cnvd - cnvd-2019-22646

CNVD-2019-22646

Vulnerability from cnvd - Published: 2019-07-16

Title

Rapid7’s Windows InsightIDR本地权限提升漏洞

Description

Rapid7 Insight Agent是美国Rapid7公司的一款轻量级软件。该软件能够从IT资产中收集数据。 Rapid7 Insight Agent 2.6.3及之前版本中存在安全漏洞。攻击者可利用该漏洞提升权限至SYSTEM。

Severity

中

Patch Name

Rapid7 Insight Agent本地权限提升漏洞的补丁

Patch Description

Rapid7 Insight Agent是美国Rapid7公司的一款轻量级软件。该软件能够从IT资产中收集数据。 Rapid7 Insight Agent 2.6.3及之前版本中存在安全漏洞。攻击者可利用该漏洞提升权限至SYSTEM。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://help.rapid7.com/insightagent/release-notes/archive/2019/05/#20190529

Reference

http://seclists.org/bugtraq/2019/Jun/0

Impacted products

Name
Rapid7 Insight Agent <=2.6.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-5629"
    }
  },
  "description": "Rapid7 Insight Agent\u662f\u7f8e\u56fdRapid7\u516c\u53f8\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u80fd\u591f\u4eceIT\u8d44\u4ea7\u4e2d\u6536\u96c6\u6570\u636e\u3002\n\nRapid7 Insight Agent 2.6.3\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u81f3SYSTEM\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://help.rapid7.com/insightagent/release-notes/archive/2019/05/#20190529",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-22646",
  "openTime": "2019-07-16",
  "patchDescription": "Rapid7 Insight Agent\u662f\u7f8e\u56fdRapid7\u516c\u53f8\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u80fd\u591f\u4eceIT\u8d44\u4ea7\u4e2d\u6536\u96c6\u6570\u636e\u3002\r\n\r\nRapid7 Insight Agent 2.6.3\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u81f3SYSTEM\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Rapid7 Insight Agent\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Rapid7 Insight Agent \u003c=2.6.3"
  },
  "referenceLink": "http://seclists.org/bugtraq/2019/Jun/0",
  "serverity": "\u4e2d",
  "submitTime": "2019-06-04",
  "title": "Rapid7\u2019s Windows InsightIDR\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2019-5629 (GCVE-0-2019-5629)

Vulnerability from cvelistv5 – Published: 2019-07-13 00:15 – Updated: 2024-09-16 22:45

Summary

Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent 2.6.3 and prior starts, the Python interpreter attempts to load python3.dll at "C:\DLLs\python3.dll," which normally is writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent's startup conditions to elevate to SYSTEM privileges. This issue was fixed in Rapid7 Insight Agent 2.6.4.

Severity ?

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-427 - Uncontrolled Search Path Element

Assigner

rapid7

References

URL

Tags

	https://seclists.org/bugtraq/2019/Jun/0	mailing-listx_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/153159/Rapid…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2019/Jun/13	mailing-listx_refsource_FULLDISC
	https://help.rapid7.com/insightagent/release-note…	x_refsource_CONFIRM
	https://bogner.sh/2019/06/local-privilege-escalat…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Rapid7	Insight Agent	Affected: 2.6.3 and prior

Credits

This issue was discovered, and reported to Rapid7, by independent researcher Florian Bogner at Bee IT Security. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:01:51.670Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190603 Rapid7\u0027s Windows InsightIDR Agent: Local Privilege Escalation",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jun/0"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153159/Rapid7-Windows-InsightIDR-Agent-2.6.3.14-Local-Privilege-Escalation.html"
          },
          {
            "name": "20190611 Rapid7\u0027s Windows InsightIDR Agent: Local Privilege Escalation",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Jun/13"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://help.rapid7.com/insightagent/release-notes/archive/2019/05/#20190529"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Insight Agent",
          "vendor": "Rapid7",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.3 and prior"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered, and reported to Rapid7, by independent researcher Florian Bogner at Bee IT Security. It is being disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."
        }
      ],
      "datePublic": "2019-05-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent 2.6.3 and prior starts, the Python interpreter attempts to load python3.dll at \"C:\\DLLs\\python3.dll,\" which normally is writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent\u0027s startup conditions to elevate to SYSTEM privileges. This issue was fixed in Rapid7 Insight Agent 2.6.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-13T00:16:06",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "name": "20190603 Rapid7\u0027s Windows InsightIDR Agent: Local Privilege Escalation",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jun/0"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153159/Rapid7-Windows-InsightIDR-Agent-2.6.3.14-Local-Privilege-Escalation.html"
        },
        {
          "name": "20190611 Rapid7\u0027s Windows InsightIDR Agent: Local Privilege Escalation",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Jun/13"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://help.rapid7.com/insightagent/release-notes/archive/2019/05/#20190529"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue affects Insight Agent instances at version 2.6.4 and older. Insight Agent will normally update automatically. Otherwise, if your Insight Agent instances are not running 2.6.5 or higher, ensure that you update all instances to 2.6.5 (or later if available)."
        }
      ],
      "source": {
        "advisory": "R7-2019-19",
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@rapid7.com",
          "DATE_PUBLIC": "2019-05-29T17:17:00.000Z",
          "ID": "CVE-2019-5629",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Insight Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.6.3 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Rapid7"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered, and reported to Rapid7, by independent researcher Florian Bogner at Bee IT Security. It is being disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent 2.6.3 and prior starts, the Python interpreter attempts to load python3.dll at \"C:\\DLLs\\python3.dll,\" which normally is writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent\u0027s startup conditions to elevate to SYSTEM privileges. This issue was fixed in Rapid7 Insight Agent 2.6.4."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-427: Uncontrolled Search Path Element"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190603 Rapid7\u0027s Windows InsightIDR Agent: Local Privilege Escalation",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jun/0"
            },
            {
              "name": "http://packetstormsecurity.com/files/153159/Rapid7-Windows-InsightIDR-Agent-2.6.3.14-Local-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153159/Rapid7-Windows-InsightIDR-Agent-2.6.3.14-Local-Privilege-Escalation.html"
            },
            {
              "name": "20190611 Rapid7\u0027s Windows InsightIDR Agent: Local Privilege Escalation",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Jun/13"
            },
            {
              "name": "https://help.rapid7.com/insightagent/release-notes/archive/2019/05/#20190529",
              "refsource": "CONFIRM",
              "url": "https://help.rapid7.com/insightagent/release-notes/archive/2019/05/#20190529"
            },
            {
              "name": "https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/",
              "refsource": "MISC",
              "url": "https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "This issue affects Insight Agent instances at version 2.6.4 and older. Insight Agent will normally update automatically. Otherwise, if your Insight Agent instances are not running 2.6.5 or higher, ensure that you update all instances to 2.6.5 (or later if available)."
          }
        ],
        "source": {
          "advisory": "R7-2019-19",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2019-5629",
    "datePublished": "2019-07-13T00:15:43.850364Z",
    "dateReserved": "2019-01-07T00:00:00",
    "dateUpdated": "2024-09-16T22:45:30.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-22646

CVE-2019-5629 (GCVE-0-2019-5629)

Tags

Sightings

Nomenclature