CVE-2021-40396
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Advantech DeviceOn/iService 1.1.7 where an attacker can replace system files with malicious ones to gain SYSTEM-level privileges. It affects systems running the vulnerable version of this industrial software. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Advantech DeviceOn/iService
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local attackers gain SYSTEM privileges to install backdoors, disable security controls, or access sensitive system resources.
If Mitigated
Limited impact with proper file integrity monitoring, least privilege access controls, and network segmentation in place.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained. The Talos report provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version beyond 1.1.7 (check Advantech for specific fixed version)
Vendor Advisory: https://www.advantech.com/support
Restart Required: Yes
Instructions:
1. Check current DeviceOn/iService version
2. Download latest version from Advantech support portal
3. Backup configuration and data
4. Install updated version
5. Restart system
6. Verify installation and functionality
🔧 Temporary Workarounds
Restrict file permissions
Windows: Apply strict file system permissions so that non-administrative users cannot replace files in the installation directories. Test on a non-production host first: if the DeviceOn/iService service runs under an account other than SYSTEM, that account also needs read and execute rights on the directory, or the service will fail to start.
icacls "C:\Program Files\Advantech\DeviceOn" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(DE,DC)"
Application whitelisting
Windows: Implement application control policies (for example AppLocker or Windows Defender Application Control) to prevent execution of unauthorized binaries, including replaced copies of the product's own executables.
🧯 If You Can't Patch
- Implement strict access controls to limit who can access systems running DeviceOn/iService
- Deploy file integrity monitoring to detect unauthorized file modifications in installation directories
🔍 How to Verify
Check if Vulnerable:
Check installed version of Advantech DeviceOn/iService - if version is 1.1.7, system is vulnerable
Check Version:
Check the program files directory or use 'wmic product get name,version' to find the Advantech DeviceOn/iService version. Note that 'wmic product' queries Win32_Product, which is slow and triggers a consistency check of every MSI-installed product; on a production host, prefer the product's own console or the Uninstall entries in the registry.
Verify Fix Applied:
Confirm that the installed version is later than 1.1.7 and that a standard (non-administrative) user account cannot replace files in the installation directories.
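The following is an added example, not part of this advisory or of Advantech's tooling. It parses the column-aligned output of the 'wmic product get name,version' command suggested under Check Version and classifies the version it finds against the one version the advisory names (1.1.7). The sample output is constructed, and the product-name match ("DeviceOn" appearing in the name) is an assumption.

```python
"""Check an Advantech DeviceOn/iService version against CVE-2021-40396.

Added example, not from the advisory. Parses `wmic product get name,version`
output and classifies the version found. Sample output is constructed.
"""
import re

AFFECTED_VERSION = (1, 1, 7)   # the only version the advisory names


def _row(name, version, width=40):
    """Mimic wmic's space-padded, fixed-width columns and CR CR LF line ends."""
    return name.ljust(width) + version.ljust(12) + "\r\r\n"


# Constructed sample: header line, then one row per installed product.
SAMPLE_WMIC_OUTPUT = (
    _row("Name", "Version")
    + _row("Microsoft Visual C++ 2015 Runtime", "14.0.23026")
    + _row("Advantech DeviceOn/iService", "1.1.7")
    + _row("7-Zip 19.00 (x64 edition)", "19.00.00.0")
)


def parse_wmic_products(text):
    """Return {product name: version string} from wmic's listing.

    Product names may contain spaces, so the split point is taken from
    where the 'Version' header starts rather than from whitespace.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    version_col = header.index("Version")
    products = {}
    for row in rows:
        name = row[:version_col].strip()
        version = row[version_col:].strip()
        if name:
            products[name] = version
    return products


def version_tuple(version):
    """'1.1.7' -> (1, 1, 7). Trailing zero components are dropped so that
    '1.1.7.0' compares equal to '1.1.7'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def classify(products):
    """Classify the DeviceOn/iService install found in `products`."""
    for name, version in products.items():
        if "deviceon" in name.lower():          # assumed product-name match
            found = version_tuple(version)
            if found == AFFECTED_VERSION:
                return "vulnerable"
            if found > AFFECTED_VERSION:
                return "fixed"
            # The advisory only names 1.1.7; earlier builds are unverified.
            return "older than 1.1.7: confirm status with Advantech"
    return "not installed"


if __name__ == "__main__":
    print(classify(parse_wmic_products(SAMPLE_WMIC_OUTPUT)))
```

Feed the function the saved output of the wmic command from the host being checked; the version comparison is tuple-wise, so a later minor or major release also reports as fixed.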
📡 Detection & Monitoring
Log Indicators:
- Windows Security event log entries (Event ID 4663) showing writes, deletions or permission changes under the Advantech installation directories; these events are only generated when the Audit File System subcategory is enabled and a SACL is set on the directory
- Application logs showing unexpected file modifications
Network Indicators:
- Unusual outbound connections from DeviceOn/iService host after exploitation
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Advantech%DeviceOn%' AND (Accesses='WRITE_DAC' OR Accesses='WRITE_OWNER')
The parentheses are required: without them the trailing OR binds last and the rule fires on every WRITE_OWNER event on the host, regardless of path.
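The following is an added example, not part of this advisory. It runs the SIEM logic above over constructed Event ID 4663 records (dicts with the fields a SIEM typically extracts) and contrasts the corrected, parenthesised logic with the unparenthesised form. It goes slightly beyond the advisory's query in two ways, both noted in the code: it also treats DELETE and WriteData/AddFile rights as interesting, since replacing a file requires them, and it optionally ignores SYSTEM as the acting account to cut noise from the product's own log writes. The install path is taken from the icacls command above; file names under it are placeholders.

```python
"""Run the advisory's SIEM logic over Security event records.

Added example, not from the advisory. Records are constructed dicts shaped
like the fields a SIEM extracts from Windows Event ID 4663 (file access).
"""

INSTALL_DIR = r"C:\Program Files\Advantech\DeviceOn"   # from the advisory's icacls line

# Access-mask bits as Windows records them in 4663 (documented values).
# The advisory's query names only WRITE_DAC and WRITE_OWNER; DELETE and
# WriteData/AddFile are added here because a file replacement needs them.
ACCESS_BITS = {
    "WriteData/AddFile": 0x2,
    "DELETE": 0x10000,
    "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000,
}

# Constructed sample events; user names and file names are placeholders.
EVENTS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM",
     "ObjectName": INSTALL_DIR + r"\logs\service.log", "AccessMask": 0x2},
    {"EventID": 4663, "SubjectUserName": "jsmith",
     "ObjectName": INSTALL_DIR + r"\bin\placeholder_service.exe",
     "AccessMask": 0x10000 | 0x2},            # delete + write: a replacement
    {"EventID": 4663, "SubjectUserName": "jsmith",
     "ObjectName": INSTALL_DIR + r"\bin\placeholder_service.exe",
     "AccessMask": 0x40000},                  # WRITE_DAC: ACL tampering
    {"EventID": 4663, "SubjectUserName": "jsmith",
     "ObjectName": r"C:\Users\jsmith\Documents\notes.txt",
     "AccessMask": 0x80000},                  # WRITE_OWNER on an unrelated path
    {"EventID": 4656, "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\Windows\Temp\x.tmp", "AccessMask": 0x80000},
]


def decode_access(mask):
    """Names of the interesting rights set in a 4663 AccessMask."""
    return [name for name, bit in ACCESS_BITS.items() if mask & bit]


def in_install_dir(path):
    return path.lower().startswith(INSTALL_DIR.lower() + "\\")


def strict_match(ev, ignore_subjects=("SYSTEM",)):
    """Corrected logic: event id, path AND access must all hold."""
    return (ev.get("EventID") == 4663
            and in_install_dir(ev.get("ObjectName", ""))
            and bool(decode_access(ev.get("AccessMask", 0)))
            and ev.get("SubjectUserName") not in ignore_subjects)


def naive_match(ev):
    """The query as written without parentheses, 'A AND B AND C OR D':
    the trailing OR binds last, so any WRITE_OWNER event anywhere fires."""
    mask = ev.get("AccessMask", 0)
    return (ev.get("EventID") == 4663
            and "deviceon" in ev.get("ObjectName", "").lower()
            and bool(mask & ACCESS_BITS["WRITE_DAC"])) \
        or bool(mask & ACCESS_BITS["WRITE_OWNER"])


def find_suspicious(events, matcher=strict_match):
    """Return one alert dict per event the matcher accepts."""
    return [
        {"user": ev.get("SubjectUserName"),
         "object": ev.get("ObjectName"),
         "access": decode_access(ev.get("AccessMask", 0))}
        for ev in events if matcher(ev)
    ]


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```

With the corrected logic only the two accesses by the non-system user inside the installation directory are reported; the unparenthesised form additionally fires on the WRITE_OWNER events outside the product's directory, which is the false-positive source the parentheses remove.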