Advisory: Sidexis 4 Local Privilege Escalation Vulnerability
Disclosure Date: 2022/10/20
Author: Yannick Chairi
CVE: CVE-2022-44263
Application: Sidexis 4
Version: <= 4.3 (possibly later versions as well; only this one is confirmed)
Risk: Critical
Vendor Status: Disclosed

Overview:
The system is delivered and maintained in this state directly by Sirona. It ships with an installation of Sidexis 4, a software for creating and reviewing x-rays. Sidexis 4 runs a Windows service called "Sidexis Service" whose binary is "C:\Program Files\Sirona\SIDEXIS4\SidexisRestService.exe". The service runs under a dedicated service account, "sidexis4service", which is a member of the local Administrators group. It is possible to hijack that service to gain local administrative privileges on the affected system.

Details:
The binary "C:\Program Files\Sirona\SIDEXIS4\SidexisRestService.exe" has Read/Write/Change permissions granted to Everyone (displayed as "Jeder" on a German system). Any local user can therefore modify or replace "SidexisRestService.exe", and the replacement is executed the next time the service starts, in the context of the local administrator account "sidexis4service". An attacker who has obtained any local access to the system can abuse this to gain local administrative permissions and full control over the system.

Additional Info:
The parent folders C:\Program Files\Sirona\ and C:\Program Files\Sirona\SIDEXIS4\ also have Read/Write/Change permissions granted to Everyone (Jeder), and the service's binary path is not quoted, so an unquoted service path attack is possible as well. This indicates that these dangerous permissions are set by the Sidexis 4 installer at installation time.

Disclosure Timeline:
20 October 2022 - Disclosure to vendor
23 November 2022 - CVE number received, reminder sent to vendor
25 January 2023 - Disclosed to public
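The following PowerShell script is an added example for this advisory; it is neither Sirona's code nor part of the original disclosure. It audits a Windows service for the three conditions described above (writable service binary, writable parent directories, unquoted binary path) and can be run from any local user account, since it only reads ACLs and service metadata. The advisory gives the display name "Sidexis Service" but not the internal service name, so the script matches on DisplayName "Sidexis*"; that pattern is an assumption. Save it as a .ps1 file and run it on the affected host.

```powershell
# Added audit example (not Sirona's code, not part of the advisory).
# Checks a Windows service for the three conditions the advisory describes:
#   1. the service binary is writable by low-privileged principals
#   2. a parent directory of the binary is writable by low-privileged principals
#   3. the service's binary path is unquoted and contains spaces
# Assumption: the service's DisplayName matches "Sidexis*" (the advisory names it
# "Sidexis Service" but does not give the internal service name).
param(
    [string]$DisplayNamePattern = 'Sidexis*'
)

# Access bits that let a principal replace or tamper with a file, or plant a file
# in a directory: WriteData (create/overwrite), Delete, DeleteSubdirectoriesAndFiles,
# ChangePermissions, TakeOwnership, plus the GENERIC_WRITE / GENERIC_ALL bits that
# show up numerically in inherited ACEs.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::WriteData -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

# Low-privileged principals, matched by SID so the check works regardless of UI
# language ("Everyone" is displayed as "Jeder" on a German Windows; its SID is S-1-1-0).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

function Get-WeakAce {
    # Returns one object per Allow ACE that grants a low-privileged SID write-type access to $Path.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable or orphaned account, skip it
        if ($LowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Get-ServiceBinaryPath {
    # Extracts the executable from Win32_Service.PathName, whether quoted ("C:\x y\a.exe" -arg) or not.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }   # unquoted: cut after the first .exe
    return $PathName.Trim()
}

$services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.DisplayName -like $DisplayNamePattern }
foreach ($svc in $services) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    Write-Host "== $($svc.Name) ($($svc.DisplayName)) runs as '$($svc.StartName)'"
    Write-Host "   PathName: $($svc.PathName)"

    # 3. unquoted path with spaces: the service control manager tries each prefix
    #    ("C:\Program.exe", ...) before reaching the real binary
    if ($svc.PathName -notmatch '^\s*"' -and $bin -match ' ') {
        Write-Host "   [!] unquoted service path containing spaces" -ForegroundColor Red
    }

    # 1. and 2.: check the binary itself, then every parent directory below the drive root
    $targets = @($bin)
    $dir = Split-Path -Parent $bin
    while ($dir -and $dir -ne [System.IO.Path]::GetPathRoot($dir)) {
        $targets += $dir
        $dir = Split-Path -Parent $dir
    }
    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t)) { continue }
        Get-WeakAce -Path $t | ForEach-Object {
            Write-Host "   [!] $($_.Principal) has '$($_.Rights)' on $($_.Path)" -ForegroundColor Red
        }
    }
}
```

On a host in the state the advisory describes, the script reports Everyone (Jeder) with write-type rights on SidexisRestService.exe and on the SIDEXIS4 and Sirona folders, plus the unquoted path. Matching principals by SID rather than by name is deliberate: the same ACE reads "Jeder" on a German system and "Everyone" on an English one. Until the vendor ships a corrected installer, the local fix is to remove the Everyone ACEs from the Sirona tree (icacls with /reset /T restores the permissions inherited from Program Files) and to quote the service's binary path.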