CVE-2023-0242 – Insufficient permission check in the VQL copy() function
https://notcve.org/view.php?id=CVE-2023-0242
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files. To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI). This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy(). This issue affects Velociraptor versions before 0.6.7-5. • https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •
CVE-2017-5242 – Rapid7 Nexpose Virtual Appliance Duplicate SSH Host Key
https://notcve.org/view.php?id=CVE-2017-5242
Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. Los dispositivos virtuales Nexpose e InsightVM descargados entre el 5 de abril de 2017 y el 3 de mayo de 2017 contienen claves de host SSH idénticas. Normalmente, se debe generar una clave de host SSH única la primera vez que se inicia un dispositivo virtual. • https://www.rapid7.com/blog/post/2017/05/17/rapid7-nexpose-virtual-appliance-duplicate-ssh-host-key-cve-2017-5242 • CWE-321: Use of Hard-coded Cryptographic Key CWE-330: Use of Insufficiently Random Values •
CVE-2022-4261 – Rapid7 Nexpose Update Validation Issue
https://notcve.org/view.php?id=CVE-2022-4261
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself. Las versiones de Rapid7 Nexpose e InsightVM anteriores a la 6.6.172 no lograron validar de manera confiable la autenticidad del contenido de la actualización. Este fallo podría permitir que un atacante proporcione una actualización maliciosa y altere la funcionalidad de Rapid7 Nexpose. • https://docs.rapid7.com/release-notes/insightvm/20221207 https://docs.rapid7.com/release-notes/nexpose/20221207 https://www.rapid7.com/blog/post/2022/12/7/cve-2022-4261-rapid7-nexpose-update-validation-issue-fixed • CWE-494: Download of Code Without Integrity Check •
CVE-2019-5641 – Rapid7 InsightVM Information Disclosure after Logout
https://notcve.org/view.php?id=CVE-2019-5641
Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user Rapid7 InsightVM sufre un problema de exposición de información por el que, cuando la sesión del usuario ha finalizado por inactividad, un atacante puede usar la función del navegador Inspect Element para eliminar el panel de acceso y visualizar los detalles disponibles en la última página web visitada por el usuario anterior • https://docs.rapid7.com/release-notes/insightvm/20220830 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-613: Insufficient Session Expiration •
CVE-2022-35632 – XSS in User Interface
https://notcve.org/view.php?id=CVE-2022-35632
The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2. La Interfaz Gráfica de Velociraptor contiene una funcionalidad editor suggestion que puede mostrar el campo de descripción de una función VQL, plugin o artefacto. Este campo no estaba apropiadamente saneado y puede conllevar a un ataque de tipo cross-site scripting (XSS). • https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •