CVE-2020-26155

CVSS v3 base score: 7.8 HIGH (local privilege escalation: a low-privileged local account, no user interaction)

📋 TL;DR

In Utimaco SecurityServer 4.20.0.4 and 4.31.1.0 the installed files and folders carry overly permissive ACLs, so an authenticated but non-administrator local user can modify or replace the product's binaries and libraries. Because the installation directory is also placed on the system PATH, those writable files sit on the DLL search path of every process on the host: a low-privileged user can plant a DLL under a name that a privileged process resolves through PATH, and that process then loads and runs the attacker's code at its own privilege level (classic DLL search-order hijacking). The defect is local only; it needs an account on the host, not network access to the HSM.

💻 Affected Systems

Products:
  • Utimaco SecurityServer
Versions: 4.20.0.4 and 4.31.1.0
Operating Systems: Windows (the DLL search-order behaviour the attack relies on is Windows-specific; the CVE describes no Linux vector)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations; the installer itself sets the permissive ACLs. Exploitation requires a local account on the host (non-administrator is enough) and, for the escalation step, a higher-privileged process that resolves a DLL through PATH.

📦 What is this software?

Utimaco SecurityServer is Utimaco's general-purpose hardware security module (HSM) product line (the CryptoServer family). The component this CVE concerns is the host-side software package installed on the Windows servers that use the HSM: administration utilities and the cryptographic provider libraries (PKCS#11, Microsoft CSP/CNG, JCE) that applications link against. The HSM hardware and its firmware are not the subject of this CVE.
⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with a low-privileged account gains SYSTEM or administrator-level code execution on the host that runs the SecurityServer client software. From there they can tamper with the provider libraries and administration tools that talk to the HSM (capturing administrator credentials and PINs, altering requests), use the host's established HSM sessions to perform cryptographic operations with every key that host is entitled to use, and pivot further into the network. The bug does not export keys from the HSM, but for that host's workloads, controlling the client stack is the practical equivalent.

🟠

Likely Case

Local privilege escalation from a standard user to SYSTEM on a SecurityServer host: the attacker plants a DLL in the writable installation directory and waits for a privileged process to resolve it via PATH. The loss of integrity of the HSM client software (tampered providers or tools) is the part most likely to matter for the cryptographic workloads served by that host.

🟢

If Mitigated

Limited impact once the installation tree is writable only by SYSTEM and administrators and the directory is monitored. The unpatched version still ships the permissive defaults, so re-check permissions after any reinstall or repair.

🌐 Internet-Facing: MEDIUM - This is a local vulnerability; exposing the host to the internet does not by itself create a vector. It matters where remote users can already run code on the host (remote desktop, a web application running as a local user), in which case this bug is the escalation step.
🏢 Internal Only: HIGH - Any user who can log on to or run code on the host (including a compromised service account or a phishing foothold) can escalate to SYSTEM and undermine the HSM client stack.

🎯 Exploit Status

Public PoC: ❌ None known
Weaponized: Not publicly; DLL search-order hijacking needs no bespoke tooling
Unauthenticated Exploit: ❌ No (a local account is required)
Complexity: LOW

Exploitation needs a local non-administrator account, the location of the writable installation directory, and the name of a DLL that a privileged process resolves through PATH (failed DLL lookups are visible with standard tools such as Process Monitor). DLL search-order hijacking is a well-documented technique, so the absence of a public PoC offers little protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.20.0.5 and 4.31.1.1 or later

Vendor Advisory: https://hsm.utimaco.com/support/security-advisories/

Restart Required: Yes

Instructions:

1. Download the latest SecurityServer version from the Utimaco support portal.
2. Back up the current configuration.
3. Install the updated version following Utimaco's installation guide.
4. Restart the SecurityServer service (or the host).
5. Verify the permissions on the installation directories after the upgrade; the installer, not the running software, is what sets them.

🔧 Temporary Workarounds

Restrict File Permissions

Applies to: all affected versions

Remove write access for non-administrator principals from the SecurityServer installation tree. Do not add a Deny ACE for Authenticated Users: administrators and SYSTEM are authenticated users too, Deny entries win over Allow entries, and the next upgrade or repair will fail. Replace the ACL instead (the install path below is an assumed example; adjust it to your installation):

Windows: icacls "C:\Program Files\Utimaco\SecurityServer" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX" followed by icacls "C:\Program Files\Utimaco\SecurityServer\*" /reset /T /C so that the subtree inherits the new ACL. If the SecurityServer service runs under a dedicated account that must write logs or state, grant that account write access on that specific subdirectory only.
Linux: not applicable; the CVE concerns the Windows package and the Windows DLL search order.

Remove PATH Entries

Applies to: all affected versions

Take the SecurityServer directory out of the machine-scope PATH so that other processes stop resolving DLLs from it. The SecurityServer binaries themselves still load libraries from their own directory first (the application directory precedes PATH in the search order), so this step only blocks the cross-process hijack; the permission fix is what removes the root cause.

Windows: edit the machine Path value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment (System Properties > Environment Variables, or PowerShell against that registry key). Avoid setx /M PATH "%PATH:C:\Program Files\Utimaco\SecurityServer;=%": %PATH% in a shell is the merged machine plus user value, setx writes that merged string back into the machine variable, and it truncates values at 1024 characters.
Linux: not applicable.
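The two workarounds above as one script. This is an added example, not code from Utimaco or from the advisory: it re-bases the installation tree's ACL with icacls (well-known SIDs, so it works on any locale) and removes the directory from the machine PATH by editing the registry value directly, which avoids the setx pitfalls. The install path is an assumption; run it elevated, and use -DryRun first to see what it would change.

```powershell
# Added example (not Utimaco's code). Applies the two workarounds for CVE-2020-26155:
# 1. restrict the install tree so only SYSTEM and Administrators can write;
# 2. remove the install directory from the machine-scope PATH without truncation,
#    without merging the user PATH into it, and without expanding %SystemRoot% entries.
# $InstallDir is an assumed path; adjust it. Run from an elevated PowerShell.
param(
    [string]$InstallDir = 'C:\Program Files\Utimaco\SecurityServer',
    [switch]$DryRun
)

function Set-RestrictiveAcl {
    param([string]$Dir, [switch]$DryRun)
    # Well-known SIDs: S-1-5-18 SYSTEM, S-1-5-32-544 Administrators, S-1-5-32-545 Users,
    # S-1-5-11 Authenticated Users, S-1-1-0 Everyone, S-1-5-4 INTERACTIVE.
    $rootArgs   = @($Dir, '/inheritance:r', '/grant:r',
                    '*S-1-5-18:(OI)(CI)F', '*S-1-5-32-544:(OI)(CI)F', '*S-1-5-32-545:(OI)(CI)RX')
    $removeArgs = @($Dir, '/remove:g', '*S-1-5-11', '*S-1-1-0', '*S-1-5-4')  # drop stale explicit grants
    $childArgs  = @("$Dir\*", '/reset', '/T', '/C')                          # subtree re-inherits from root
    foreach ($a in @($rootArgs, $removeArgs, $childArgs)) {
        if ($DryRun) { "icacls $($a -join ' ')"; continue }
        & icacls @a | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed: icacls $($a -join ' ')" }
    }
}

function Remove-MachinePathEntry {
    param([string]$Dir, [switch]$DryRun)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    # Read the raw REG_EXPAND_SZ so entries such as %SystemRoot%\system32 are written back unexpanded.
    $raw = (Get-Item -LiteralPath $key).GetValue('Path', '',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $target = $Dir.TrimEnd('\')
    $kept = @(); $dropped = @()
    foreach ($entry in ($raw -split ';')) {
        $n = $entry.Trim()
        if (-not $n) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($n).TrimEnd('\')
        # Drop the install directory and anything beneath it (e.g. a bin subfolder).
        if ($expanded -ieq $target -or $expanded -ilike "$target\*") { $dropped += $n } else { $kept += $n }
    }
    if ($DryRun) { "Would remove from machine PATH: $($dropped -join '; ')"; return $dropped }
    if ($dropped.Count -gt 0) {
        Set-ItemProperty -LiteralPath $key -Name Path -Value ($kept -join ';') -Type ExpandString
    }
    return $dropped
}

if (-not (Test-Path -LiteralPath $InstallDir)) { throw "Install directory not found: $InstallDir" }
Set-RestrictiveAcl -Dir $InstallDir -DryRun:$DryRun
$removed = @(Remove-MachinePathEntry -Dir $InstallDir -DryRun:$DryRun)
"PATH entries removed: $($removed.Count)"
```

The registry edit takes effect for new logon sessions and for processes that re-read the environment; already-running services keep the old PATH until restarted. If SecurityServer tools are launched by bare name from other locations, or a service account needs to write to a subdirectory, add an explicit grant for that subdirectory rather than widening the whole tree again.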

🧯 If You Can't Patch

  • Restrict which accounts can log on to or run code on the SecurityServer host. This is a local-only vulnerability, so interactive logon rights and service accounts on that host are the attack surface, not logins to the HSM itself.
  • Deploy application control (AppLocker or Windows Defender Application Control) with DLL rules, so that only Utimaco-signed libraries can load from the installation directory; executable-only rules do not stop a DLL hijack.

🔍 How to Verify

Check if Vulnerable:

Inspect the ACLs on the installation tree (icacls "<install dir>" /T, or Get-Acl in PowerShell). If Users, Authenticated Users, Everyone or INTERACTIVE hold W, M or F, or any of the CreateFiles, Delete, ChangePermissions or TakeOwnership rights, on the directory or on files beneath it, the host is exposed. Then confirm whether that directory (or a subdirectory of it) appears in the machine-scope PATH.

Check Version:

Windows: read DisplayVersion from the product's entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (or the WOW6432Node counterpart), or check Apps & Features; a vendor key such as HKLM\SOFTWARE\Utimaco\SecurityServer may also carry the version if present. Linux: not applicable.

Verify Fix Applied:

Re-run the ACL check: no low-privilege principal should hold write, delete or permission-change rights anywhere under the installation tree, and the reported version should be one the vendor advisory lists as fixed. Repeat the check after any reinstall or repair, since the installer is what sets the permissions.
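The verification steps above as one audit script, added here as an example (not Utimaco's tooling). It walks the installation tree for Allow ACEs that give low-privilege principals file-creation, delete or permission-change rights, reads the machine-scope PATH, and reads the installed version from the Uninstall registry entries. It goes slightly beyond this CVE by also flagging any other machine-PATH directory writable by low-privilege users, since every such directory is a hijack point. The install path, and the assumption that the product's Uninstall entry contains "Utimaco" in its DisplayName, are the assumptions; adjust them to your host.

```powershell
# Added example (not Utimaco's code): audit a host for the preconditions of CVE-2020-26155.
# $InstallDir is an assumed path; pass the real install location with -InstallDir.
param([string]$InstallDir = 'C:\Program Files\Utimaco\SecurityServer')

# Principals a local non-administrator holds, by well-known SID (names are locale dependent):
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Rights that allow planting, replacing or unlocking a file in the tree.
$DangerousRights = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteBits = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, as surfaced on some inherited ACEs

function Get-LowPrivWriteAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $DangerousRights) -ne 0) -or (($raw -band $GenericWriteBits) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Test-WritableTree {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) { Get-LowPrivWriteAces -Path $item.FullName }
}

function Get-MachinePathEntries {
    # Machine scope only: $env:Path in a shell also contains the user-scope PATH.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim().TrimEnd('\') } | Where-Object { $_ }
}

function Get-UtimacoInstall {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Utimaco*' } |    # assumption: vendor name in DisplayName
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

# --- report ---
$vulnerableVersions = '4.20.0.4', '4.31.1.0'
Get-UtimacoInstall | ForEach-Object {
    $flag = if ($vulnerableVersions -contains $_.DisplayVersion) { 'VULNERABLE VERSION' } else { 'compare with vendor advisory' }
    '{0} {1} ({2}) [{3}]' -f $_.DisplayName, $_.DisplayVersion, $_.InstallLocation, $flag
}

if (Test-Path -LiteralPath $InstallDir) {
    $bad = @(Test-WritableTree -Root $InstallDir)
    "Entries under $InstallDir writable by low-privilege principals: $($bad.Count)"
    $bad | Format-Table -AutoSize
} else {
    "Install directory not found: $InstallDir (adjust -InstallDir)"
}

$target = $InstallDir.TrimEnd('\')
$pathEntries = Get-MachinePathEntries
$onPath = @($pathEntries | Where-Object { $_ -ieq $target -or $_ -ilike "$target\*" })
"SecurityServer directories on the machine PATH: $($onPath.Count)"
$onPath

# Generalisation: any machine-PATH directory writable by low-privilege users is a hijack point.
'Other machine-PATH directories writable by low-privilege principals:'
$pathEntries | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-LowPrivWriteAces -Path $_ } | Format-Table -AutoSize
```

A host is exposed when both lists are non-empty: writable entries under the install tree and that directory on the machine PATH. A writable tree alone still lets a low-privilege user tamper with the HSM client libraries that other users on the host load, so treat it as a finding even when the PATH entry is absent.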

📡 Detection & Monitoring

Log Indicators:

  • File creation or modification under the SecurityServer installation tree by any process other than the installer (Sysmon Event ID 11, or Security Event ID 4663 with a write SACL on the directory)
  • DLL loads from the installation directory that are unsigned or not signed by Utimaco, especially into SYSTEM or service processes (Sysmon Event ID 7)
  • Processes started from the installation tree that are not Utimaco tools, or Utimaco tools started by unexpected users (Sysmon Event ID 1, Security Event ID 4688)
  • Permission changes on the installation tree (Security Event ID 4670 with a SACL); an added Deny or a removed ACE is as interesting as a failed attempt

Network Indicators:

  • Unusual logons to the SecurityServer host (Security Event IDs 4624/4625 from unexpected accounts or sources); the host, not the HSM, is where this bug is exploited
  • Unexpected outbound connections from the SecurityServer host after a privileged process has loaded a library from the installation directory

SIEM Query:

index=sysmon (EventCode=11 TargetFilename="C:\\Program Files\\Utimaco\\*" NOT Image="*\\msiexec.exe") OR (EventCode=7 ImageLoaded="C:\\Program Files\\Utimaco\\*" NOT Signature="*Utimaco*")

Field names follow the common Sysmon add-on conventions and the install path and signer string are assumptions; adapt both to your SIEM and installation. The original log source name securityserver.log does not correspond to a Windows event channel, so anchor the query on Sysmon or Security events instead.
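The same detection logic as code, added here as an example (not from the page or from Utimaco). An exploitation attempt must do two observable things on the host: write into the installation tree (Sysmon Event ID 11, FileCreate) and get a privileged process to load a DLL from it (Sysmon Event ID 7, ImageLoad). The script flattens Sysmon records, applies both rules, and can run either against live events or against the constructed sample at the bottom. The install path, the set of installer images allowed to write, and the expected signer substring are assumptions.

```powershell
# Added example (not Utimaco's code): detection rules for CVE-2020-26155 exploitation attempts
# over Sysmon events. $InstallDir, $ExpectedSigner and $ExpectedWriters are assumptions.
param([string]$InstallDir = 'C:\Program Files\Utimaco\SecurityServer')

$ExpectedSigner  = 'Utimaco'                          # assumption: substring of the Authenticode signer
$ExpectedWriters = @('msiexec.exe', 'setup.exe')      # assumption: installer images allowed to write

function ConvertFrom-SysmonEvent {
    # Flatten an EventRecord from Get-WinEvent into the fields the rules need.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Id = $Event.Id; Time = $Event.TimeCreated
        Image = $data['Image']; TargetFilename = $data['TargetFilename']
        ImageLoaded = $data['ImageLoaded']; Signed = $data['Signed']
        Signature = $data['Signature']; User = $data['User']
    }
}

function Find-HijackIndicators {
    param([object[]]$Events, [string]$Dir)
    $prefix = $Dir.TrimEnd('\') + '\'
    foreach ($e in $Events) {
        switch ($e.Id) {
            11 {  # FileCreate inside the install tree by anything other than the installer
                if ($e.TargetFilename -and $e.TargetFilename.StartsWith($prefix, 'OrdinalIgnoreCase')) {
                    $writer = [IO.Path]::GetFileName($e.Image)
                    if ($ExpectedWriters -notcontains $writer) {
                        [pscustomobject]@{ Time = $e.Time; Rule = 'WriteToInstallDir'; User = $e.User; Image = $e.Image; Target = $e.TargetFilename }
                    }
                }
            }
            7 {   # ImageLoad of an unsigned or foreign-signed DLL from the install tree
                if ($e.ImageLoaded -and $e.ImageLoaded.StartsWith($prefix, 'OrdinalIgnoreCase')) {
                    $untrusted = ($e.Signed -ne 'true') -or ($e.Signature -notlike "*$ExpectedSigner*")
                    if ($untrusted) {
                        [pscustomobject]@{ Time = $e.Time; Rule = 'UntrustedDllFromInstallDir'; User = $e.User; Image = $e.Image; Target = $e.ImageLoaded }
                    }
                }
            }
        }
    }
}

function Get-LiveIndicators {
    # Query the local Sysmon channel for the last $Hours hours and apply the rules.
    param([string]$Dir, [int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7, 11; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-SysmonEvent $_ }
    Find-HijackIndicators -Events @($events) -Dir $Dir
}

# Constructed sample events (not real telemetry) so the rules can be exercised offline.
$sample = @(
    [pscustomobject]@{ Id = 11; Time = '2020-11-10T09:12:01'; User = 'CORP\jdoe'; Image = 'C:\Windows\explorer.exe'
                       TargetFilename = "$InstallDir\bin\version.dll"; ImageLoaded = $null; Signed = $null; Signature = $null },
    [pscustomobject]@{ Id = 11; Time = '2020-11-10T09:20:00'; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\msiexec.exe'
                       TargetFilename = "$InstallDir\bin\vendor.dll"; ImageLoaded = $null; Signed = $null; Signature = $null },
    [pscustomobject]@{ Id = 7;  Time = '2020-11-10T09:13:30'; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\svchost.exe'
                       ImageLoaded = "$InstallDir\bin\version.dll"; Signed = 'false'; Signature = ''; TargetFilename = $null }
)
Find-HijackIndicators -Events $sample -Dir $InstallDir | Format-Table -AutoSize
```

Against the constructed sample, the explorer.exe write by CORP\jdoe and the unsigned version.dll load into a SYSTEM svchost.exe fire; the msiexec.exe write does not. Sysmon must be configured to log ImageLoad events for the installation directory (Event ID 7 is off by default in most configurations), and the User field on FileCreate events requires a recent Sysmon version. Run Get-LiveIndicators -Dir $InstallDir on a host to apply the rules to real telemetry.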

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-26155
  • Utimaco security advisories: https://hsm.utimaco.com/support/security-advisories/