CVE-2020-12510

The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff’s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.

CVSS v3 7.3 HIGH
CVSS v2.0 6.0 MEDIUM

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://cert.vde.com/en-us/advisories/vde-2020-037	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:beckhoff:twincat_extended_automation_runtime:3.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-11-19 18:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-12510

Mitre link : CVE-2020-12510

CVE.ORG link : CVE-2020-12510

JSON object : View

Products Affected

beckhoff

twincat_extended_automation_runtime

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2020-12510", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}, {"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}]}, "published": "2020-11-19T18:15:13.927", "references": [{"url": "https://cert.vde.com/en-us/advisories/vde-2020-037", "tags": ["Third Party Advisory"], "source": "info@cert.vde.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}, {"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff\u2019s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added."}, {"lang": "es", "value": "La ruta de instalaci\u00f3n predeterminada del software TwinCAT XAR versi\u00f3n 3.1 en todas las versiones se encuentra debajo de C:\\TwinCAT. Si el directorio no existe, se crean m\u00e1s subdirectorios con permisos que permiten a cada usuario local modificar el contenido. La instalaci\u00f3n predeterminada registra el archivo TcSysUI.exe para una ejecuci\u00f3n autom\u00e1tica al iniciar sesi\u00f3n un usuario. Si un usuario con menos privilegios tiene una cuenta local, puede reemplazar el archivo TcSysUI.exe. Otro usuario lo ejecutar\u00e1 autom\u00e1ticamente durante el inicio de sesi\u00f3n. Esto tambi\u00e9n es cierto para los usuarios con acceso administrativo. En consecuencia, un usuario menos privilegiado puede enga\u00f1ar a un usuario con mayores privilegios para que ejecute el c\u00f3digo que \u00e9l o ella modific\u00f3 de esta manera. Por defecto, los IPC de Beckhoff se env\u00edan con el software TwinCAT instalado de esta manera y con un \u00fanico usuario local configurado. Por lo tanto la vulnerabilidad existe si nuevos usuarios menos privilegiados han sido incorporados"}], "lastModified": "2020-12-03T16:47:53.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:beckhoff:twincat_extended_automation_runtime:3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86D77675-9196-4032-8809-AC9CDEB01259"}], "operator": "OR"}]}], "sourceIdentifier": "info@cert.vde.com"}