CVE-2023-28143 (GCVE-0-2023-28143)
Vulnerability from cvelistv5 – Published: 2023-04-18 15:54 – Updated: 2025-02-05 20:25
VLAI?
Summary
Qualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)
installer allows a local escalation of privilege bounded only to the time of
installation and only on older macOSX (macOS 10.15 and older) versions.
Attackers may exploit incorrect file permissions to give them ROOT command
execution privileges on the host. During the install of the PKG, a step in the
process involves extracting the package and copying files to several
directories. Attackers may gain writable access to files during the install of
PKG when extraction of the package and copying files to several directories,
enabling a local escalation of privilege.
Severity ?
6.7 (Medium)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Qualys | Cloud Agent |
Affected:
2.5.1-75 , < 3.7
(custom)
|
Credits
Lockheed Martin Red Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://qualys.com/security-advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T20:25:47.361002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T20:25:58.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Cloud Agent",
"vendor": "Qualys",
"versions": [
{
"lessThan": "3.7",
"status": "affected",
"version": "2.5.1-75",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin Red Team"
}
],
"datePublic": "2023-04-18T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eQualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)\ninstaller allows a local escalation of privilege bounded only to the time of\ninstallation and only on older macOSX (macOS 10.15 and older) versions.\nAttackers may exploit incorrect file permissions to give them ROOT command\nexecution privileges on the host. During the install of the PKG, a step in the\nprocess involves extracting the package and copying files to several\ndirectories. Attackers may gain writable access to files during the install of\nPKG when extraction of the package and copying files to several directories,\nenabling a local escalation of privilege.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nQualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)\ninstaller allows a local escalation of privilege bounded only to the time of\ninstallation and only on older macOSX (macOS 10.15 and older) versions.\nAttackers may exploit incorrect file permissions to give them ROOT command\nexecution privileges on the host. During the install of the PKG, a step in the\nprocess involves extracting the package and copying files to several\ndirectories. Attackers may gain writable access to files during the install of\nPKG when extraction of the package and copying files to several directories,\nenabling a local escalation of privilege.\n\n\n\n\n\n\n\n\n\n"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Proof of Concept"
}
],
"value": "Proof of Concept"
}
],
"impacts": [
{
"capecId": "CAPEC-30",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-18T15:54:16.031Z",
"orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
"shortName": "Qualys"
},
"references": [
{
"url": "https://qualys.com/security-advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade to v3.7 for Qualys\nCloud Agent for MacOS.\u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to v3.7 for Qualys\nCloud Agent for MacOS.\n\n\n\n\n\n\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
"assignerShortName": "Qualys",
"cveId": "CVE-2023-28143",
"datePublished": "2023-04-18T15:54:16.031Z",
"dateReserved": "2023-03-10T21:23:28.797Z",
"dateUpdated": "2025-02-05T20:25:58.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:qualys:cloud_agent:*:*:*:*:*:macos:*:*\", \"versionStartIncluding\": \"2.5.1-75\", \"versionEndExcluding\": \"3.7\", \"matchCriteriaId\": \"1FDE3FE5-9778-453F-A9EE-CC9978DEFEB2\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"10.15\", \"matchCriteriaId\": \"22A86A9E-554E-48DD-A654-AC8AABED90FD\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"\\nQualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)\\ninstaller allows a local escalation of privilege bounded only to the time of\\ninstallation and only on older macOSX (macOS 10.15 and older) versions.\\nAttackers may exploit incorrect file permissions to give them ROOT command\\nexecution privileges on the host. During the install of the PKG, a step in the\\nprocess involves extracting the package and copying files to several\\ndirectories. Attackers may gain writable access to files during the install of\\nPKG when extraction of the package and copying files to several directories,\\nenabling a local escalation of privilege.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\"}]",
"id": "CVE-2023-28143",
"lastModified": "2024-11-21T07:54:28.893",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"bugreport@qualys.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.9}]}",
"published": "2023-04-18T16:15:09.223",
