CVE-2024-50590 (GCVE-0-2024-50590)
Vulnerability from cvelistv5 – Published: 2024-11-08 11:45 – Updated: 2025-11-03 22:28
VLAI?
Title
Local Privilege Escalation via Weak Service Binary Permissions
Summary
Attackers with local access to the medical office computer can
escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by
overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:\Elefant1" which is
writable for all users. In addition, the Elefant installer registers two
Firebird database services which are running as “NT AUTHORITY\SYSTEM”.
Path: C:\Elefant1\Firebird_2\bin\fbserver.exe
Path: C:\Elefant1\Firebird_2\bin\fbguard.exe
Both service binaries are user writable. This means that a local
attacker can rename one of the service binaries, replace the service
executable with a new executable, and then restart the system. Once the
system has rebooted, the new service binary is executed as "NT
AUTHORITY\SYSTEM".
Severity ?
7.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
Tobias Niemann, SEC Consult Vulnerability Lab
Daniel Hirschberger, SEC Consult Vulnerability Lab
Florian Stuhlmann, SEC Consult Vulnerability Lab
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hasomed:elefant:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "elefant",
"vendor": "hasomed",
"versions": [
{
"lessThan": "24.04.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50590",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-08T15:33:19.207618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T15:35:03.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:27.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2024/Nov/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Elefant",
"vendor": "HASOMED",
"versions": [
{
"status": "affected",
"version": "\u003c24.04.00",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Niemann, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Florian Stuhlmann, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAttackers with local access to the medical office computer can \nescalate their Windows user privileges to \"NT AUTHORITY\\SYSTEM\" by \noverwriting one of two Elefant service binaries with weak permissions.\u0026nbsp;The default installation directory of Elefant is \"C:\\Elefant1\" which is \nwritable for all users. In addition, the Elefant installer registers two\n Firebird database services which are running as \u201cNT AUTHORITY\\SYSTEM\u201d.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePath: C:\\Elefant1\\Firebird_2\\bin\\fbserver.exe\u003c/p\u003e\u003cp\u003ePath: C:\\Elefant1\\Firebird_2\\bin\\fbguard.exe\u003cbr\u003e\u003c/p\u003e\u003cp\u003eBoth service binaries are user writable. This means that a local \nattacker can rename one of the service binaries, replace the service \nexecutable with a new executable, and then restart the system. Once the \nsystem has rebooted, the new service binary is executed as \"NT \nAUTHORITY\\SYSTEM\".\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Attackers with local access to the medical office computer can \nescalate their Windows user privileges to \"NT AUTHORITY\\SYSTEM\" by \noverwriting one of two Elefant service binaries with weak permissions.\u00a0The default installation directory of Elefant is \"C:\\Elefant1\" which is \nwritable for all users. In addition, the Elefant installer registers two\n Firebird database services which are running as \u201cNT AUTHORITY\\SYSTEM\u201d.\u00a0\n\nPath: C:\\Elefant1\\Firebird_2\\bin\\fbserver.exe\n\nPath: C:\\Elefant1\\Firebird_2\\bin\\fbguard.exe\n\n\nBoth service binaries are user writable. This means that a local \nattacker can rename one of the service binaries, replace the service \nexecutable with a new executable, and then restart the system. Once the \nsystem has rebooted, the new service binary is executed as \"NT \nAUTHORITY\\SYSTEM\"."
