################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: Fabasoft Cloud Enterprise Client
# Vendor:  Fabasoft
# CSNC ID: CSNC-2022-010
# CVE ID:  CVE-2022-29908
# Subject: Local Privilege Escalation
# Risk:    High
# Effect:  Locally exploitable
# Authors: Tino Kautschke
# Date:    14.09.2022
#
################################################################################

Introduction:
-------------
The Fabasoft Cloud lets you create a digital business network for your company
based on relationships of trust – for secure cross-company, transnational
collaboration in the cloud. Fabasoft provides a native client that allows, for
example, editing documents directly via the web client or synchronizing
documents on the device. [1-3]

Compass Security identified a local privilege escalation vulnerability,
allowing a user on a system with the Fabasoft Cloud Enterprise Client
installed, to escalate their privileges to local administrator.

Affected:
---------
Vulnerable:
 * Fabasoft Cloud Enterprise Client 22.4.0043

No other version was tested, but it is possible for older versions to be
vulnerable.

Not vulnerable:
 * Fabasoft Cloud Enterprise Client 22.4.0045

Other products were affected (Windows only) [4]:
 * Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3
 * Fabasoft Folio / Fabasoft eGov-Suite 2022
 * Fabasoft Business Process Cloud

Technical Description:
----------------------
The Fabasoft Cloud Enterprise Client uses an update service named
FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it
looks for new update files in C:\ProgramData\fabasoft.plugin, which can be read
and written to by arbitrary users. The update service expects a signed MSI file
and an empty file with extension '.pending' in this folder to start the update
process.

The validation check for signed MSI files is vulnerable. It is possible to sign
an arbitrary MSI package with a self-signed certificate containing Fabasoft's
information in the certificate fields. The validation check will accept the
self-signed MSI package and start the setup process with SYSTEM privileges.

This means that an unprivileged user can execute arbitrary MSI packages, thus
resulting in code execution with full SYSTEM permissions. This can be, e.g.,
exploited by executing a reverse shell or other malicious commands.

Workaround / Fix:
-----------------
The validation process for signed MSI files should be revised to ensure that it
is not possible to install packages from untrusted sources. A patch has already
been released by the publisher. [4]

The update service should not run in a highly privileged context like SYSTEM.
It is recommended to set up a dedicated service user with necessary privileges
only.

As a customer using the Fabasoft Cloud Enterprise Client, update your
installation to the latest version.

Workaround: disable Fabasoft Folio Client Update Service "folioupdate".

Timeline:
---------
2022-04-13: Discovery by Tino Kautschke
2022-04-13: Initial vendor notification
2022-04-21: Fabasoft public announcement and release of fixed version
2022-04-29: Vulnerability registered as CVE-2022-29908
2022-09-14: Coordinated disclosure of the advisory

References:
-----------
[1] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm
[2] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm
[3] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm
[4] https://www.fabasoft.com/en/support/knowledgebase/client-autoupdate-harmful-code-installation-vulnerability-fsc33251
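
Added example, not part of the Compass advisory and not Fabasoft's code: a PowerShell audit of the update folder named in the Technical Description. It accepts a package only when Windows reports the Authenticode chain as valid and the signer thumbprint is pinned, instead of trusting certificate name fields, and it lists ACL entries that let non-administrative identities write to the folder. The thumbprint is a placeholder and the function names are hypothetical.

```powershell
# Added example. Thumbprint below is a placeholder; function names are hypothetical.
param(
    [string]$UpdateDir = 'C:\ProgramData\fabasoft.plugin',               # path from the advisory
    [string[]]$PinnedThumbprints = @('<VENDOR-SIGNING-CERT-THUMBPRINT>') # placeholder
)

function Test-UpdatePackage {
    param([Parameter(Mandatory)][string]$Path, [string[]]$AllowedThumbprints)
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    # 'Valid' means the file hash matches AND the chain builds to a trusted root.
    $chainTrusted = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    # Subject text in a self-signed certificate is chosen by whoever created it,
    # so the decision is made on the pinned thumbprint, never on name fields.
    $pinned     = ($null -ne $cert) -and ($AllowedThumbprints -contains $cert.Thumbprint)
    $selfIssued = ($null -ne $cert) -and ($cert.Subject -eq $cert.Issuer)
    $subject    = if ($cert) { $cert.Subject } else { $null }
    [pscustomobject]@{
        File = $Path; Status = $sig.Status; Subject = $subject
        SelfIssued = $selfIssued; Pinned = $pinned
        Accept = $chainTrusted -and $pinned
    }
}

function Get-NonAdminWriteRule {
    param([Parameter(Mandatory)][string]$Dir)
    # SYSTEM, BUILTIN\Administrators, TrustedInstaller (well-known SIDs, locale independent)
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    (Get-Acl -LiteralPath $Dir).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write) -and
        $trusted -notcontains $_.IdentityReference.Value
    }
}

if (Test-Path -LiteralPath $UpdateDir) {
    # ACL entries that let non-administrative identities create files in the folder
    Get-NonAdminWriteRule -Dir $UpdateDir | Format-Table IdentityReference, FileSystemRights
    # Every MSI waiting in the folder, with the trust decision for each
    Get-ChildItem -LiteralPath $UpdateDir -Filter *.msi -File |
        ForEach-Object { Test-UpdatePackage -Path $_.FullName -AllowedThumbprints $PinnedThumbprints } |
        Format-Table -AutoSize
}
```

A package showing SelfIssued = True, or a Subject naming the vendor while Accept is False, matches the condition the advisory describes and is worth investigating.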