{"vuid":"VU#466044","idnumber":"466044","name":"Siemens Totally Integrated Automation Portal vulnerable to privilege escalation due to Node.js paths","keywords":null,"overview":"### Overview\r\nSiemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.\r\n\r\n### Description\r\n\r\nSiemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the `C:\\node_modules\\` directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted `.js` file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.\r\n\r\n### Impact\r\nBy placing a specially-crafted JS file in the `C:\\node_modules\\` directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.\r\n\r\n### Solution\r\n#### Apply an update\r\nThis issue is addressed in TIA Administrator [V1.0 SP2 Upd2](https://support.industry.siemens.com/cs/ww/en/view/114358/). PCS neo administration console users should apply the mitigations described in [Industrial Security in SIMATIC PCS neo](https://support.industry.siemens.com/cs/ww/en/view/109771524).\r\n\r\nFor more details see Siemens Security Advisory [SSA-428051](https://cert-portal.siemens.com/productcert/pdf/ssa-428051.pdf).\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://cert-portal.siemens.com/productcert/pdf/ssa-428051.pdf","https://support.industry.siemens.com/cs/ww/en/view/109771524"],"cveids":["CVE-2020-25238"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-02-09T15:09:41.634287Z","publicdate":"2021-02-09T15:09:41.370784Z","datefirstpublished":"2021-02-09T15:09:41.705068Z","dateupdated":"2021-02-09T17:45:23.956181Z","revision":4,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":39}