}
],
"impacts": [
{
"capecId": "CAPEC-642",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-642 Replace Binaries"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T11:45:04.756Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/hasomed"
},
{
"tags": [
"patch"
],
"url": "https://hasomed.de/produkte/elefant/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vendor fixed the issue in version 24.04.00\u0026nbsp;(or higher) which can be downloaded from \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://hasomed.de/produkte/elefant/\"\u003ehasomed.de/produkte/elefant/\u003c/a\u003e or via the Elefant Software Updater.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The vendor fixed the issue in version 24.04.00\u00a0(or higher) which can be downloaded from hasomed.de/produkte/elefant/ https://hasomed.de/produkte/elefant/ or via the Elefant Software Updater."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local Privilege Escalation via Weak Service Binary Permissions",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhile workarounds such as modifying the Elefant windows firewall \nrules and manually adjusting file permissions in the installation folder\n are feasible workarounds for some of the vulnerabilities, it is \nrecommended to install the patches provided by the vendor.\u003c/p\u003e"
}
],
"value": "While workarounds such as modifying the Elefant windows firewall \nrules and manually adjusting file permissions in the installation folder\n are feasible workarounds for some of the vulnerabilities, it is \nrecommended to install the patches provided by the vendor."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2024-50590",
"datePublished": "2024-11-08T11:45:04.756Z",
"dateReserved": "2024-10-25T07:26:12.628Z",
"dateUpdated": "2025-11-03T22:28:27.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50590\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-08T15:33:19.207618Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:hasomed:elefant:*:*:*:*:*:*:*:*\"], \"vendor\": \"hasomed\", \"product\": \"elefant\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.04.00\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-08T15:34:57.247Z\"}}], \"cna\": {\"title\": \"Local Privilege Escalation via Weak Service Binary Permissions\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tobias Niemann, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Daniel Hirschberger, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Florian Stuhlmann, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-642\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-642 Replace Binaries\"}]}], \"affected\": [{\"vendor\": \"HASOMED\", \"product\": \"Elefant\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c24.04.00\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor fixed the issue in version 24.04.00\\u00a0(or higher) which can be downloaded from hasomed.de/produkte/elefant/ https://hasomed.de/produkte/elefant/ or via the Elefant Software Updater.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe vendor fixed the issue in version 24.04.00\u0026nbsp;(or higher) which can be downloaded from \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://hasomed.de/produkte/elefant/\\\"\u003ehasomed.de/produkte/elefant/\u003c/a\u003e or via the Elefant Software Updater.\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/hasomed\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://hasomed.de/produkte/elefant/\", \"tags\": [\"patch\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"While workarounds such as modifying the Elefant windows firewall \\nrules and manually adjusting file permissions in the installation folder\\n are feasible workarounds for some of the vulnerabilities, it is \\nrecommended to install the patches provided by the vendor.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eWhile workarounds such as modifying the Elefant windows firewall \\nrules and manually adjusting file permissions in the installation folder\\n are feasible workarounds for some of the vulnerabilities, it is \\nrecommended to install the patches provided by the vendor.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Attackers with local access to the medical office computer can \\nescalate their Windows user privileges to \\\"NT AUTHORITY\\\\SYSTEM\\\" by \\noverwriting one of two Elefant service binaries with weak permissions.\\u00a0The default installation directory of Elefant is \\\"C:\\\\Elefant1\\\" which is \\nwritable for all users. In addition, the Elefant installer registers two\\n Firebird database services which are running as \\u201cNT AUTHORITY\\\\SYSTEM\\u201d.\\u00a0\\n\\nPath: C:\\\\Elefant1\\\\Firebird_2\\\\bin\\\\fbserver.exe\\n\\nPath: C:\\\\Elefant1\\\\Firebird_2\\\\bin\\\\fbguard.exe\\n\\n\\nBoth service binaries are user writable. This means that a local \\nattacker can rename one of the service binaries, replace the service \\nexecutable with a new executable, and then restart the system. Once the \\nsystem has rebooted, the new service binary is executed as \\\"NT \\nAUTHORITY\\\\SYSTEM\\\".\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAttackers with local access to the medical office computer can \\nescalate their Windows user privileges to \\\"NT AUTHORITY\\\\SYSTEM\\\" by \\noverwriting one of two Elefant service binaries with weak permissions.\u0026nbsp;The default installation directory of Elefant is \\\"C:\\\\Elefant1\\\" which is \\nwritable for all users. In addition, the Elefant installer registers two\\n Firebird database services which are running as \\u201cNT AUTHORITY\\\\SYSTEM\\u201d.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePath: C:\\\\Elefant1\\\\Firebird_2\\\\bin\\\\fbserver.exe\u003c/p\u003e\u003cp\u003ePath: C:\\\\Elefant1\\\\Firebird_2\\\\bin\\\\fbguard.exe\u003cbr\u003e\u003c/p\u003e\u003cp\u003eBoth service binaries are user writable. This means that a local \\nattacker can rename one of the service binaries, replace the service \\nexecutable with a new executable, and then restart the system. Once the \\nsystem has rebooted, the new service binary is executed as \\\"NT \\nAUTHORITY\\\\SYSTEM\\\".\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-276\", \"description\": \"CWE-276 Incorrect Default Permissions\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732 Incorrect Permission Assignment for Critical Resource\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-250\", \"description\": \"CWE-250 Execution with Unnecessary Privileges\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2024-11-08T11:45:04.756Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-50590\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-08T15:35:03.204Z\", \"dateReserved\": \"2024-10-25T07:26:12.628Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2024-11-08T11:45:04.756Z\", \"assignerShortName\": \"SEC-VLab\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…