CVE-2020-12320
📋 TL;DR
This vulnerability in Intel SCS Add-on for Microsoft SCCM allows authenticated local users to escalate privileges by manipulating the search path. It affects organizations using Intel SCS Add-on versions before 2.1.10 with SCCM. Attackers could gain higher system permissions if they have initial access.
💻 Affected Systems
- Intel(R) SCS Add-on for Microsoft SCCM
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full administrative control over the system, potentially compromising the entire SCCM environment and deploying malicious software.
Likely Case
A malicious insider or compromised account escalates privileges to install backdoors, steal sensitive data, or move laterally within the network.
If Mitigated
With strict access controls and patching, impact is limited to isolated systems with minimal data exposure.
🎯 Exploit Status
Exploitation likely requires local access and basic user privileges; no public exploits known as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.10
Vendor Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00413
Restart Required: Yes
Instructions:
1. Download Intel SCS Add-on version 2.1.10 from Intel's official site.
2. Install the update on all affected SCCM servers.
3. Restart the servers to apply changes.
4. Verify installation via version check.
🔧 Temporary Workarounds
Restrict Local User Permissions
Limit local user access to directories that could be manipulated in the search path to reduce attack surface.
Use Windows Group Policy to enforce strict file permissions and access controls.
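One way to find the directories this workaround refers to, as an added example that is not part of the advisory or Intel's tooling: the PowerShell script below lists machine-PATH directories where a principal other than SYSTEM, Administrators or TrustedInstaller may create files. The -ExtraDirectory parameter and the trusted-SID list are assumptions of the example.

```powershell
# Added example: audit machine-PATH directories for ACEs that let
# non-administrative principals create or replace files.
param(
    # Extra directories to audit, e.g. the add-on's install folder (placeholder, supply your own).
    [string[]]$ExtraDirectory = @()
)

# Well-known SIDs expected to hold write access (assumption of this example).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow planting a file in a directory or loosening its ACL.
$risky = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType = [System.Security.Principal.SecurityIdentifier]

$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) }
$dirs = @($dirs) + $ExtraDirectory | Where-Object { $_ } | Select-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is worth review: it may be created later with weaker ACLs.
        [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = $null }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }  # applies to children only
        if (([int]$ace.FileSystemRights -band $risky) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}
```

Run it from an elevated prompt so Get-Acl can read every directory; each row returned is a directory whose permissions should be tightened or whose PATH entry should be removed.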
🧯 If You Can't Patch
- Implement least privilege access controls to minimize the number of users with local authentication.
- Monitor and audit local user activities for suspicious behavior related to file path manipulation.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Intel SCS Add-on via SCCM console or by running 'sc query' for related services and verifying version numbers.
Check Version:
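In Windows, check the program version in Control Panel > Programs and Features, or use PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Intel SCS Add-on*'} | Select-Object Name, Version
Querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, so expect the command to be slow on servers with many packages.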
Verify Fix Applied:
Confirm that Intel SCS Add-on version is 2.1.10 or higher using the same version check methods.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access or creation in system directories by authenticated users
- Failed or successful privilege escalation attempts in Windows Event Logs (e.g., Event ID 4688, process creation)
Network Indicators:
- None specific, as this is a local privilege escalation vulnerability.
SIEM Query:
Example for Splunk: index=windows EventCode=4688 | search "Intel SCS" OR "path manipulation" | stats count by user, process