################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product:   Fabasoft Cloud Enterprise Client
# Vendor:    Fabasoft
# Vendor ID: PDO06614
# CSNC ID:   CSNC-2023-002
# CVE ID:    CVE-2023-32764
# Subject:   Local Privilege Escalation
# Risk:      High
# Effect:    Locally exploitable
# Authors:   Tino Kautschke
#            Dennis Henke
# Date:      08.05.2023
#
################################################################################

Introduction:
-------------
The Fabasoft Cloud lets you create a digital business network for your company
based on relationships of trust, for secure cross-company, transnational
collaboration in the cloud. Fabasoft provides a native client that allows, for
example, editing documents directly via the web client or synchronizing
documents on the device. [1-3]

Compass Security identified a local privilege escalation vulnerability that
allows a user on a system with the Fabasoft Cloud Enterprise Client installed
to escalate their privileges to local administrator (SYSTEM).

Affected:
---------
Vulnerable (tested):
 * Fabasoft Cloud Enterprise Client 23.3.0.130 / 23.3.130

Not vulnerable (tested):
 * Fabasoft Cloud Enterprise Client 23.6.0.99 / 23.6.99

Not vulnerable (according to the vendor announcement):
 * 23.4.0.66 and above
 * 23.0.1.23 and above
 * 22.9.0.75 and above
 * 22.0.3.88 and above
 * 21.1.3.204 and above

Other affected products (Windows only):
 * Fabasoft Folio / eGov-Suite 2021 Update Rollup 3
 * Fabasoft Folio / eGov-Suite 2022 (up to Update Rollup 3 and Feature Track)
 * Fabasoft Folio / eGov-Suite 2023 (up to Update Rollup 1)
 * Fabasoft Cloud

Technical Description:
----------------------
The Fabasoft Cloud Enterprise Client uses an update service named
FabasoftCloudUS.exe, which is executed with SYSTEM privileges.
On update, the service looks for new update files in
C:\ProgramData\fabasoft.plugin, a folder that arbitrary users can read and
write to. To start the update process, the service expects a signed MSI file
and an empty file with the extension '.pending' in this folder.

The update mechanism is vulnerable after the successful validation of a signed
MSI file: the signature is checked on a file in the user-writable folder, and
the same path is later handed to msiexec, a classic time-of-check/time-of-use
race. An unprivileged user can place any Fabasoft-signed MSI update or setup
file in the folder to pass the validation check. After validation, the MSI
file is renamed and handed over to the msiexec setup process. During this
step, it is possible to rename the file again and exchange it with an
arbitrary MSI package. A command-line script that performs the renaming
operations in a loop can exchange the MSI package as soon as the window opens,
before the update process hands the file over to msiexec. The update process
first produces some access errors because of the renaming operation, but it is
tolerant of them and retries accessing the file. The exchanged malicious MSI
package is then taken, handed over to msiexec and installed with SYSTEM
privileges.

This means that an unprivileged user can install arbitrary MSI packages,
resulting in code execution with full SYSTEM permissions. This can be used,
e.g., to start a reverse shell or to execute other malicious commands.

Workaround / Fix:
-----------------
The processing of MSI packages during the update process should be revised to
ensure that packages cannot be exchanged for ones originating from untrusted
sources. A patch has already been released by the vendor.

The update service should install update packages from a folder for which
non-admin users do not have change or modify privileges. Microsoft's
guidelines and best practices for MSI packages should be considered during
development.

In general, the update service should not run in a highly privileged context
like SYSTEM. It is recommended to set up a dedicated service user with the
necessary privileges only.
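The following PowerShell script is an added example, not code from this advisory or from Fabasoft. It checks, on a host, the two conditions the fix recommendations above turn on: whether the update staging folder grants write access to unprivileged principals (the precondition for the rename race described in the technical description), and which client update service exists and whether it is running. The folder path C:\ProgramData\fabasoft.plugin and the service name prefix 'folioupdate' are taken from this advisory; the list of principals treated as "unprivileged" and the rights mask are this example's own assumptions.

```powershell
# Added example (not from the advisory or the vendor). Run from an elevated
# PowerShell 5.1 or later on a host with the Fabasoft client installed.
using namespace System.Security.AccessControl

# Folder named in the advisory as the update staging location.
$StagingDir = 'C:\ProgramData\fabasoft.plugin'

# Assumption: well-known groups that every local, non-admin user belongs to.
$UnprivilegedPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Assumption: any of these rights lets a user create, replace, delete or
# rename files in the folder, which is all the rename race needs.
$WriteMask = [int]([FileSystemRights]::Write -bor [FileSystemRights]::Modify -bor
                   [FileSystemRights]::FullControl -bor [FileSystemRights]::Delete -bor
                   [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [FileSystemRights]::CreateFiles -bor [FileSystemRights]::CreateDirectories)
# ACEs may also carry un-mapped generic rights: GENERIC_WRITE and GENERIC_ALL.
$GenericWriteMask = 0x40000000 -bor 0x10000000

function Get-UnprivilegedWriteAce {
    # Returns one object per Allow ACE that gives an unprivileged principal
    # write-like access to $Path; returns nothing if the folder is clean.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "$Path does not exist on this host; nothing to audit."
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if ($UnprivilegedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)) {
            [pscustomobject]@{
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Propagation = $ace.InheritanceFlags
            }
        }
    }
}

function Get-ClientUpdateService {
    # The vendor workaround names the service 'folioupdate' or 'folioupdatepm2X'.
    Get-Service -Name 'folioupdate*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

# --- Report -----------------------------------------------------------------
$aces = @(Get-UnprivilegedWriteAce -Path $StagingDir)
if ($aces.Count -gt 0) {
    Write-Host "FINDING: $StagingDir is writable by unprivileged principals:" -ForegroundColor Red
    $aces | Format-Table -AutoSize
} else {
    Write-Host "OK: no unprivileged write access on $StagingDir"
}

$svc = @(Get-ClientUpdateService)
if ($svc.Count -eq 0) {
    Write-Host "No 'folioupdate*' service found (client not installed, or a different service name)."
} else {
    $svc | Format-Table -AutoSize
}
```

A writable staging folder on its own does not prove the host is exploitable: the vendor fix changes how the service processes packages, so an installation at or above the fixed versions listed under "Affected" may still show the finding without being vulnerable. Treat the ACL result as a prompt to verify the installed client version. Where updating is not immediately possible, the service returned by the second check is the one the vendor workaround says to stop and disable (Stop-Service followed by Set-Service -StartupType Disabled).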
As a customer using the Fabasoft Cloud Enterprise Client, update your
installation to the latest version.

Workaround: disable the Fabasoft Folio Client Update Service "folioupdate" or
"folioupdatepm2X".

Timeline:
---------
2023-05-08: Discovery by Tino Kautschke and Dennis Henke
2023-05-08: Initial vendor notification
2023-05-08: CVE number requested
2023-05-15: CVE number reserved: CVE-2023-32764
2023-06-09: Test of version 23.6.99, vulnerability has been fixed
2023-07-04: Last public vulnerability announcement by vendor (PDO06614) [4]
2023-08-02: Coordinated disclosure of the advisory

References:
-----------
[1] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm
[2] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm
[3] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm
[4] https://help.supportservices.fabasoft.com/index.php?topic=doc/Vulnerabilities-Fabasoft-Folio/vulnerabilities-2023.htm#client-autoupdate-harmful-code-installation-vulnerability-pdo06614-