Extensive file permissions on service executable in Eikon Thomson Reuters (CVE-2019-10679)

Title

Extensive file permissions on service executable

Product

Eikon Thomson Reuters

Vulnerable Version

4.0.42144

Fixed Version

-

CVE Number

CVE-2019-10679

Impact

high

Homepage

https://eikon.thomsonreuters.com/ _blank

Found

18.03.2019

By

Khalil Bijjou (Office Switzerland) | SEC Consult Vulnerability Lab

SEC Consult found a vulnerability that allows unprivileged users to escalate their privileges to SYSTEM in Eikon of Thomson Reuters. This is possible due to extensive file permissions that allow standard users to modify executable files.

Vendor Description

“Eikon is the financial analysis desktop and mobile solution that connects you t relevant, trusted content, Reuters news, markets, liquidity pools, and colleagues.”

Source: https://www.refinitiv.com/en/products/spot-matching-forwards-matching

Business Recommendation

As long as the vendor did not release a patch for this vulnerability, we recommend moving Eikon Thomson Reuters to a separate system outside the domain to which users can connect to. Furthermore, we recommend to closely monitor any activities related to Eikon Thomson Reuters.

Vulnerability Overview / Description

The current file permissions of the directory C:\Program Files (x86)\Thomson Reuters)\Eikon allow users of the group Authenticated Users to modify files in the folder. As these files are executed by the service that runs with SYSTEM privileges, it is possible to escalate privileges and create a new user with administrator privileges.

Proof Of Concept

The service’s executable file is writeable by members of the Authenticated Users group. A user can create a malicious file that for example creates a new user and adds him to the Administrators group and replace the service’s executable file with it.

As the service runs in the SYSTEM users context, the malicious file will be executed the next time the service is started. As the SYSTEM user has the highest privileges, the mentioned actions are successfully performed and a new user will be created and added to the administrators group.

Creating a new user represents only an example. Other critical actions can be performed instead.

Vulnerable / Tested Versions

The following version has been tested which was the latest version available at the time of discovery:

  • 4.0.42144

Vendor Contact Timeline

2019-04-09 Contacting vendor through the contact form in the homepage. Service request number is 07521820.
2019-04-09 Received reply that they will supply a security contact.
2019-04-16 Sent reminder as no security contact has been supplied yet.
2019-04-23 Sent reminder #2.
2019-04-23 Vendor replied: “Thank you for your reminder, the release date has been duly noted. As previously mentioned, I have transferred your query to our security specialists already, they will reach out to you if they deem it necessary.”
2020-08-26 Release of security advisory.

Solution

As the vendor has not responded to any of our further requests, we are currently unaware, whether a fix has been published or not. In any case, we recommend to run the application on a separate server to which users have to connect (e.g. via RDP).

Workaround

We recommend enabling write permissions to administrative users only and to adhere to updating best practices.

Advisory URL

Vulnerability Lab

 

EOF Khalil Bijjou / @2020

 

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.

Back