CVE-2020-13539
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on systems running Win-911 Enterprise V4.20.13 by exploiting weak file system permissions in the installation directory. Attackers can overwrite executables that run with higher privileges, potentially gaining full system control. Only users with local access to affected Win-911 Enterprise installations are impacted.
💻 Affected Systems
- Win-911 Enterprise
📦 What is this software?
Win 911 by Win911
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains SYSTEM/administrator privileges, enabling installation of persistent malware, data theft, and full control over the industrial control system.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional tools, and move laterally within the network.
If Mitigated
Limited impact with proper access controls, file integrity monitoring, and least privilege principles in place.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of the vulnerable directory structure. The vulnerability is straightforward to exploit once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.20.14 or later
Vendor Advisory: https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1150
Restart Required: Yes
Instructions:
1. Download Win-911 Enterprise version 4.20.14 or later from the vendor. 2. Stop the WIN-911 Mobile Runtime service. 3. Install the updated version. 4. Restart the service and verify proper operation.
🔧 Temporary Workarounds
Restrict File System Permissions
windowsManually adjust permissions on the Win-911 installation directory to prevent unauthorized write access.
icacls "C:\Program Files\Win-911 Enterprise" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
Disable Vulnerable Service
windowsStop and disable the WIN-911 Mobile Runtime service if not required for operations.
sc stop "WIN-911 Mobile Runtime"
sc config "WIN-911 Mobile Runtime" start= disabled
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into systems running Win-911 Enterprise.
- Deploy file integrity monitoring on the Win-911 installation directory to detect unauthorized modifications.
🔍 How to Verify
Check if Vulnerable:
Check if Win-911 Enterprise version 4.20.13 is installed and verify file permissions on the installation directory allow write access to non-administrative users.Check Version:
Check the version in Control Panel > Programs and Features or examine the Win-911 application properties.Verify Fix Applied:
Confirm installation of version 4.20.14 or later and verify that only SYSTEM and Administrators have write permissions to the Win-911 directory.📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4663 (File system access) showing unauthorized write attempts to Win-911 directories
- Application logs showing unexpected service restarts or failures
Network Indicators:
- Unusual outbound connections from Win-911 systems following local access events
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Win-911%' AND AccessMask=0x2