vde-2020-037",
              "refsource": "CONFIRM",
              "url": "https://cert.vde.com/en-us/advisories/vde-2020-037"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Please consider to choose \u201cC:\\Program Files\\TwinCAT\u201d during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator.\nPlease mind that already installed projects underneath C:\\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\\TwinCAT at the end of this sequence. This will also prevent confusion."
          }
        ],
        "source": {
          "advisory": "VDE-2020-037",
          "defect": [
            "VDE-2020-037"
          ],
          "discovery": "EXTERNAL"
        },
        "work_around": []
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2020-12510",
    "datePublished": "2020-11-19T17:07:24.391114Z",
    "dateReserved": "2020-04-30T00:00:00",
    "dateUpdated": "2024-09-16T19:35:02.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:beckhoff:twincat_extended_automation_runtime:3.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"86D77675-9196-4032-8809-AC9CDEB01259\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.\"}, {\"lang\": \"es\", \"value\": \"La ruta de instalaci\\u00f3n predeterminada del software TwinCAT XAR versi\\u00f3n 3.1 en todas las versiones se encuentra debajo de C:\\\\TwinCAT.\u0026#xa0;Si el directorio no existe, se crean m\\u00e1s subdirectorios con permisos que permiten a cada usuario local modificar el contenido.\u0026#xa0;La instalaci\\u00f3n predeterminada registra el archivo TcSysUI.exe para una ejecuci\\u00f3n autom\\u00e1tica al iniciar sesi\\u00f3n un usuario.\u0026#xa0;Si un usuario con menos privilegios tiene una cuenta local, puede reemplazar el archivo TcSysUI.exe.\u0026#xa0;Otro usuario lo ejecutar\\u00e1 autom\\u00e1ticamente durante el inicio de sesi\\u00f3n.\u0026#xa0;Esto tambi\\u00e9n es cierto para los usuarios con acceso administrativo.\u0026#xa0;En consecuencia, un usuario menos privilegiado puede enga\\u00f1ar a un usuario con mayores privilegios para que ejecute el c\\u00f3digo que \\u00e9l o ella modific\\u00f3 de esta manera.\u0026#xa0;Por defecto, los IPC de Beckhoff se env\\u00edan con el software TwinCAT instalado de esta manera y con un \\u00fanico usuario local configurado. Por lo tanto la vulnerabilidad existe si nuevos usuarios menos privilegiados han sido incorporados\"}]",
      "id": "CVE-2020-12510",
      "lastModified": "2024-11-21T04:59:50.187",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"info@cert.vde.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-11-19T18:15:13.927",
      "references": "[{\"url\": \"https://cert.vde.com/en-us/advisories/vde-2020-037\", \"source\": \"info@cert.vde.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://cert.vde.com/en-us/advisories/vde-2020-037\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "info@cert.vde.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"info@cert.vde.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-276\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-276\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-12510\",\"sourceIdentifier\":\"info@cert.vde.com\",\"published\":\"2020-11-19T18:15:13.927\",\"lastModified\":\"2024-11-21T04:59:50.187\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.\"},{\"lang\":\"es\",\"value\":\"La ruta de instalaci\u00f3n predeterminada del software TwinCAT XAR versi\u00f3n 3.1 en todas las versiones se encuentra debajo de C:\\\\TwinCAT.\u0026#xa0;Si el directorio no existe, se crean m\u00e1s subdirectorios con permisos que permiten a cada usuario local modificar el contenido.\u0026#xa0;La instalaci\u00f3n predeterminada registra el archivo TcSysUI.exe para una ejecuci\u00f3n autom\u00e1tica al iniciar sesi\u00f3n un usuario.\u0026#xa0;Si un usuario con menos privilegios tiene una cuenta local, puede reemplazar el archivo TcSysUI.exe.\u0026#xa0;Otro usuario lo ejecutar\u00e1 autom\u00e1ticamente durante el inicio de sesi\u00f3n.\u0026#xa0;Esto tambi\u00e9n es cierto para los usuarios con acceso administrativo.\u0026#xa0;En consecuencia, un usuario menos privilegiado puede enga\u00f1ar a un usuario con mayores privilegios para que ejecute el c\u00f3digo que \u00e9l o ella modific\u00f3 de esta manera.\u0026#xa0;Por defecto, los IPC de Beckhoff se env\u00edan con el software TwinCAT instalado de esta manera y con un \u00fanico usuario local configurado. Por lo tanto la vulnerabilidad existe si nuevos usuarios menos privilegiados han sido incorporados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:beckhoff:twincat_extended_automation_runtime:3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"86D77675-9196-4032-8809-AC9CDEB01259\"}]}]}],\"references\":[{\"url\":\"https://cert.vde.com/en-us/advisories/vde-2020-037\",\"source\":\"info@cert.vde.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.vde.com/en-us/advisories/vde-2020-037\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.