CVE-2020-22722

Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\SYSTEM by giving the attacker full system access to the remote PC.

CVSS v3 7.8 HIGH
CVSS v2.0 7.2 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:rapidscada:rapid_scada:5.8.0:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-08-14 16:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-22722

Mitre link : CVE-2020-22722

CVE.ORG link : CVE-2020-22722

JSON object : View

Products Affected

microsoft

windows

rapidscada

rapid_scada

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2020-22722", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2020-08-14T16:15:17.070", "references": [{"url": "https://syhack.wordpress.com/2020/04/21/rapid-scada-local-privilege-escalation-vulnerability/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\\SYSTEM by giving the attacker full system access to the remote PC."}, {"lang": "es", "value": "Rapid Software LLC Rapid SCADA versi\u00f3n 5.8.0, est\u00e1 afectado por una vulnerabilidad de escalada de privilegios local en el archivo ejecutable ScadaAgentSvc.exe. Un atacante puede alcanzar privilegios de administrador mediante la colocaci\u00f3n de un archivo .exe malicioso en la aplicaci\u00f3n y renombr\u00e1ndolo como ScadaAgentSvc.exe, lo que resultar\u00eda en una ejecuci\u00f3n del binario como NT AUTHORITY\\SYSTEM en un sistema operativo Windows. Por ejemplo, un atacante puede plantar un shell inverso desde una cuenta de usuario poca privilegiada y, al reiniciar la computadora, el servicio malicioso ser\u00e1 iniciado como NT AUTHORITY\\SYSTEM, al otorgarle a un atacante un acceso completo de sistema hacia la PC remota."}], "lastModified": "2020-08-21T14:50:25.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rapidscada:rapid_scada:5.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C13004B-091D-43C8-B9CD-A0B70FA7C1CB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}