Elevation of Privilege Vulnerability in Origin Client
EASEC-2020-002
Severity: Important
CVSS Score: 7.8
Impact: Elevation of Privilege
Status: Fixed
Affected Software: Origin for Mac & PC version 10.5.86 (or earlier)
CVE ID: CVE-2020-27708
Description
A vulnerability exists in the Origin Client that could allow a non-Administrative user to elevate their access to either Administrator or System. Once the user has obtained elevated access, they may be able to take control of the system and perform actions otherwise reserved for high privileged users or system Administrators.
Attack Scenario
To successfully leverage the vulnerability, the attacker needs to have valid user credentials with the ability to log-on to the computer that has the Origin Client installed. After an attacker has successfully logged onto the system, they must then create a specifically named directory in a fixed location on C:\, and add a specially crafted Qt plugin to that directory.
Elevating to System
After following the above steps, the attacker can elevate to NT AUTHORITY\System privileges by taking the following steps:
- Stop the “Origin Client Service.”
- Restart the “Origin Client Service.”
Elevating to Administrator
After following the above steps, the attacker must either:
- Wait for another user with Administrator privileges to run the Origin Client Installer or Origin Client Uninstaller and follow the UAC elevation prompt; or
- Convince the Administrative user to run the Origin Client, Origin Crash Reporter or Origin Error Reporter with Administrative privileges.
Mitigations
Mitigations describe factors that limit the likelihood or impact of an attacker successfully leveraging the vulnerability.
- A successful attack requires that the attacker have a valid account on the local machine that has the Origin Client installed.
- For scenarios that elevate to Administrator, the attacker would need to convince an administrative user to run an Origin application with elevated privileges. The administrative user would need to approve a UAC prompt to do this.
Workarounds
Workarounds are steps EA customers can take to reduce the potential for an attacker to leverage the vulnerability if they cannot or choose not to install the update.
- In order to temporarily limit the likelihood of the vulnerability being executed by non-privileged users, the system Administrator may choose to remove the local login rights or disable non-administrator accounts.
Resolution
To address the vulnerability players with Administrator rights are advised to install the latest version of the Origin Client, version 10.5.87.
On the next player login, the player will be required to update before entering their credentials. If they are already logged in, they will need to restart Origin to get the update.
Frequently Asked Questions
How is Issue Severity Determined?
Issue severity is based on a 4-point scale ranging from Critical to Low. As part of our investigation, security engineers determine the overall ease of exploitation and how an attacker would need to successfully exploit the vulnerability. Typically, the fewer barriers that exist to exploitation combined with a higher Security Impact, the higher the Issue Severity designation. More information about how we classify security impact and severity can be found here.
What causes the vulnerability?
The vulnerability is caused by the way in which Origin instantiates Qt applications, coupled with how Qt can be configured to load plugins. This allows a local user to manipulate the locations from which Origin can load Qt plugins. An attacker could supply a specially crafted QT plugin, which will be executed under the context of Administrator or System.
What is Qt?
Qt is a free and open-source widget toolkit for creating graphical user interfaces as well as cross-platform applications that run on various software and hardware platforms.
How do I know if I am vulnerable?
If Origin client version 10.5.86 or earlier is installed on the system, it is vulnerable to this issue.
How does the update resolve the vulnerability?
The update restricts the dynamic loading of Origin Qt plugins to specific, predefined directories, which are only editable by an Administrator account.
Why doesn’t Restricted Access Mode prevent this vulnerability?
When a user enables Restricted Access Mode, it restricts non-administrative access to Origin files and directories. RAM does not restrict access to locations used by third party components, because doing so may break other applications on a player’s system. This means an attacker can edit or create a new Qt plugin directory, even if RAM is enabled.
Has this vulnerability been used against EA’s customers?
No. At the time of publication of this advisory we are not aware of any attacks against EA’s players that leverage this vulnerability.
Acknowledgement(s)
EA thanks the following security researcher for their discovery and reporting it to us in accordance with Coordinated Vulnerability Disclosure practices:
Date Published: October 29, 2020
Version: 1.0