An attacker with network access to the target workstation can send specially crafted packets with serialized data, which may cause remote code execution upon deserialization.
# Vulnerability: Remote Code Execution in ARC Informatique PcVue
## CVE Details
- **CVE ID:** CVE-2020-26867
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502: Deserialization of Untrusted Data
## Affected Systems
- **Products:** ARC Informatique PcVue (specifically the Web & Mobile back end server components)
- **Versions:** (upper bound of each range is the fixed release and is not affected)
  - 8.10.0 up to, but not including, 11.2.06100
  - 12.0.0 up to, but not including, 12.0.23
  - 15.0.0 up to, but not including, 15.1.2
- **Configurations:** Systems where the Web & Mobile extensions (Property Server) are installed and accessible via the network.
## Vulnerability Description
The vulnerability exists due to the insecure handling of serialized data within the Property Server component of the PcVue Web & Mobile extensions. An attacker can send specially crafted packets containing malicious serialized data to the target workstation. Upon deserialization, the application fails to validate the input, allowing for the execution of arbitrary processes on the Web & Mobile back end server.
## Exploitation
- **Status:** PoC available
- **Complexity:** Low
- **Attack Vector:** Network (Port 8090/TCP)
## Impact
- **Confidentiality:** High (Full access to data on the back end server)
- **Integrity:** High (Ability to modify system files and data)
- **Availability:** High (Potential to crash services or take over the host)
## Remediation
### Patches
Update to the following versions or newer:
- v11.2.06100
- v12.0.23
- v15.1.2
### Workarounds
- **Feature Removal:** If Web & Mobile features are not required, uninstall these extensions.
- **Access Control:** Restrict network access to port 8090/TCP using a firewall to allow only authorized traffic.
## Detection
- **Indicators of Compromise:** Unusual network traffic patterns or unexpected process execution originating from the PcVue Web & Mobile back end server.
- **Detection Methods:**
  - Implement a Network Intrusion Detection System (NIDS) to monitor for abnormal traffic on port 8090/TCP.
  - Monitor server logs for deserialization errors or unauthorized access attempts.
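The log-review step above can be automated against the allow-list used for the port 8090/TCP firewall workaround. The following is an added example, not code from the advisory or from ARC Informatique; it assumes a simple connection-log line format (timestamp, action, protocol, `src:port -> dst:port`) and an allow-list of authorized client subnets, both constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample connection log; the line format is an assumption, not PcVue's own.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z ALLOW TCP 10.20.0.15:51234 -> 10.20.0.5:8090
2024-05-01T10:02:13Z ALLOW TCP 10.20.0.15:51236 -> 10.20.0.5:8090
2024-05-01T10:05:40Z ALLOW TCP 192.0.2.77:40022 -> 10.20.0.5:8090
2024-05-01T10:05:41Z ALLOW TCP 192.0.2.77:40023 -> 10.20.0.5:8090
2024-05-01T10:07:02Z ALLOW TCP 10.20.0.15:51300 -> 10.20.0.5:443
2024-05-01T10:09:15Z ALLOW TCP 10.20.0.99:33012 -> 10.20.0.5:8090
"""

# Assumed allow-list: the subnet of supervisory workstations permitted to reach
# the Web & Mobile Property Server. Mirror the firewall rule from the workaround.
AUTHORIZED_CLIENTS = [ipaddress.ip_network("10.20.0.0/28")]
PROPERTY_SERVER_PORT = 8090

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str


def is_authorized(src: ipaddress.IPv4Address) -> bool:
    """True if the source address falls inside an allow-listed client subnet."""
    return any(src in net for net in AUTHORIZED_CLIENTS)


def find_unauthorized_property_server_access(log_text: str) -> list[Finding]:
    """Flag every TCP connection to port 8090 whose source is outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) != PROPERTY_SERVER_PORT:
            continue  # malformed line, other protocol, or a different service
        src = ipaddress.ip_address(m["src"])
        if not is_authorized(src):
            findings.append(Finding(m["ts"], str(src), "TCP/8090 from outside allow-list"))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_property_server_access(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.reason}")
```

Each finding is a connection to the Property Server port from a host that the firewall workaround should already have blocked, so a non-empty result means either the rule is missing or an unexpected client is present.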
## References
- **Vendor Advisories:** hxxps[://]www[.]pcvuesolutions[.]com/index[.]php/support-a-services/product-updates
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2020/10/09/klcert-20-015-remote-code-execution-in-arc-informatique-pcvue/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2020-26867