CVE-2024-50590
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Attackers with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:\Elefant1" which is writable for all users. In addition, the Elefant installer registers two Firebird database services which are running as “NT AUTHORITY\SYSTEM”.
Path: C:\Elefant1\Firebird_2\bin\fbserver.exe
Path: C:\Elefant1\Firebird_2\bin\fbguard.exe
Both service binaries are user writable. This means that a local attacker can rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITY\SYSTEM".
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HASOMED | Elefant | <24.04.00 | affected |
Weaknesses
- CWE-276: CWE-276 Incorrect Default Permissions
- CWE-732: CWE-732 Incorrect Permission Assignment for Critical Resource
- CWE-250: CWE-250 Execution with Unnecessary Privileges
Workarounds
While workarounds such as modifying the Elefant windows firewall rules and manually adjusting file permissions in the installation folder are feasible workarounds for some of the vulnerabilities, it is recommended to install the patches provided by the vendor.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.