Beckhoff TwinCAT Installation Directory Incorrect Default Permissions (CVE-2020-12510)

high Tenable OT Security Plugin ID 500434

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The default installation path of the TwinCAT XAR 3.1 software, in all versions, is underneath C:\TwinCAT. If the directory does not exist, it and further subdirectories are created with permissions that allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution when a user logs in. A less privileged user with a local account can therefore replace TcSysUI.exe, and the replaced file will be executed automatically by another user during login. This also applies to users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code that he or she modified this way. By default, Beckhoff's IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.
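
A read-only audit for the condition described above, added here as an example (it is not part of the Tenable plugin or of Beckhoff's advisory). It assumes the default root C:\TwinCAT and finds TcSysUI.exe by searching beneath it; the function name Get-BroadWriteAce and the list of "broad" groups are choices made for this example.

```powershell
# Added example: report ACL entries that let broad local groups modify
# C:\TwinCAT or the auto-started TcSysUI.exe. Read-only; changes nothing.
# Assumption: TwinCAT is installed under the default root C:\TwinCAT.
param([string]$Root = 'C:\TwinCAT')

# Well-known SIDs of broad, low-privileged principals (locale-independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow replacing or tampering with a file or directory entry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_ALL / GENERIC_WRITE bits, which can appear in inherit-only ACEs.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for rules keyed by SID so group names need not be resolved.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            ([int]$rule.FileSystemRights -band $WriteMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { Write-Output "$Root not present"; return }

# Check the root, plus every copy of TcSysUI.exe and the folder that holds it.
$targets = @($Root)
Get-ChildItem -LiteralPath $Root -Recurse -Filter 'TcSysUI.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $targets += $_.FullName; $targets += $_.DirectoryName }
$targets = @($targets | Select-Object -Unique)

$findings = $targets | ForEach-Object { Get-BroadWriteAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No broad write access found on $($targets.Count) checked path(s)." }
```

Any row returned means members of that group can alter the listed path. As the description notes, this matters once local accounts other than the single default user exist on the machine.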

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

http://www.nessus.org/u?f7b3268c

https://cert.vde.com/en-us/advisories/vde-2020-037

Plugin Details

Severity: High

ID: 500434

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/12/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-12510

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:beckhoff:twincat_extended_automation_runtime:3.1

Required KB Items: Tenable.ot/Beckhoff

Exploit Ease: No known exploits are available

Patch Publication Date: 11/19/2020

Vulnerability Publication Date: 11/19/2020

Reference Information

CVE: CVE-2020-12510

CWE: 276