A privilege escalation vulnerability exists in Kepware LinkMaster 18.104.22.168. In its default configuration, an attacker can globally overwrite service configuration to execute arbitrary code with NT SYSTEM privileges.
Kepware LinkMaster 22.214.171.124
9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-276 - Incorrect Default Permissions
Kepware LinkMaster is a product linking various OPC servers and clients providing a means of communication between current DDE/OPC and legacy clients and applications.
The vulnerability arises due to incorrect defauly permissions set on LinkMasterV3 service which grants Everyone group access to the
SERVICE_CHANGE_CONFIG option allowing anyone to reconfigurethe service in any manner. A local attacker can use this vulnerability to modify the existing service binary to point to an arbitrary executable which will run with
NT SYSTEM privileges.
LinkMasterV3 RW Everyone SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_CHANGE_CONFIG SERVICE_START SERVICE_STOP RW NT AUTHORITY\SYSTEM SERVICE_ALL_ACCESS RW BUILTIN\Administrators SERVICE_ALL_ACCESS
2020-09-08 - Vendor Disclosure
2020-12-16 - Public Release
Discovered by Yuri Kramarz of Cisco Talos.