CVE-2020-27383

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in the Battle.net launcher where authenticated users can replace the Battle.net.exe file with malicious code. The vulnerability exists because the executable file grants 'Full Control' permissions to the 'Authenticated Users' group. Any Windows system running the vulnerable Battle.net launcher with standard user accounts is affected.

💻 Affected Systems

Products:
  • Battle.net Launcher
Versions: 1.27.1.12428 and likely earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Battle.net launcher installation with default permissions. The vulnerability is in the file permissions, not the application code itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could replace Battle.net.exe with malware that runs with elevated privileges, potentially gaining full system control, installing persistent backdoors, or accessing sensitive data.

🟠 Likely Case

Malicious users on shared systems could escalate privileges to install unauthorized software, modify system settings, or access other users' data.

🟢 If Mitigated

With proper file permissions and user account controls, impact is limited to the user's own account scope without privilege escalation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access to the system.
🏢 Internal Only: HIGH - Shared workstations, gaming cafes, or corporate systems with Battle.net installed are vulnerable to privilege escalation attacks from authenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access and involves simple file replacement operations. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions of Battle.net launcher (check for updates)

Vendor Advisory: Not publicly documented by Blizzard

Restart Required: Yes

Instructions:

1. Open Battle.net launcher
2. Click on Battle.net menu
3. Select 'Check for Updates'
4. Apply any available updates
5. Restart the launcher

🔧 Temporary Workarounds

Modify File Permissions

Platform: Windows

Remove 'Full Control' permissions for Authenticated Users group on Battle.net.exe

icacls "C:\Program Files (x86)\Battle.net\Battle.net.exe" /remove "Authenticated Users"

Restrict User Access

Platform: Windows

Limit Battle.net installation to trusted user accounts only

🧯 If You Can't Patch

  • Remove 'Authenticated Users' group permissions from Battle.net.exe file
  • Restrict Battle.net installation to systems where all users are fully trusted

🔍 How to Verify

Check if Vulnerable:

Check the Battle.net.exe file permissions by running icacls "C:\Program Files (x86)\Battle.net\Battle.net.exe" and look for 'Authenticated Users:(F)' in the output.

Check Version:

Check Battle.net launcher version in Settings > About or examine file properties

Verify Fix Applied:

Verify Authenticated Users group no longer has Full Control permissions on Battle.net.exe
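
The permission check above can be scripted for repeated use. The following PowerShell is an added example, not code from the original page or from Blizzard; it goes beyond the single icacls check by also inspecting the parent folder and other broad groups. The function name Get-RiskyAce and the selection of groups and rights are assumptions of this example.

```powershell
# Added example, not vendor code. Default install path as shown on this page.
param([string]$Exe = 'C:\Program Files (x86)\Battle.net\Battle.net.exe')
$ErrorActionPreference = 'Stop'

# Broad principals, matched by well-known SID so localized group names still match.
$BroadSids = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow replacing the file or rewriting its ACL. On a folder,
# WriteData/AppendData are the same bits as CreateFiles/CreateDirectories.
$RiskyMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry the raw GENERIC_ALL (0x10000000) and
# GENERIC_WRITE (0x40000000) bits instead of file-specific rights.
$RiskyMask = $RiskyMask -bor 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # $true, $true = include explicit and inherited ACEs; identities come back as SIDs.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $RiskyMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The folder matters too: write or delete-child rights there allow swapping the file.
$findings = @($Exe, (Split-Path -Parent $Exe)) | ForEach-Object { Get-RiskyAce -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero exit so a scheduled compliance job can flag the host
}
Write-Output "No write-capable ACEs for broad groups on $Exe or its folder."
```

A finding with Inherited = True comes from the parent folder's ACL, so it has to be corrected there; removing the entry on the file alone does not clear it.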

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4663 (File system access) for Battle.net.exe modifications
  • Unexpected process creation from Battle.net.exe location

Network Indicators:

  • Unusual network connections originating from Battle.net.exe process

SIEM Query:

EventID=4663 AND ObjectName="*Battle.net.exe" AND AccessMask=0x1F01FF
