CVE-2019-19896
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code with SYSTEM privileges on IXP EasyInstall servers and clients. Attackers can modify files via weak permissions on the Engine Service share, leading to complete system compromise. Organizations using IXP EasyInstall 6.2.13723 are affected.
💻 Affected Systems
- IXP EasyInstall
📦 What is this software?
Easyinstall by Ixpdata
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation across the network.
Likely Case
Attackers gain initial foothold, escalate to SYSTEM, deploy malware, and move laterally to compromise additional systems in the environment.
If Mitigated
Limited impact due to network segmentation, strict access controls, and monitoring that detects unauthorized file modifications.
🎯 Exploit Status
Exploitation requires network access to the IXP$ share and ability to modify files. The Improsec blog provides technical details but not full exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated; check with the vendor for an updated release
Vendor Advisory: https://improsec.com/tech-blog/multiple-vulnerabilities-in-easyinstall-rmm-and-deployment-software
Restart Required: Yes
Instructions:
1. Contact IXP for the updated version.
2. Apply the patch to all EasyInstall servers.
3. Restart the Engine Service.
4. Verify that the share permissions have been corrected.
🔧 Temporary Workarounds
Restrict IXP$ Share Permissions
(Windows) Modify the NTFS permissions on the Engine Service directory behind the IXP$ share to remove write access for unauthorized users.
icacls "C:\Program Files\IXP\Engine Service" /deny Everyone:(OI)(CI)(W)
icacls "C:\Program Files\IXP\Engine Service" /grant SYSTEM:(OI)(CI)F /grant Administrators:(OI)(CI)F
Note that a deny entry for Everyone is evaluated before allow entries and Everyone also contains SYSTEM and Administrators, so the first command can block the Engine Service's own writes despite the second command; removing the broad allow entries (for Everyone, Users, Authenticated Users) is the safer change, and either approach should be tested on a non-production server first.
Disable Engine Service Share
(Windows) Temporarily disable or restrict access to the Engine Service share if it is not required (this stops client deployment through the share until it is recreated).
net share IXP$ /delete
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EasyInstall servers from untrusted networks
- Deploy application whitelisting to prevent execution of unauthorized scripts and binaries
🔍 How to Verify
Check if Vulnerable:
Run 'net share' to confirm the IXP$ share exists, then 'icacls "C:\Program Files\IXP\Engine Service"' to review which principals hold write (W), modify (M) or full (F) access on the directory.
Check Version:
Check EasyInstall version in Control Panel or program directory
Verify Fix Applied:
Verify that the share and NTFS permissions no longer grant write access to unauthorized users, and confirm that a file-write attempt from an unprivileged account against the share fails.
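As an added check for the verification steps above (this script is not from the Improsec advisory or from IXP), the following PowerShell reads the NTFS ACL on the Engine Service directory and the IXP$ share ACL and reports any write access held by broad principals; the directory path and share name are the ones this page uses, while the list of broad principals and the function name are assumptions.

```powershell
# Added audit (not vendor code): report write access to the Engine Service directory
# and the IXP$ share held by broad principals. Path and share name are from the page;
# the principal list is an assumption and should be adjusted per site.
$EngineServicePath = 'C:\Program Files\IXP\Engine Service'
$ShareName         = 'IXP$'
$BroadPrincipals   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\NETWORK')
function Test-IxpWriteExposure {
    param([string]$Path, [string]$Share, [string[]]$Broad)
    $findings = @()
    # NTFS layer: an Allow ACE for a broad principal carrying any write bit.
    # FullControl and Modify contain the Write bits, so they are caught as well;
    # GENERIC_WRITE / GENERIC_ALL catch un-mapped generic rights on inherited ACEs.
    $writeBits    = [int][System.Security.AccessControl.FileSystemRights]::Write
    $genericWrite = 0x40000000; $genericAll = 0x10000000
    if (Test-Path -LiteralPath $Path) {
        foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
            $rights   = [int]$ace.FileSystemRights
            $canWrite = (($rights -band $writeBits) -ne 0) -or
                        (($rights -band $genericWrite) -ne 0) -or
                        (($rights -band $genericAll) -ne 0)
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                ($Broad -contains $ace.IdentityReference.Value)) {
                $findings += "NTFS  $($ace.IdentityReference.Value): $($ace.FileSystemRights) on $Path"
            }
        }
    } else {
        $findings += "NTFS  $Path not found; confirm the EasyInstall install location"
    }
    # SMB layer: Full or Change on the share. Effective remote access is the more
    # restrictive of share and NTFS permissions, so both layers are reported.
    $shareAcl = Get-SmbShareAccess -Name $Share -ErrorAction SilentlyContinue
    if ($null -eq $shareAcl) {
        $findings += "SMB   share $Share not present (or SmbShare module unavailable)"
    } else {
        foreach ($entry in $shareAcl) {
            if ($entry.AccessControlType -eq 'Allow' -and
                ([string]$entry.AccessRight -in @('Full', 'Change')) -and
                ($Broad -contains $entry.AccountName)) {
                $findings += "SMB   $($entry.AccountName): $($entry.AccessRight) on $Share"
            }
        }
    }
    return ,$findings
}
$result = Test-IxpWriteExposure -Path $EngineServicePath -Share $ShareName -Broad $BroadPrincipals
if ($result.Count -eq 0) { "No broad write access on $EngineServicePath or $ShareName" }
else { "Broad write access found (CVE-2019-19896 exposure):"; $result }
```

Run it in an elevated PowerShell session on the EasyInstall server; an empty result after applying the fix, combined with a failed write test from an unprivileged account, is the expected outcome.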
📡 Detection & Monitoring
Log Indicators:
- Windows Security log entries showing unauthorized file modifications in the Engine Service directory (requires Object Access / File System auditing to be enabled and a SACL set on the directory; without it no 4656/4663 events are generated)
- Event ID 4663 (an attempt was made to access an object) for the IXP directory with unexpected user accounts
Network Indicators:
- Unusual SMB traffic to IXP$ share from unexpected sources
- File transfer patterns to Engine Service directory
SIEM Query (pseudo-syntax; adapt field names to your platform):
source="Windows Security" (event_id=4663 OR event_id=4656) object_name="*IXP*Engine Service*" AND user_name!="SYSTEM" AND user_name!="Administrators"
Note that user_name carries an account name, so the "Administrators" group exclusion will not match anything; exclude the specific administrator and service accounts that legitimately write to the directory instead, and tune on the access mask (write/delete) to cut read-only noise.