CVE-2024-50591

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Elefant Update Service where an attacker with local access can execute arbitrary commands as SYSTEM via command injection. The vulnerability affects medical office computers running Elefant Software Updater. Attackers can gain full system control by sending crafted messages to the named pipe service.

💻 Affected Systems

Products:
  • Elefant Software Updater (ESU)
Versions: All versions prior to patch (specific version information not provided in CVE)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Elefant Update Service to be installed and running. Medical office environments are primary targets.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, lateral movement, and data exfiltration from medical systems.

🟠 Likely Case

Local attacker gains SYSTEM privileges to install keyloggers, ransomware, or backdoors on medical office computers, potentially accessing sensitive patient data.

🟢 If Mitigated

With proper network segmentation and least privilege, impact limited to single workstation, though SYSTEM access still allows significant local damage.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over internet.
🏢 Internal Only: HIGH - Any local user (including low-privilege accounts) can exploit this to gain SYSTEM privileges on affected medical workstations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access but no authentication to the service. Public disclosure includes technical details making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in CVE details

Vendor Advisory: https://hasomed.de/produkte/elefant/

Restart Required: Yes

Instructions:

1. Contact Hasomed vendor for patched version
2. Install updated Elefant Software Updater
3. Restart affected systems
4. Verify service is running patched version

🔧 Temporary Workarounds

Disable Elefant Update Service

Platform: Windows

Stop and disable the vulnerable service to prevent exploitation

sc stop "Elefant Update Service"
sc config "Elefant Update Service" start= disabled

Restrict Named Pipe Access

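Platform: Windows

Apply Windows security policies to restrict access to the vulnerable named pipe

icacls "\\.\pipe\ElefantUpdatePipe" /deny Everyone:(F)
Note: The pipe name shown is an example and may vary; check the actual pipe name first. A named pipe's access control list is set by the service when it creates the pipe, so confirm that the restriction took effect and that it still holds after the service restarts.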

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate medical workstations
  • Apply principle of least privilege and monitor for unusual SYSTEM privilege usage

🔍 How to Verify

Check if Vulnerable:

Check whether the Elefant Update Service is running with: sc query "Elefant Update Service" and check the installed version if possible

Check Version:

Check with vendor-specific version check or examine installed program version

Verify Fix Applied:

Verify that the service is updated to the patched version and test that command injection is no longer possible

📡 Detection & Monitoring

Log Indicators:

  • Unusual SYSTEM privilege escalation events
  • Process creation from Elefant Update Service with unexpected command lines
  • Named pipe communication anomalies

Network Indicators:

  • Local named pipe communication patterns to Elefant service

SIEM Query:

Process Creation where ParentImage contains "Elefant" AND CommandLine contains suspicious patterns (cmd.exe, powershell, etc)
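
The query above expressed as runnable detection logic over process-creation records. This is an added example, not code from the vendor or from this database. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine); the file paths in the sample events are constructed placeholders, and the command-chaining check is an added heuristic for the command injection described above.

```python
import ntpath

# Interpreters named in the SIEM query above; extend for your environment (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-chaining characters that suggest injected commands (heuristic, assumption).
CHAIN_TOKENS = ("&", "|", ";")


def classify(event, parent_marker="elefant"):
    """Return the reasons a process-creation event is suspicious (empty list = no match)."""
    parent = event.get("ParentImage", "")
    if parent_marker not in parent.lower():
        return []  # not spawned by the update service
    reasons = []
    # ntpath handles Windows paths even when the analysis host is not Windows.
    child = ntpath.basename(event.get("Image", "")).lower()
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"interpreter child: {child}")
    cmdline = event.get("CommandLine", "")
    hits = [t for t in CHAIN_TOKENS if t in cmdline]
    if hits:
        reasons.append("command chaining: " + " ".join(hits))
    return reasons


def detect(events):
    """Return (event, reasons) pairs for every event that matches."""
    return [(e, r) for e in events if (r := classify(e))]


# Constructed sample events; paths and file names are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Elefant\UpdateService.exe",
     "Image": r"C:\Program Files\Elefant\Setup.exe",
     "CommandLine": r'"C:\Program Files\Elefant\Setup.exe" /quiet'},
    {"ParentImage": r"C:\Program Files\Elefant\UpdateService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c setup.exe & echo constructed"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_EVENTS):
        print(event["CommandLine"], "->", "; ".join(reasons))
```

Baseline the update service's normal child processes first so legitimate installer launches can be excluded before alerting on this rule.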
