CVE-2018-13101

9.8 CRITICAL

📋 TL;DR

CVE-2018-13101 is a critical privilege escalation vulnerability in RedSwimmer KioskSimple 1.4.7.0 where the WCF endpoint exposes methods allowing unauthorized registry access and service control. Attackers can exploit this to execute arbitrary binaries with elevated privileges. Organizations using KioskSimple 1.4.7.0 in kiosk or public access systems are affected.

💻 Affected Systems

Products:
  • RedSwimmer KioskSimple
Versions: 1.4.7.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of KioskSimple 1.4.7.0. The WCF endpoint is exposed by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary code with SYSTEM privileges, install malware, steal credentials, and pivot to other systems.

🟠 Likely Case

Local privilege escalation leading to unauthorized access to sensitive data, system configuration changes, and persistence mechanisms.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege principles, and endpoint protection are implemented.

🌐 Internet-Facing: MEDIUM - While the service typically runs locally, if exposed via network misconfiguration or in kiosk environments with network access, risk increases.
🏢 Internal Only: HIGH - The vulnerability allows local privilege escalation, putting any system running the vulnerable software at significant risk from insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires local access but no authentication. Public exploit details are available in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.8.0 or later

Vendor Advisory: https://github.com/VerSprite/research/blob/master/advisories/VS-2018-026.md

Restart Required: Yes

Instructions:

1. Download the latest version from RedSwimmer.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Disable KioskSimpleService (Windows)

Stop and disable the vulnerable service if it is not required:

sc stop KioskSimpleService
sc config KioskSimpleService start= disabled

Firewall Block (Windows)

Block network access to the WCF endpoint:

netsh advfirewall firewall add rule name="Block KioskSimple" dir=in action=block program="C:\Program Files\KioskSimple\KioskSimpleService.exe" enable=yes

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Apply Windows hardening measures including registry permissions and service hardening

🔍 How to Verify

Check if Vulnerable:

Check if KioskSimpleService.exe version is 1.4.7.0 and service is running

Check Version:

wmic datafile where name="C:\\Program Files\\KioskSimple\\KioskSimpleService.exe" get version

Verify Fix Applied:

Verify KioskSimpleService.exe version is 1.4.8.0 or later
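The version and service checks above can be combined into one PowerShell function. This is an added example, not code from the advisory or from RedSwimmer; it assumes the install path and service name used in this page's commands, and the function name and verdict strings are hypothetical.

```powershell
# Added example: classify one host against the versions stated on this page.
# Path and service name are taken from this page's commands (assumed default install).
$ExePath         = 'C:\Program Files\KioskSimple\KioskSimpleService.exe'
$ServiceName     = 'KioskSimpleService'
$AffectedVersion = [version]'1.4.7.0'   # "Versions" listed on this page
$FixedVersion    = [version]'1.4.8.0'   # "Patch Version" listed on this page

function Get-KioskSimpleStatus {
    param(
        [string]$Path    = $ExePath,
        [string]$Service = $ServiceName
    )
    $r = [ordered]@{
        Installed = $false; FileVersion = $null
        ServiceState = 'NotFound'; StartMode = $null; Verdict = 'NotInstalled'
    }
    if (Test-Path -LiteralPath $Path) {
        $r.Installed = $true
        $vi = (Get-Item -LiteralPath $Path).VersionInfo
        # Use the numeric parts; the FileVersion string can carry text suffixes.
        $r.FileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    # Win32_Service reports both the current state and the configured start mode.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Service'" -ErrorAction SilentlyContinue
    if ($svc) { $r.ServiceState = $svc.State; $r.StartMode = $svc.StartMode }

    if ($r.Installed) {
        if ($r.FileVersion -ge $FixedVersion) {
            $r.Verdict = 'Patched'
        } elseif ($r.FileVersion -ne $AffectedVersion) {
            # This page lists only 1.4.7.0 as affected; older builds need manual review.
            $r.Verdict = 'BelowFixedVersion-NotListed'
        } elseif ($r.ServiceState -eq 'Running') {
            $r.Verdict = 'Vulnerable-ServiceRunning'
        } elseif ($r.StartMode -eq 'Disabled') {
            $r.Verdict = 'Vulnerable-ServiceDisabled'   # workaround in place, patch still needed
        } else {
            $r.Verdict = 'Vulnerable-ServiceStopped'    # can still be started
        }
    }
    [pscustomobject]$r
}

Get-KioskSimpleStatus | Format-List
```

A `Vulnerable-ServiceDisabled` verdict shows the temporary workaround is applied while the binary is still the affected build.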

📡 Detection & Monitoring

Log Indicators:

  • Unusual registry modifications
  • Service control events for KioskSimpleService
  • Process creation from KioskSimpleService with unusual parameters

Network Indicators:

  • Unusual network connections to/from KioskSimpleService port
  • WCF endpoint communication from unauthorized sources

SIEM Query:

EventID=4688 AND ParentProcessName="*KioskSimpleService.exe*" AND (CommandLine="*reg*" OR CommandLine="*sc*")
