CVE-2020-12775

9.8 CRITICAL

📋 TL;DR

CVE-2020-12775 is a command injection vulnerability in the Hicos citizen certificate client-side component. The component does not filter special characters in the web URL it is handed, so a remote attacker who can get a victim to open a crafted URL can inject arbitrary system commands. No authentication is required. Because the vulnerable code runs on the end user's machine, not on a server, the host that gets compromised is the workstation on which the component is installed, and the commands run with the privileges of the account running the component; where that account is a local administrator this amounts to full control of the host.

💻 Affected Systems

Products:
  • Hicos citizen certificate client-side component
Versions: The references do not name specific vulnerable versions; treat every build older than the vendor's patched release as affected
Operating Systems: Windows (primary); potentially any other OS on which the Hicos client component is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Affects end-user machines on which the Hicos citizen certificate web component is installed, i.e. users who authenticate to web applications with their citizen certificate through this plugin. The web applications themselves are not the vulnerable party.

📦 What is this software?

Hicos (HiCOS) is the smart-card client software used with Taiwan's Citizen Digital Certificate (自然人憑證). The citizen certificate client-side component is the piece installed on the user's computer that web applications invoke, via a URL, to read the card and perform certificate-based authentication and signing. It is this locally installed, URL-driven component that is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the affected workstation, allowing attackers to execute arbitrary commands with the privileges of the component, install malware, exfiltrate data, or disrupt critical services.

🟠 Likely Case: Remote code execution on the user's machine leading to service disruption, data theft, or installation of backdoors.

🟢 If Mitigated: Limited impact where the component is patched or removed, where the user account running it is unprivileged, and where network segmentation and egress filtering are in place.

🌐 Internet-Facing: HIGH - The trigger is a web URL handled by the component and no authentication is needed, so any user who can be lured to an attacker-controlled URL (phishing, malicious ad, compromised site) is exposed.
🏢 Internal Only: MEDIUM - Machines that cannot browse the internet are still vulnerable to a crafted URL delivered internally, but egress controls and segmentation reduce both delivery and post-exploitation options.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: Unknown (no public exploit is referenced)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit: the attacker embeds shell metacharacters in the parameters of a URL that the component processes, and no credentials or user privileges are required beyond getting the victim to open that URL.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the references; the vendor has released a patched build

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5695-421a7-1.html

Restart Required: Yes

Instructions:

1. Check the vendor advisory for the patched version and download location.
2. Download and apply the official patch on every machine that has the component installed.
3. Restart the affected component or the machine.
4. Verify the installed version now matches the patched release.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Reject or strip shell metacharacters (for example `;`, `|`, `&`, `` ` ``, `$(`, `^`, and their URL-encoded forms) in any parameter that a web application passes to the component.

Add web application firewall rules on the sites that invoke the component to block these patterns in the URLs they generate or redirect to.
Add the same sanitization in the calling application's code; note that this protects only URLs that flow through your own applications, not a crafted URL delivered directly to the victim.

Network Segmentation (platform: all)

Isolate machines that run the Hicos component from direct internet access where their role allows it.

Restrict which sites may reach the component's endpoints with firewall or proxy rules.
Apply egress filtering so that a compromised workstation cannot easily reach attacker infrastructure.

🧯 If You Can't Patch

  • Implement strict web application firewall rules to block command injection patterns
  • Disable or remove the Hicos citizen certificate component if not essential

🔍 How to Verify

Check if Vulnerable:

Check whether the Hicos citizen certificate component is installed and compare its version with the patched release named in the vendor advisory.

Check Version:

Check the application's documentation or, on Windows, the installed-programs entries in the registry (the Uninstall keys under HKLM\SOFTWARE and HKLM\SOFTWARE\WOW6432Node) for the component's DisplayVersion.

Verify Fix Applied:

The reliable check is the installed version. If you also test behaviour, do so only on your own hosts in a lab: pass parameters containing shell metacharacters (including URL-encoded forms) to the component and confirm they are rejected or neutralised rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution on workstations that have the component installed
  • Requests to the component carrying special characters in their parameters
  • Child processes (cmd.exe, powershell.exe, or equivalents) spawned by the Hicos component or by the browser that invoked it

Network Indicators:

  • HTTP requests containing command injection patterns aimed at Hicos endpoints
  • Unusual outbound connections from workstations running the component

SIEM Query:

search source="web_logs" AND (url="*rac_plugin*" AND (param="*;*" OR param="*|*" OR param="*`*"))
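The SIEM query above matches raw `;`, `|` and backtick characters, which misses the URL-encoded forms (`%3B`, `%7C`, `%60`) and double-encoded payloads that actually appear in request logs. The script below is an added example written for this page, not vendor code; it takes the `rac_plugin` endpoint name from the query above, and its log lines are constructed samples. The same `is_safe_param` check serves as the input-validation workaround described earlier for applications that build URLs for the component.

```python
"""Decode URL parameters before matching command-injection metacharacters.

Added example for this page (not Hicos vendor code). The endpoint marker
`rac_plugin` comes from the page's SIEM query; the log lines below are
constructed samples, not captured traffic.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Command separators and substitutions for cmd.exe and POSIX shells.
# Matched only after URL-decoding, so %3B, %7C, %26, %60 and %24%28 are caught.
META_PATTERN = re.compile(r"[;|&`^<>\n\r]|\$\(")

# Endpoint fragment used by the page's SIEM query (assumed, not vendor-confirmed).
PLUGIN_PATH_MARKER = "rac_plugin"

# Extract the request target from a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads such as %2560 are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_param(value: str) -> bool:
    """Workaround-style validator: True only if no metacharacter survives decoding."""
    return META_PATTERN.search(fully_decode(value)) is None


def suspicious_params(url: str):
    """Return [(name, decoded_value, first_matched_token)] for risky query parameters."""
    findings = []
    # parse_qsl splits on '&' first and decodes once; fully_decode handles extra layers.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = fully_decode(value)
        match = META_PATTERN.search(decoded)
        if match:
            findings.append((name, decoded, match.group(0)))
    return findings


def scan_log(lines):
    """Flag requests to the plugin endpoint whose parameters carry metacharacters."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m or PLUGIN_PATH_MARKER not in m.group("target"):
            continue
        for name, decoded, token in suspicious_params(m.group("target")):
            hits.append({"line": lineno, "param": name, "value": decoded, "token": token})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2020:12:00:01 +0800] "GET /rac_plugin?cert=abc123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2020:12:00:02 +0800] "GET /rac_plugin?cert=abc%3Bcalc.exe HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2020:12:00:03 +0800] "GET /rac_plugin?cert=x%26%26whoami HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2020:12:00:04 +0800] "GET /rac_plugin?cert=%2560id%2560 HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Jun/2020:12:00:05 +0800] "GET /search?q=a%7Cb HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: param {hit['param']!r} -> {hit['value']!r} (token {hit['token']!r})")
```

Lines 2, 3 and 4 are flagged (an encoded `;`, an encoded `&&`, and a double-encoded backtick); line 5 carries a `|` but is not a request to the plugin endpoint, so it is ignored, mirroring the scoping in the SIEM query. Adapt `LOG_RE` to your log format and `PLUGIN_PATH_MARKER` to the endpoint path you actually observe.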

🔗 References

  • TWCERT advisory: https://www.twcert.org.tw/tw/cp-132-5695-421a7-1.html
