CVE-2020-15592
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Windows systems running vulnerable versions of SteelCentral Aternity Agent. By exploiting a directory traversal flaw in plugin loading, attackers can load arbitrary malicious DLLs with SYSTEM-level privileges. Organizations using Aternity Agent versions before 11.0.0.120 on Windows are affected.
💻 Affected Systems
- SteelCentral Aternity Agent
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via privilege escalation to SYSTEM, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local attackers gain administrative privileges on affected systems, allowing them to bypass security controls, install unauthorized software, and access sensitive data.
If Mitigated
With proper access controls and monitoring, impact is limited to individual compromised systems rather than network-wide compromise.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is well-documented with technical details available in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.0.120 or later
Vendor Advisory: https://aternity.force.com/customersuccess/s/article/Recorder-tool-security-notification-mitigation-steps-for-On-Prem
Restart Required: Yes
Instructions:
1. Download Aternity Agent version 11.0.0.120 or later from official Riverbed sources.
2. Deploy the update to all affected Windows systems.
3. Restart systems to complete the installation.
🔧 Temporary Workarounds
Restrict plugin directory permissions
Windows: Set strict permissions on the plugins directory to prevent unauthorized DLL placement
icacls "%PROGRAMFILES(X86)%\Aternity Information Systems\Assistant\plugins" /deny Everyone:(OI)(CI)F
🧯 If You Can't Patch
- Implement strict access controls to limit who can interact with Aternity Agent processes
- Monitor for suspicious DLL loading from the plugins directory using endpoint detection tools
🔍 How to Verify
Check if Vulnerable:
Check the Aternity Agent version in Control Panel > Programs and Features or via the agent interface
Check Version:
wmic product where "name like '%Aternity%'" get version
Verify Fix Applied:
Verify the agent version is 11.0.0.120 or higher and test that directory traversal attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Failed attempts to load DLLs from outside the plugins directory
- Unusual DLL loading events from Aternity processes
Network Indicators:
- Unusual outbound connections from Aternity Agent processes post-exploitation
SIEM Query:
Process Creation where (Image contains 'Aternity' OR ParentImage contains 'Aternity') AND CommandLine contains '.dll' AND CommandLine contains '..'
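Example (added here, not from the vendor or the advisory): a triage script for the log indicators above that resolves each loaded DLL path and flags Aternity processes loading modules that escape the plugins directory or sit outside expected roots. It assumes image-load events with Sysmon Event ID 7 style fields (Image, ImageLoaded); the drive letter, allowed roots, executable name and sample events are constructed for illustration.

```python
import ntpath

# Assumptions: PLUGINS_DIR is the default expansion of the path in the
# workaround above; ALLOWED_ROOTS are typical module locations, tune per host.
PLUGINS_DIR = r"C:\Program Files (x86)\Aternity Information Systems\Assistant\plugins"
ALLOWED_ROOTS = (r"C:\Program Files (x86)\Aternity Information Systems", r"C:\Windows")

def _norm(path):
    """Collapse '..' segments and unify separators and case for comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def _under(resolved, root):
    """True if an already-normalized path sits inside root."""
    return resolved.startswith(_norm(root) + "\\")

def classify_load(event):
    """Return a finding label for a suspicious DLL load, or None."""
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if "aternity" not in image.lower() or not loaded.lower().endswith(".dll"):
        return None
    resolved = _norm(loaded)
    traversal = ".." in loaded.replace("/", "\\").split("\\")
    if traversal and not _under(resolved, PLUGINS_DIR):
        return "traversal-escapes-plugins"
    if not any(_under(resolved, root) for root in ALLOWED_ROOTS):
        return "dll-outside-allowed-roots"
    return None

def scan(events):
    """Return (ImageLoaded, finding) pairs for events that need review."""
    return [(ev["ImageLoaded"], f) for ev in events if (f := classify_load(ev))]

# Constructed sample events; the agent executable name is hypothetical.
AGENT = r"C:\Program Files (x86)\Aternity Information Systems\Assistant\ExampleAgent.exe"
SAMPLE_EVENTS = [
    {"Image": AGENT, "ImageLoaded": PLUGINS_DIR + r"\metrics.dll"},
    {"Image": AGENT, "ImageLoaded": PLUGINS_DIR + r"\..\..\..\..\Users\Public\unexpected.dll"},
    {"Image": AGENT, "ImageLoaded": r"C:\Users\Public\unexpected.dll"},
    {"Image": AGENT, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Users\Public\other.dll"},
]

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_EVENTS):
        print(finding, path)
```

Many image-load sources record an already-resolved path, so the allowed-roots check is the one that fires on such telemetry; the traversal check applies where the requested path is logged as written.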
🔗 References
- https://aternity.force.com/customersuccess/s/article/Recorder-tool-security-notification-mitigation-steps-for-On-Prem
- https://sec-consult.com/en/blog/advisories/privilege-escalation-vulnerability-in-steelcentral-aternity-agent-cve-2020-15592-cve-2020-15593/