CVE-2021-3394
📋 TL;DR
CVE-2021-3394 is a local privilege escalation vulnerability in Millennium Millewin (Cartella clinica) software due to insecure folder permissions. An authenticated local attacker can exploit this to gain SYSTEM-level privileges on Windows systems. This affects healthcare organizations using vulnerable versions of the medical records software.
💻 Affected Systems
- Millennium Millewin
- Cartella clinica
📦 What is this software?
Millewin by Millewin
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of malware, data theft, or ransomware deployment across the healthcare network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive patient medical records and administrative functions within the healthcare system.
If Mitigated
Limited to standard user privileges with proper access controls, preventing escalation to SYSTEM-level access.
🎯 Exploit Status
Exploit requires local authenticated access. Public exploit code available on Exploit-DB and Packet Storm.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact vendor for patched version
Vendor Advisory: No public vendor advisory found
Restart Required: Yes
Instructions:
1. Contact Millennium/Millewin vendor for security patches
2. Apply patches to all affected systems
3. Restart systems after patch application
4. Verify folder permissions are properly secured
🔧 Temporary Workarounds
Secure Folder Permissions
Windows: manually adjust folder permissions to restrict write access to the installation directory
icacls "C:\Program Files\Millewin" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
Quote Service Paths
Windows: ensure all service paths are properly quoted in the Windows registry
sc config "MillewinService" binPath= "\"C:\Program Files\Millewin\service.exe\""
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles for all user accounts
- Monitor for suspicious file creation in Millewin installation directories and service-related activities
🔍 How to Verify
Check if Vulnerable:
- Check whether the Millewin service path is unquoted: sc qc "MillewinService" | findstr BINARY_PATH_NAME
- Check folder permissions: icacls "C:\Program Files\Millewin"
Check Version:
Check software version in About dialog or installation directory properties
Verify Fix Applied:
Verify service paths are quoted and folder permissions restrict write access to authorized users only
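The two checks above (unquoted service path, writable install directory) can be scripted across every service on a host rather than just the one named in the advisory. The following PowerShell audit is an added example, not part of this advisory or of the vendor's tooling; the list of broad principals and the write-rights mask it tests against are assumptions chosen for illustration.

```powershell
# Added example (not from the advisory): audit all Windows services for the two
# conditions CVE-2021-3394 combines: an unquoted ImagePath containing spaces, and
# an install directory whose ACL grants write/modify rights to broad principals.
# Run from an elevated prompt. Nothing here is hard-coded to Millewin.

# Assumption: these principals count as "non-administrative" for this audit.
$weakPrincipals = @('BUILTIN\Users', 'Everyone',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-UnquotedServicePath {
    param([string]$PathName)
    # Vulnerable shape: no leading quote, and at least one space before the .exe
    return [bool]($PathName -match '^\s*(?!")[^"]*?\s[^"]*?\.exe')
}

function Get-WeakWriteAces {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
}

function Invoke-ServiceAudit {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        # Recover the executable path: quoted form first, else up to the .exe
        if     ($svc.PathName -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
        else { return }
        $dir  = Split-Path -Path $exe -Parent
        $weak = @()
        if (Test-Path -LiteralPath $dir) { $weak = @(Get-WeakWriteAces $dir) }
        $unquoted = Test-UnquotedServicePath $svc.PathName
        if ($unquoted -or $weak.Count -gt 0) {
            [pscustomobject]@{
                Service       = $svc.Name
                RunsAs        = $svc.StartName
                UnquotedPath  = $unquoted
                Directory     = $dir
                WeakWriteAces = ($weak | ForEach-Object {
                    "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

Invoke-ServiceAudit | Format-Table -AutoSize
```

A service running as LocalSystem that appears in this output with either column set is the condition the workarounds above (icacls, sc config binPath=) are meant to close; re-run the audit after applying them to confirm it no longer lists the service.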
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (Process Creation) showing execution from Millewin directories with SYSTEM privileges
- Unexpected file creation in Millewin installation folders
Network Indicators:
- No specific network indicators as this is local privilege escalation
SIEM Query:
source="windows" AND ((event_id=4688 AND process_path="*Millewin*" AND user="SYSTEM") OR (event_id=4663 AND object_name="*Millewin*" AND access_mask="0x2"))
🔗 References
- http://packetstormsecurity.com/files/161334/Millewin-13.39.028-Unquoted-Service-Path-Insecure-Permissions.html
- https://www.exploit-db.com/exploits/49530