CVE-2021-35508
📋 TL;DR
CVE-2021-35508 is a privilege escalation vulnerability in TeraRecon AQNetClient's NMSAccess32.exe service that allows low-privileged users to execute arbitrary binaries with SYSTEM privileges. Attackers can exploit this by modifying the service configuration or overwriting the binary. This affects organizations using vulnerable versions of TeraRecon AQNetClient.
💻 Affected Systems
- TeraRecon AQNetClient
📦 What is this software?
AquariusNET by TeraRecon
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to complete control over the affected system, data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Privilege escalation from low-privileged user to SYSTEM, enabling installation of malware, persistence mechanisms, or credential harvesting.
If Mitigated
Limited impact if proper access controls prevent low-privileged users from modifying service configurations or binaries.
🎯 Exploit Status
Exploitation requires authenticated low-privileged access and involves simple service manipulation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.14 or later
Vendor Advisory: https://terarecon.sharefile.com/d-s05c8b7792f354a2d8115789a02449c4a
Restart Required: Yes
Instructions:
1. Download the latest version from TeraRecon.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict Service Permissions
Modify Windows service permissions to prevent low-privileged users from changing the NMSAccess32 service configuration.
sc sdset NMSAccess32 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
Remove Low-Privileged Access
Ensure only authorized administrators have access to systems running AQNetClient.
🧯 If You Can't Patch
- Implement strict access controls to prevent low-privileged users from accessing systems with AQNetClient.
- Monitor for unauthorized service configuration changes using Windows Event Logs.
🔍 How to Verify
Check if Vulnerable:
Check the AQNetClient version in Control Panel > Programs and Features. If the version is 4.4.13 or earlier, the system is vulnerable.
Check Version:
wmic product where name="AQNetClient" get version
Verify Fix Applied:
Verify the installed version is 4.4.14 or later and check service permissions using 'sc qc NMSAccess32'.
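To check that the `sc sdset` workaround above actually took effect, the service's security descriptor can be audited offline. The following is an added example, not part of the advisory: it parses the SDDL string that `sc sdshow NMSAccess32` prints (the same format `sc sdset` writes) and flags allow ACEs that grant low-privileged principals rights capable of re-pointing or replacing the service; the weak descriptor is constructed for illustration.

```python
"""Audit a Windows service DACL for rights that let non-admins hijack the service.

Added example, not part of the advisory. Input is the SDDL string that
`sc sdshow NMSAccess32` prints (the same format the `sc sdset` workaround writes).
Constructed sample descriptors are embedded below so the script runs offline.
"""
import re

# SDDL access-right tokens for services and their bit values (Win32 SERVICE_* and standard rights).
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
              "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
              "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Rights that allow re-pointing binPath (DC), rewriting the ACL (WD), taking ownership (WO),
# deleting/re-creating the service (SD), or generic write/all.
DANGEROUS = {"DC", "WD", "WO", "SD", "GA", "GW"}
# Trustees that denote low-privileged or "everyone" principals (aliases and well-known SIDs).
LOW_PRIV = {"IU": "Interactive Users", "AU": "Authenticated Users", "BU": "Users",
            "WD": "Everyone", "SU": "Service Logon", "S-1-1-0": "Everyone",
            "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users", "S-1-5-4": "Interactive Users"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_tokens(field):
    """Expand an ACE rights field (two-letter tokens or 0x hex mask) into a set of tokens."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {tok for tok, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) tuples from the D: section, ignoring any S: SACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for body in ACE_RE.findall(dacl):
        f = body.split(";")          # type;flags;rights;object_guid;inherit_guid;sid
        if len(f) >= 6:
            aces.append((f[0], rights_tokens(f[2]), f[5]))
    return aces

def audit_service_sddl(sddl):
    """Return [(trustee name, [dangerous rights])] for allow ACEs granted to low-privileged trustees."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        bad = sorted(rights & DANGEROUS)
        if ace_type == "A" and trustee in LOW_PRIV and bad:
            findings.append((LOW_PRIV[trustee], bad))
    return findings

# Descriptor applied by the advisory's `sc sdset` workaround: IU/SU get read-only rights.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Constructed weak descriptor: Interactive Users additionally hold DC (SERVICE_CHANGE_CONFIG).
WEAK = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

if __name__ == "__main__":
    for label, sd in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_service_sddl(sd) or "OK: no low-privileged write rights")
```

Any non-empty result means a low-privileged principal can still alter the service; an empty result for the descriptor the workaround writes confirms the ACL matches the intended restriction.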
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 7045: Service configuration changed for NMSAccess32
- Unexpected service stops/starts for NMSAccess32
- Unauthorized file modifications to NMSAccess32.exe
Network Indicators:
- Unusual outbound connections from the AQNetClient system following service manipulation
SIEM Query:
EventID=7045 AND ServiceName="NMSAccess32" | stats count by host
🔗 References
- https://terarecon.sharefile.com/d-s05c8b7792f354a2d8115789a02449c4a
- https://www.linkedin.com/pulse/cve-2021-35508-privilege-escalation-via-weak-windows-marshall-mba