CVE-2021-47859
📋 TL;DR
CVE-2021-47859 is an unquoted service path vulnerability in ActivIdentity 8.2's ac.sharedstore service that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to achieve privilege escalation. This affects systems running vulnerable versions of ActivIdentity software.
💻 Affected Systems
- ActivIdentity
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via local privilege escalation to SYSTEM/administrator level, enabling persistence, lateral movement, and complete control of the affected system.
Likely Case
Local privilege escalation allowing attackers to gain administrative privileges on the compromised system, potentially leading to credential theft and further network access.
If Mitigated
Limited impact with proper access controls, monitoring, and restricted user permissions preventing local code execution.
🎯 Exploit Status
Exploitation requires local access and ability to write to the service path directory. Proof of concept is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with HID Global for updated versions
Vendor Advisory: https://www.hidglobal.com/
Restart Required: Yes
Instructions:
1. Contact HID Global for patch information.
2. Apply the official patch.
3. Restart affected systems.
4. Verify the service path is properly quoted.
🔧 Temporary Workarounds
Quote Service Path
Windows: Manually edit the service configuration to quote the binary path
sc config "ac.sharedstore" binPath= "\"C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe\""
Restrict Directory Permissions
Windows: Remove write permissions for non-administrative users on the ActivIdentity directory and parent directories
icacls "C:\Program Files\Common Files\ActivIdentity" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local access to affected systems
- Monitor for suspicious file creation in C:\Program Files\Common Files\ActivIdentity\ and parent directories
🔍 How to Verify
Check if Vulnerable:
Check if the ac.sharedstore service path is unquoted: sc qc "ac.sharedstore" | findstr BINARY_PATH_NAME
Check Version:
Check ActivIdentity version through control panel or registry: reg query "HKLM\SOFTWARE\ActivIdentity" /v Version
Verify Fix Applied:
Verify the service path is quoted and directory permissions are restricted: sc qc "ac.sharedstore" and icacls "C:\Program Files\Common Files\ActivIdentity"
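The two verification checks above, combined into one PowerShell audit. This is an added example, not code from this page's source or from HID Global; the function names are illustrative, and it goes beyond ac.sharedstore by accepting any service name pattern.

```powershell
# Added example for auditing; function names are illustrative, not vendor tooling.
function Get-ServiceExePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Executable portion of a service binary path, without quotes or arguments.
    if ($PathName.Trim() -match '^"([^"]+)"' -or
        $PathName.Trim() -match '^(.+?\.exe)(?=\s|$)') { return $Matches[1] }
}

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Ambiguous only when the path is not quoted AND the executable path has a space.
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    $exe = Get-ServiceExePath $PathName
    return [bool]($exe -and $exe.Contains(' '))
}

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Directory)
    # Allow ACEs carrying any write bit for principals other than the built-in
    # privileged ones. Generic-rights ACEs are not decoded; confirm with icacls.
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $write) -and
            "$($_.IdentityReference)" -notmatch 'Administrators|SYSTEM|TrustedInstaller'
        }
}

function Get-ServicePathAudit {
    param([string]$Name = '*')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $Name -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceExePath $_.PathName
            if (-not $exe) { return }   # skip paths this parser cannot split
            [pscustomobject]@{
                Name       = $_.Name
                PathName   = $_.PathName
                Unquoted   = Test-UnquotedServicePath $_.PathName
                WritableBy = (Get-NonAdminWriteAce (Split-Path -Parent $exe)).IdentityReference -join ', '
            }
        }
}

# Constructed sample strings: the path from the workaround above, unquoted then quoted.
'C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe',
'"C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe"' |
    ForEach-Object { '{0,-5} {1}' -f (Test-UnquotedServicePath $_), $_ }
```

On a host with the software installed, `Get-ServicePathAudit -Name 'ac.sharedstore' | Format-List` reports the live service; a fixed system shows `Unquoted` as False and an empty `WritableBy`.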
📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts of ac.sharedstore
- File creation events in C:\Program Files\Common Files\ActivIdentity\ directory
Network Indicators:
- Unusual outbound connections from systems running ActivIdentity
SIEM Query:
EventID=4688 AND (NewProcessName="*ActivIdentity*" OR CommandLine="*ac.sharedstore*")