Security Advisory IBA-2021-01
Local privilege escalation
Publishing Date: 2021-04-19
Last Update: 2021-04-19
Tracking ID: IBA-2021-01
CVSS Base Score: 7.8
CVSS Temporal Score: 7.0
CVSS v3 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C
Summary
The ExecuteCommand and PostProcessing functions could be used to escalate the privileges of the local Windows user.
Affected products
ibaPDA-V7
ExecuteCommand: All versions prior to v7.3.0
PostProcessing: All versions prior to v7.3.0
ibaPDA-V6
ExecuteCommand: All versions since v6.33.3
PostProcessing: All versions
How do I know that I'm affected?
Check the version number of the installed product in the About dialog, which can be found in the Help menu.
Customer Actions
Upgrade to ibaPDA-V7 v7.3.0. If the above-mentioned functionality is used in your ibaPDA project, you must provide user credentials for these functions. These credentials are then used to execute the commands.
Mitigations
If an upgrade to ibaPDA-V7 v7.3.0 is currently not possible, use the user management in earlier versions of ibaPDA to set the appropriate access rights so that the I/O configuration cannot be changed. If scripts are used, make sure that the script files cannot be changed by the current Windows user.
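One way to verify the script-file mitigation is to audit the NTFS permissions on the folder that holds the scripts. The following PowerShell script is an added example, not part of the vendor's advisory or software; the `ScriptDirectory` parameter and the list of trusted principals are assumptions to adapt to your installation.

```powershell
# Added example (not vendor code): report every principal other than SYSTEM,
# Administrators and TrustedInstaller that can modify the script files.
param(
    [Parameter(Mandatory = $true)]
    [string]$ScriptDirectory   # assumption: folder holding the scripts ibaPDA runs
)

# SIDs instead of names, so the check also works on localized Windows.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal change, replace or re-permission a file or folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# The folder itself is included: write access there allows replacing a script.
$items = @(Get-Item -LiteralPath $ScriptDirectory) +
         @(Get-ChildItem -LiteralPath $ScriptDirectory -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags -band $inheritOnly) { continue }   # applies to children only
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Sort-Object Path, Principal }
else { Write-Output "No write access for non-administrative principals under $ScriptDirectory" }
```

Any row that names a standard user or a broad group such as BUILTIN\Users (S-1-5-32-545) or Authenticated Users (S-1-5-11) means the script files can still be changed by an unprivileged account.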
Technical Details
Background
The above-mentioned ExecuteCommand and PostProcessing functions can execute any given command in the context of the ibaPDA service, which needs the SYSTEM account to run.
Issue
Since the commands for ExecuteCommand and PostProcessing can be changed by any user who has the appropriate rights in ibaPDA, such a user can escalate their privileges in Windows up to the administrative level.
Timeline
2019-04-01: Issue found by internal security team
2021-03-24: New software released with fix
2021-04-19: Security advisory published