CVE-2023-0242

2023-01-18 21:15:11
CWE: CWE-269, CWE-862
Source: rapid7, web.nvd.nist.gov
Tags: rapid7 velociraptor, vql, copy() function, file overwrite, security vulnerability

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.6
Confidence: High
EPSS: 0.001
Percentile: 43.1%

Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.

The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor “investigator” role) to overwrite files on the server, including Velociraptor configuration files.

To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least “analyst”) and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).

This vulnerability is associated with the program file https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and the program routine copy().

This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
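The affected range stated above, every release below 0.6.7-5, as a version check a defender can run against a deployment inventory. This is an added example written for this page, not code from Velociraptor or Rapid7; it assumes the "-N" suffix is a post-release number, so a bare 0.6.7 sorts below 0.6.7-5 and counts as affected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is major, minor, patch and the "-N" release number ("0.6.7-5").
// Reading "-N" as a post-release counter (so 0.6.7 < 0.6.7-5) is an
// assumption made here, not a rule taken from the Velociraptor project.
type Version [4]int
// ParseVersion takes up to three dotted parts and one "-N"; missing parts are 0.
func ParseVersion(s string) (Version, error) {
	var v Version
	base, rel, hasRel := strings.Cut(strings.TrimSpace(s), "-")
	for i, f := range strings.Split(base, ".") {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 || i > 2 {
			return Version{}, fmt.Errorf("bad version %q: component %q", s, f)
		}
		v[i] = n
	}
	if hasRel {
		n, err := strconv.Atoi(rel)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad release suffix in %q", s)
		}
		v[3] = n
	}
	return v, nil
}

// Less reports whether v sorts before o: major, minor, patch, then release.
func (v Version) Less(o Version) bool {
	for i := range v {
		if v[i] != o[i] {
			return v[i] < o[i]
		}
	}
	return false
}
// AffectedByCVE20230242 is true for every release below the fixed 0.6.7-5.
func AffectedByCVE20230242(deployed string) (bool, error) {
	v, err := ParseVersion(deployed)
	if err != nil {
		return false, err
	}
	return v.Less(Version{0, 6, 7, 5}), nil
}
```

Malformed strings (a non-numeric suffix, a fourth dotted component, a negative release number) are rejected rather than silently treated as unaffected.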

Affected configurations

NVD node: rapid7 velociraptor, range < 0.6.7-5

Vendor: rapid7
Product: velociraptor
Version: *
CPE: cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
    "defaultStatus": "unaffected",
    "modules": [
      "VQL copy() function"
    ],
    "packageName": "Velociraptor",
    "platforms": [
      "Linux",
      "Windows",
      "MacOS",
      "64 bit",
      "32 bit"
    ],
    "product": "Velociraptor",
    "programFiles": [
      "https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go"
    ],
    "programRoutines": [
      {
        "name": "copy()"
      }
    ],
    "repo": "https://github.com/Velocidex/velociraptor/",
    "vendor": "Rapid7",
    "versions": [
      {
        "changes": [
          {
            "at": "5",
            "status": "unaffected"
          }
        ],
        "lessThan": "0.6.7-5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
