CVE-2024-11220

7.8 HIGH

📋 TL;DR

This vulnerability allows local low-privileged users on servers running OAS services to execute arbitrary code with SYSTEM privileges by creating and running reports with malicious rdlx files. This results in complete privilege escalation on affected systems. Organizations using Open Automation Software products are affected.

💻 Affected Systems

Products:
  • Open Automation Software products with OAS services
Versions: Specific versions not detailed in advisory; all versions prior to patched version are likely affected
Operating Systems: Windows (since SYSTEM privileges are Windows-specific)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires OAS services to be running and user to have credentials to access those services.

📦 What is this software?

Open Automation Software (OAS) is an industrial automation / IIoT data platform. Its OAS services run as Windows services; the report feature consumes rdlx report-definition files, and that report path is the component this CVE abuses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an attacker gains SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and full control of the server.

🟠 Likely Case

Privilege escalation by legitimate low-level users or attackers who have gained initial access, leading to unauthorized administrative access and potential data exfiltration.

🟢 If Mitigated

Limited impact due to restricted local access, proper user account management, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - This requires local access to the server, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any low-privileged user with access to the server can escalate to SYSTEM privileges, posing significant internal threat.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to OAS services but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; check vendor advisory for latest patched version

Vendor Advisory: https://openautomationsoftware.com/downloads/

Restart Required: Yes

Instructions:

1. Download the latest version from the Open Automation Software website.
2. Install the update following vendor instructions.
3. Restart the OAS services and affected systems.

🔧 Temporary Workarounds

Restrict Local User Access (windows)

Limit which users have local (interactive or Remote Desktop) logon rights on servers running OAS services; the vulnerability requires a local session on the server.

Remove Unnecessary OAS Service Credentials (windows)

Review which accounts hold credentials for the OAS services and remove them from low-privileged users who do not need to create or run reports.

🧯 If You Can't Patch

  • Implement strict principle of least privilege for all local user accounts
  • Segment OAS servers from critical systems and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check whether OAS services are running on the host and whether low-privileged users hold credentials for them. Review OAS report directories for rdlx files created by unexpected users, and the Security log for processes spawned by the OAS service process as SYSTEM.

Check Version:

Check OAS software version through vendor-provided tools or control panel

Verify Fix Applied:

Verify that the OAS software version matches the vendor's patched release, then confirm with a low-privileged test account that creating and running a report with a crafted rdlx file no longer yields code execution as SYSTEM.
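The host-side checks above, as an added PowerShell example (not the vendor's tooling and not part of the original advisory). It assumes the OAS services' display names contain "OAS" and that the product registers an Add/Remove Programs entry whose DisplayName contains "Open Automation Software"; confirm both on your own host before relying on the output.

```powershell
# Added example, not from Open Automation Software or the advisory.
# Assumptions: OAS service DisplayName contains "OAS"; the uninstall
# registry entry's DisplayName contains "Open Automation Software".

function Get-OasServiceState {
    # Which OAS services exist, whether they run, and under which account.
    # StartName 'LocalSystem' is the SYSTEM context this CVE escalates into.
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -like '*OAS*' } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

function Get-OasInstalledVersion {
    # Installed version from the Uninstall keys (avoids the slow Win32_Product scan).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Open Automation Software*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-LocalLogonPrincipals {
    # Who can obtain a local session: members of the groups that grant logon.
    foreach ($group in 'Administrators', 'Users', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Group'; e = { $group }}, Name, ObjectClass, PrincipalSource
    }
}

$services = Get-OasServiceState
if (-not $services) {
    Write-Output 'No OAS services found; host is not in scope for CVE-2024-11220.'
}
else {
    $services | Format-Table -AutoSize
    Get-OasInstalledVersion | Format-Table -AutoSize

    # The exposure that matters: an OAS service running as SYSTEM on a host
    # where non-administrative principals can log on locally.
    $runningAsSystem = $services | Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' }
    $nonAdmins = Get-LocalLogonPrincipals | Where-Object { $_.Group -ne 'Administrators' }
    if ($runningAsSystem -and $nonAdmins) {
        Write-Warning 'OAS service running as SYSTEM with non-admin local logon principals present; confirm the installed version is the patched release.'
        $nonAdmins | Format-Table -AutoSize
    }
}
```

Run it in an elevated PowerShell session on each OAS server. The version it prints has to be compared against the vendor's patched release, which this page does not name; the warning only tells you the exposure conditions are present, not that the host is unpatched.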

📡 Detection & Monitoring

Log Indicators:

  • Unexpected rdlx file creation in OAS report directories (needs a file-system SACL so Event ID 4663 is logged)
  • Process creations (Event ID 4688) whose parent is the OAS service process and whose subject is SYSTEM, especially shells and script hosts
  • OAS service authentication from unexpected users

Network Indicators:

  • Unusual outbound connections from OAS servers post-exploitation

SIEM Query:

Windows Security Event ID 4688 where ParentProcessName is the OAS service executable, SubjectUserSid is S-1-5-18 (SYSTEM) and NewProcessName is a shell or script host (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe); separately, 4688 events whose command line references an .rdlx file, or 4663 events showing an .rdlx file written by a non-administrative user
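The 4688 hunt above as an added PowerShell example (not from the advisory, the vendor, or any SIEM product). It assumes the OAS service's image path contains "OAS" (the `$OasImagePattern` default) and that Audit Process Creation with command-line logging is enabled; the sample records at the bottom are constructed to show the filter offline, not real logs.

```powershell
# Added detection example, not from the advisory or the vendor.
# Assumption: the OAS service image path matches $OasImagePattern; set it to
# the PathName you observed for the service on your host.
$OasImagePattern = 'OAS'

# Child images that a report-rendering service has no business spawning.
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                      'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'

function Test-OasEscalationEvent {
    # $e carries the 4688 fields used here: SubjectUserSid, ParentProcessName,
    # NewProcessName, CommandLine. True when the OAS service (as SYSTEM) spawned
    # a shell/script host, or when a process spawned by the service references an .rdlx file.
    param([Parameter(Mandatory)] $e)
    $parentIsOas = [bool]($e.ParentProcessName -match $OasImagePattern)
    $isSystem    = $e.SubjectUserSid -eq 'S-1-5-18'
    $childName   = if ($e.NewProcessName) { [System.IO.Path]::GetFileName($e.NewProcessName) } else { '' }
    $mentionsRdlx = [bool]($e.CommandLine -match '\.rdlx\b')   # -match is case-insensitive
    return ($parentIsOas -and $isSystem -and ($SuspiciousChildren -contains $childName)) -or
           ($parentIsOas -and $mentionsRdlx)
}

function Get-OasEscalationEvents {
    # Pulls 4688 from the local Security log, flattens EventData into an object,
    # and returns only the records the filter flags.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml] $_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $rec = [pscustomobject]@{
            Time              = $_.TimeCreated
            SubjectUserSid    = $d['SubjectUserSid']
            SubjectUserName   = $d['SubjectUserName']
            ParentProcessName = $d['ParentProcessName']
            NewProcessName    = $d['NewProcessName']
            CommandLine       = $d['CommandLine']
        }
        if (Test-OasEscalationEvent $rec) { $rec }
    }
}

# Constructed sample records (not real logs) to exercise the filter offline.
$samples = @(
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18';            ParentProcessName = 'C:\Program Files\OAS\OASService.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-21-1-2-3-1001'; ParentProcessName = 'C:\Windows\explorer.exe';             NewProcessName = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe' }
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18';            ParentProcessName = 'C:\Program Files\OAS\OASService.exe'; NewProcessName = 'C:\Windows\System32\conhost.exe'; CommandLine = 'conhost.exe 0x4' }
)
$samples | Where-Object { Test-OasEscalationEvent $_ } | Format-Table -AutoSize

# Live hunt over the last day:
# Get-OasEscalationEvents -Hours 24 | Format-Table -AutoSize
```

The service executable name in the samples is a placeholder; the pattern-based parent match is what you tune. Command-line matching only works if "Include command line in process creation events" is turned on, and the rdlx-creation indicator needs a SACL on the OAS report directory so that 4663 is written; neither is on by default.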
