CVE-2020-25245
Description
A vulnerability has been identified in DIGSI 4 (All versions < V4.94 SP1 HF 1). Several folders in the %PATH% are writeable by normal users. As these folders are included in the search for dlls, an attacker could place dlls there with code executed by SYSTEM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DIGSI 4 versions prior to V4.94 SP1 HF 1 allow low-privileged users to plant malicious DLLs in writable %PATH% folders, leading to arbitrary code execution as SYSTEM.
Vulnerability
The vulnerability is an incorrect default permissions issue (CWE-276) in Siemens DIGSI 4. Several folders in the %PATH% environment variable are writable by normal users. Since these folders are included in the search order for DLLs, an attacker can place a malicious DLL in one of these directories. Affected versions: all versions prior to V4.94 SP1 HF 1. [1]
Exploitation
An attacker needs low-privileged local access to the system. No user interaction is required beyond the attacker placing the DLL. The attacker can write a specially crafted DLL into a writable folder that is part of the %PATH%. When a privileged process (running as SYSTEM) loads a DLL from that path, the malicious DLL is executed instead. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, leading to full compromise of confidentiality, integrity, and availability. The CVSS v3 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). [1]
Mitigation
Siemens has released an update: upgrade to DIGSI 4 v4.94 SP1 HF 1 or later. As a general security measure, Siemens recommends protecting network access and configuring the environment according to industrial security guidelines. [1]
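As an added example (not Siemens' code and not part of the advisory or this page), the following PowerShell audit lists every directory on the machine-wide %PATH% that grants write access to a broad low-privileged principal, which is the misconfiguration this CVE depends on. The list of principals and the handling of generic access bits are assumptions about a default Windows installation.

```powershell
# Added audit example, not Siemens' code or part of the advisory. Lists the
# directories on the machine-wide %PATH% that a broad, low-privileged principal
# can write to, i.e. the precondition that CVE-2020-25245 depends on.

# Assumed set of well-known principals that any local user is a member of.
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Bits that let a principal create or modify files in a directory. Modify and
# FullControl both include WriteData, so the same mask catches them.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData
$genericWrite = 0x40000000   # GENERIC_WRITE, seen in ACEs stored with generic rights
$genericAll   = 0x10000000   # GENERIC_ALL

function Test-BroadWriteAccess {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not evaluated here
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band $writeBits) -or ($raw -band $genericWrite) -or ($raw -band $genericAll)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

# Only the machine-wide PATH is relevant: SYSTEM services do not see a user's PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$machinePath -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique |
    ForEach-Object {
        $dir = $_
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Directory = $dir; Finding = 'missing (dangling PATH entry)' }
            return
        }
        try {
            $who = Test-BroadWriteAccess -Directory $dir
            $finding = if ($who) { "writable by $who" } else { 'ok' }
        } catch { $finding = "ACL read failed: $($_.Exception.Message)" }
        [pscustomobject]@{ Directory = $dir; Finding = $finding }
    } | Format-Table -AutoSize
```

Reading directory ACLs needs no elevation, so the check can run as a normal user. Deny ACEs and group memberships beyond the listed principals are not evaluated, so treat an "ok" as a first pass rather than proof.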
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: < V4.94 SP1 HF 1
- (no CPE) range: All versions < V4.94 SP1 HF 1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cert-portal.siemens.com/productcert/pdf/ssa-536315.pdf (MISC)
- us-cert.cisa.gov/ics/advisories/icsa-21-040-10 (MISC)
News mentions
No linked articles in our index yet.