SpiderControl SCADA Web Server 2.02.0007 Improper Privilege Management

`Vendor: SpiderControl  
Equipment: SCADA Web Server  
Vulnerability: Improper Privilege Management  
  
Advisory URL  
https://ipositivesecurity.com/2017/10/28/ics-spidercontrol-scada-web-server-improper-privilege-management-vulnerability/  
  
ICS-CERT Advisory  
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01  
  
CVE-ID  
CVE-2017-12728  
  
------------------------  
AFFECTED PRODUCTS  
------------------------  
  
The following versions of SCADA Web Server, a software management platform,  
are affected:  
SCADA Web Server Version 2.02.0007 and prior.  
  
------------------------  
BACKGROUND  
------------------------  
Critical Infrastructure Sector: Critical Manufacturing  
Countries/Areas Deployed: Europe  
Company Headquarters Location: Switzerland  
  
------------------------  
IMPACT  
------------------------  
Successful exploitation of this vulnerability could allow authenticated  
system users to escalate their privileges under certain conditions.  
  
------------------------  
VULNERABILITY OVERVIEW  
------------------------  
  
IMPROPER PRIVILEGE MANAGEMENT CWE-269  
  
Authenticated, non-administrative local users are able to alter service  
executables with escalated privileges which could allow an attacker to  
execute arbitrary code under the context of the current system services.  
  
CVE-2017-12728 has been assigned to this vulnerability. A CVSS v3 base  
score of 5.3 has been assigned; the CVSS vector string is  
(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).  
  
  
------------------------  
Vulnerability Details  
------------------------  
  
1. Untrusted Users Can Modify Windows Service Executables  
It is possible for non-administrative local users to replace some of the  
Windows Service executables with malicious programs. This could be abused  
to execute programs with the privileges of the Windows services concerned.  
  
The programs below have FILE_WRITE, WRITE_DAC or WRITE_OWNER permission  
granted to non-administrative users:  
  
SCADA Server (SCADAServer) runs the following program as LocalSystem:  
  
C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_WRITE_DATA  
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:  
FILE_WRITE_DATA  
  
2. Delete Permission Granted On Windows Service Executables  
It is possible for non-administrative local users to delete some of the  
Windows Service executables with malicious programs. This could lead to  
disruption or denial of service.  
  
The programs below have DELETE permission granted to non-administrative  
users:  
  
SCADA Server (SCADAServer) runs the following program as LocalSystem:  
  
C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: DELETE  
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:  
DELETE  
  
3. Append Permission Granted Windows Service Executables  
It is possible for non-administrative local users to append to some of the  
Windows Service executables with malicious programs. This is unlikely to be  
exploitable for .exe files, but is it bad security practise to allow more  
access than necessary to low-privileged users.  
  
The programs below have FILE_APPEND permission granted to  
non-administrative users:  
  
SCADA Server (SCADAServer) runs the following program as LocalSystem:  
  
C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_APPEND_DATA  
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:  
FILE_APPEND_DATA  
  
  
+++++  
Best Regards,  
Karn Ganeshen  
  
  
`