"references": "[{\"url\": \"https://qualys.com/security-advisories\", \"source\": \"bugreport@qualys.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://qualys.com/security-advisories\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "bugreport@qualys.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"bugreport@qualys.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-426\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-426\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-28143\",\"sourceIdentifier\":\"bugreport@qualys.com\",\"published\":\"2023-04-18T16:15:09.223\",\"lastModified\":\"2024-11-21T07:54:28.893\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nQualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)\\ninstaller allows a local escalation of privilege bounded only to the time of\\ninstallation and only on older macOSX (macOS 10.15 and older) versions.\\nAttackers may exploit incorrect file permissions to give them ROOT command\\nexecution privileges on the host. During the install of the PKG, a step in the\\nprocess involves extracting the package and copying files to several\\ndirectories. Attackers may gain writable access to files during the install of\\nPKG when extraction of the package and copying files to several directories,\\nenabling a local escalation of privilege.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"bugreport@qualys.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"bugreport@qualys.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-426\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-426\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:qualys:cloud_agent:*:*:*:*:*:macos:*:*\",\"versionStartIncluding\":\"2.5.1-75\",\"versionEndExcluding\":\"3.7\",\"matchCriteriaId\":\"1FDE3FE5-9778-453F-A9EE-CC9978DEFEB2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"10.15\",\"matchCriteriaId\":\"22A86A9E-554E-48DD-A654-AC8AABED90FD\"}]}]}],\"references\":[{\"url\":\"https://qualys.com/security-advisories\",\"source\":\"bugreport@qualys.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://qualys.com/security-advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://qualys.com/security-advisories\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:30:24.348Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28143\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-05T20:25:47.361002Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-05T20:25:27.324Z\"}}], \"cna\": {\"title\": \"Local Privilege Escalation\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Lockheed Martin Red Team\"}], \"impacts\": [{\"capecId\": \"CAPEC-30\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-30 Hijacking a Privileged Thread of Execution\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Qualys\", \"product\": \"Cloud Agent\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.5.1-75\", \"lessThan\": \"3.7\", \"versionType\": \"custom\"}], \"platforms\": [\"MacOS\"], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"Proof of Concept\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Proof of Concept\", \"base64\": false}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to v3.7 for Qualys\\nCloud Agent for MacOS.\\n\\n\\n\\n\\n\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpgrade to v3.7 for Qualys\\nCloud Agent for MacOS.\u003c/p\u003e\\n\\n\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2023-04-18T16:00:00.000Z\", \"references\": [{\"url\": \"https://qualys.com/security-advisories\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nQualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)\\ninstaller allows a local escalation of privilege bounded only to the time of\\ninstallation and only on older macOSX (macOS 10.15 and older) versions.\\nAttackers may exploit incorrect file permissions to give them ROOT command\\nexecution privileges on the host. During the install of the PKG, a step in the\\nprocess involves extracting the package and copying files to several\\ndirectories. Attackers may gain writable access to files during the install of\\nPKG when extraction of the package and copying files to several directories,\\nenabling a local escalation of privilege.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cp\u003eQualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7)\\ninstaller allows a local escalation of privilege bounded only to the time of\\ninstallation and only on older macOSX (macOS 10.15 and older) versions.\\nAttackers may exploit incorrect file permissions to give them ROOT command\\nexecution privileges on the host. During the install of the PKG, a step in the\\nprocess involves extracting the package and copying files to several\\ndirectories. Attackers may gain writable access to files during the install of\\nPKG when extraction of the package and copying files to several directories,\\nenabling a local escalation of privilege.\u003c/p\u003e\\n\\n\\n\\n\\n\\n\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-426\", \"description\": \"CWE-426 Untrusted Search Path\"}]}], \"providerMetadata\": {\"orgId\": \"8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda\", \"shortName\": \"Qualys\", \"dateUpdated\": \"2023-04-18T15:54:16.031Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-28143\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-05T20:25:58.551Z\", \"dateReserved\": \"2023-03-10T21:23:28.797Z\", \"assignerOrgId\": \"8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda\", \"datePublished\": \"2023-04-18T15:54:16.031Z\", \"assignerShortName\": \"Qualys\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…