Metasploit Pro 4.16 and earlier install the web server SSL server.key as local-user readable by default

2019-11-08T06:53:44
ID AKB:840AFA91-FC8E-4CFB-B206-1AA1B1A1EFDD
Type attackerkb
Reporter AttackerKB
Modified 2020-07-24T00:26:10

Description

Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
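Added example, not code from the AttackerKB entry or from Rapid7: a POSIX shell audit for the CWE-732 condition the description names, checking whether a TLS private key is readable by anyone other than its owner and tightening it to 0600. The key path is a constructed placeholder, since the entry does not give Metasploit Pro's install location.

```shell
#!/bin/sh
# Audit a TLS private key for CWE-732 (group/other permission bits set) and
# remediate to owner-only access. Constructed example; the path is a placeholder.
set -u

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when only the owner can access the key (group and other bits are 0),
# 1 when any group or other bit is set, i.e. the key is exposed to local users.
key_is_private() {
    mode=$(key_mode "$1")
    # The last two octal digits are the group and other permissions.
    case "${mode#${mode%??}}" in
        00) return 0 ;;
        *)  return 1 ;;
    esac
}

# Restrict the key to its owner and confirm the result.
harden_key() {
    chmod 600 "$1" && key_is_private "$1"
}

# Constructed demonstration: a throw-away key written world-readable (0644),
# mirroring the installer defect described above (not a real Metasploit Pro key).
demo() {
    dir=$(mktemp -d)
    key="$dir/server.key"                      # placeholder path
    printf 'PLACEHOLDER PRIVATE KEY MATERIAL\n' > "$key"
    chmod 644 "$key"
    if key_is_private "$key"; then echo "before: private"; else echo "before: exposed (mode $(key_mode "$key"))"; fi
    harden_key "$key"
    if key_is_private "$key"; then echo "after: private (mode $(key_mode "$key"))"; else echo "after: still exposed"; fi
    rm -rf "$dir"
}

demo
```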

Recent assessments:

busterb at 2019-11-14T18:11:16.616954Z reported: This requires authentication via a remote shell in order to be effective. If an adversary is on your Metasploit Pro machine such that they can access the key in the first place, it's already game-over. So, having the web-server certificate key (which is by default a fake cert anyway) is unlikely to be a high risk for a Metasploit Pro user.

Assessed Attacker Value: 1
Assessed Exploitability: 1