Advisory: Sidexis 4 Unquoted Service Path Vulnerability

Disclose Date: 2022/10/20
Author: Yannick Chairi
CVE: CVE-2022-44264
Application: Sidexis 4
Version: <= 4.3 (possibly more; only this version is confirmed)
Risk: Critical
Vendor Status: Disclosed

Overview:

The system is delivered and maintained in this state directly by Sirona. It ships with an installation of Sidexis 4, a software for reviewing and creating x-rays. Sidexis 4 runs a service called "Sidexis Service", which executes "C:\Program Files\Sirona\SIDEXIS4\SidexisRestService.exe". The service runs under a dedicated service account called "sidexis4service", which has local administrative privileges. It is possible to hijack that service to gain local administrative privileges on the affected system.

Details:

The root folders C:\Program Files\Sirona\ and C:\Program Files\Sirona\SIDEXIS4\ have Read/Write/Change permissions set for Everyone (Jeder), and the service's binary path is not enclosed in quotes, allowing an unquoted service path attack. Combined, these two conditions can lead to local administrative privileges.

Disclosure Timeline:

20. October 2022 - Disclosure to vendor
23. November 2022 - CVE number received, reminder sent to vendor
25. January 2023 - Disclosed to public
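The two conditions above (an unquoted ImagePath containing a space, plus a directory prefix writable by Everyone) are what make this class of bug exploitable, so a defender wants to check for both together. The following PowerShell audit script is an added example, not part of the advisory or Sirona's software; it assumes Windows PowerShell 5.1 or later, that it is run as a local administrator so every ACL is readable, and that the service name is discovered from the binary path rather than known in advance.

```powershell
# Added defender-side check (not from the advisory): list services whose binary path is
# unquoted and contains a space, and report which prefix directories a broad group can write to.
# Assumes Windows PowerShell 5.1+ run as a local administrator.

$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$broadSids   = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        # Explicit rights only; generic access masks (GENERIC_WRITE etc.) are not expanded here
        if (($broadSids -contains $sid) -and (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Risky when the path does not start with a quote and a space appears before the .exe
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match '^[^"]*\s[^"]*\.exe'
    } | ForEach-Object {
        $exe   = ($_.PathName -replace '\.exe.*$', '.exe').Trim()
        $parts = $exe -split '\\'
        # Every directory prefix before the .exe is a location the service manager would try first
        $writable = for ($i = 1; $i -lt $parts.Count; $i++) {
            $dir = ($parts[0..($i - 1)] -join '\') + '\'
            if (Test-BroadWriteAccess $dir) { $dir }
        }
        [pscustomobject]@{
            Name         = $_.Name
            StartName    = $_.StartName       # e.g. the privileged "sidexis4service" account
            ImagePath    = $_.PathName
            WritableDirs = (@($writable) -join ';')
        }
    }
}

# Report only services where both conditions from the advisory coincide
Get-UnquotedServicePath | Where-Object { $_.WritableDirs } | Format-Table -AutoSize

# Remediation for a confirmed hit (as administrator): quote the path and drop the Everyone write ACE, e.g.
#   sc.exe config "<ServiceName>" binPath= "\"C:\Program Files\Sirona\SIDEXIS4\SidexisRestService.exe\""
#   icacls "C:\Program Files\Sirona" /remove:g Jeder   (or "Everyone" on an English system)
```

On an affected host the report should show the Sidexis service with C:\Program Files\Sirona\ listed under WritableDirs; after quoting the path and fixing the folder ACL it should no longer appear.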