CVE-2023-6631

7.8 HIGH

📋 TL;DR

This vulnerability in PowerSYSTEM Center allows a local user with existing system access to escalate privileges by inserting malicious code into an unquoted service path. It affects versions 2020 Update 16 and earlier. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • PowerSYSTEM Center
Versions: 2020 Update 16 and all prior versions
Operating Systems: Windows (based on service path vulnerability)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local user access to the system running PowerSYSTEM Center. The vulnerability is in how service paths are handled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access gains full SYSTEM/administrator privileges, enabling complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Malicious insider or compromised user account escalates privileges to install persistent backdoors, steal credentials, or disable security controls.

🟢

If Mitigated

With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - This requires local system access, not remote exploitation.
🏢 Internal Only: HIGH - Any compromised local account or malicious insider can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and knowledge of unquoted service path techniques. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020 Update 17 or later (check vendor advisory for exact version)

Vendor Advisory: https://subnet.com/contact/

Restart Required: Yes

Instructions:

1. Download the latest PowerSYSTEM Center update from the vendor.
2. Apply the patch following vendor instructions.
3. Restart the PowerSYSTEM Center service and verify functionality.

🔧 Temporary Workarounds

Quote Service Path

windows

Manually modify the service path so the executable path is wrapped in quotes. The inner quotes must be escaped for sc, and the space after binPath= is required:

sc config "ServiceName" binPath= "\"C:\Path\To\Executable.exe\" arguments"

Restrict Local Access

all

Limit local user access to systems running PowerSYSTEM Center

🧯 If You Can't Patch

  • Implement strict least privilege access controls to limit who has local access to affected systems
  • Enable detailed auditing and monitoring of service creation/modification events and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the PowerSYSTEM Center version - if it is 2020 Update 16 or earlier, the system is vulnerable. Also check the service's configured path for missing quotes (sc query does not print the path; sc qc does): sc qc "ServiceName" | findstr BINARY_PATH_NAME

Check Version:

Check PowerSYSTEM Center application version through its interface or installation directory

Verify Fix Applied:

Verify PowerSYSTEM Center version is 2020 Update 17 or later. Check that service paths are properly quoted.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4697 (Service creation)
  • Unexpected service modifications
  • Privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from PowerSYSTEM Center server
  • Lateral movement attempts from the affected system

SIEM Query:

Pseudo-query; adapt the field names to your SIEM (in Event ID 4697 the path field is "Service File Name"):

source="Windows Security" EventID=4697 | where ServiceName contains "PowerSYSTEM" OR ServiceFileName matches regex "^[^\"]\S* .*\.exe"
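The "How to Verify" and SIEM checks above both reduce to the same test: is the service executable path unquoted while containing a space? The following added example (not part of this advisory or the vendor's software) implements that test over constructed ImagePath values and produces the corrected binPath= value for each flagged service; the service names and paths are made up for illustration.

```python
from __future__ import annotations
import re

# Constructed sample of service ImagePath values, as found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Not real data.
SAMPLE_SERVICES = {
    "QuotedOk":       r'"C:\Program Files\Vendor\PSC Service\pscsvc.exe" -run',
    "NoSpacesOk":     r"C:\Windows\System32\svchost.exe -k netsvcs",
    "UnquotedArgs":   r"C:\Program Files\Vendor\PSC Service\pscsvc.exe -run",
    "UnquotedNoArgs": r"C:\Program Files (x86)\Example Tool\tool.exe",
    "EnvVarOk":       r"%SystemRoot%\system32\drivers\example.sys",
}

# Executable portion: shortest prefix ending in a binary extension that is
# followed by whitespace or end of string. This is the same ambiguity the
# Windows service loader faces, which is why unquoted paths are a problem.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll|bat|cmd))(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path: str) -> tuple[str, str] | None:
    """Return (exe_path, args) for an unquoted ImagePath; None if quoted or unparseable."""
    s = image_path.strip()
    if not s or s.startswith('"'):
        return None                      # quoted paths resolve unambiguously
    m = _EXE_RE.match(s)
    if not m:
        return None
    exe = m.group(1)
    return exe, s[len(exe):].strip()

def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is unquoted AND the executable path contains a space (CWE-428)."""
    parts = split_image_path(image_path)
    return parts is not None and " " in parts[0]

def quoted_binpath(image_path: str) -> str:
    """Corrected binPath= value for `sc config`: quotes around the exe, arguments preserved."""
    parts = split_image_path(image_path)
    if parts is None:
        return image_path.strip()        # already quoted or nothing to fix
    exe, args = parts
    return f'"{exe}" {args}'.rstrip()

def scan_services(services: dict[str, str]) -> dict[str, str]:
    """Map each flagged service name to its corrected binPath= value."""
    return {n: quoted_binpath(p) for n, p in services.items() if is_unquoted_with_spaces(p)}

if __name__ == "__main__":
    for name, fixed in scan_services(SAMPLE_SERVICES).items():
        escaped = fixed.replace('"', r'\"')   # cmd.exe needs inner quotes escaped for sc
        print(f'{name}: sc config "{name}" binPath= "{escaped}"')
```

On a live host, feed the function the ImagePath values read from the Services registry key (for example via winreg) instead of the constructed sample.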

🔗 References
