Rapid7 researcher Danny Jordan discovered two vulnerabilities in the Automox Agent for Windows and macOS, which could result in information disclosure issues involving the Automox infrastructure. CVE-2021-26908 describes a vulnerability where Automox Agent improperly logs sensitive information on the local endpoint, and has a CVSS score of 3.3 (Low). CVE-2021-26909 describes a vulnerability that exposes an easily guessed endpoint in the Automox AWS infrastructure, and has a severity of 3.7. Both of these issues have been fixed by the vendor.
Automox provides programmatic solutions for the bulk management of remote endpoints, through its flagship product, the Automox Agent. More about Automox Agent and how it can help reduce attack surface can be found at the vendor's website.
These issues were discovered by cybersecurity researcher Danny Jordan, and they are being disclosed in accordance with Rapid7's vulnerability disclosure policy.
For CVE-2021-26908, an attacker would first need to be an authenticated user of an endpoint being managed by Automox Agent. That person could read the local log files to discover the command-line arguments Automox Agent used in the past to install endpoint security solutions, which can include sensitive information such as site-specific tokens being passed as command-line arguments. These tokens, in turn, could be used to uninstall and deprovision the security solution in a way that is difficult to detect as anything other than normal, authorized maintenance.
For CVE-2021-26909, an attacker can start guessing at a relatively easy-to-guess endpoint in the Automox AWS infrastructure:
hxxps://automox-policy-files.s3.us-west-2.amazonaws.com/<6 digit policy ID>/filename.extension
An attacker can then download sensitive internal files, such as those that prove that the endpoint is a trusted endpoint in a given security program.
While both of these issues amount to low-severity information disclosure issues, they could be useful to either a malicious insider or an attacker who is posing as an insider. CVE-2021-26908, the logfile issue, could be used by malicious insiders to learn site-specific information about the endpoint, including material that could be used to uninstall endpoint security components. CVE-2021-26909, the predictable S3 bucket URL, could be used to discover what sorts of endpoint security solutions are in use for a particular site, and possibly allow an attacker to misuse those resources to impersonate a trusted endpoint.
Automox continually works to identify and fix security vulnerabilities in our product and infrastructure. We innovate and improve our platform to protect our customers and their infrastructure from adversaries. We are confident in the effectiveness and security of our products and the processes implemented internally to prevent exploitation. At Automox, we believe that the community around us helps to create a better and safer world and we would like to thank Danny Jordan and the Rapid7 team for helping us secure our product for our end users.
Users of the Automox Agent should ensure they are running the latest, patched version of the software, version 31, available via the usual channels for updating provided by the vendor. All Automox agents prior to version 31 were affected by CVE-2021-26908 and CVE-2021-26909. Automox has removed all sensitive information from the agent logs, and has masked the S3 URLs and attached a time to live to them to prevent an attacker from guessing them.
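One way to replace a guessable `/<policy ID>/filename` URL with a masked, time-limited one, shown as an added example that is not Automox's implementation or code from the original advisory. The host name, signing key, and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed values for illustration only; none come from Automox.
SECRET = b"constructed-demo-key-rotate-me"
BASE = "https://files.example.invalid"


def _sig(path: str, expires: int) -> str:
    # Bind the signature to both the object path and its expiry time,
    # so neither can be changed without invalidating the URL.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(policy_id: str, filename: str, ttl: int,
             now: Optional[int] = None) -> str:
    """Return a URL that stops working `ttl` seconds after `now`."""
    now = int(time.time()) if now is None else now
    path = f"/{policy_id}/{filename}"
    expires = now + ttl
    return f"{BASE}{path}?expires={expires}&sig={_sig(path, expires)}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: reject unsigned, expired, or forged requests."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # knowing the policy ID and filename is not enough
    if now > expires:
        return False  # time to live has elapsed
    expected = _sig(parts.path, expires)
    # Constant-time comparison avoids leaking signature bytes via timing.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

With this design the six-digit policy ID no longer acts as the only secret: a request is honoured only if it carries a signature the server issued and the expiry has not passed.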
This disclosure was prepared in accordance with Rapid7's vulnerability disclosure policy.
- Wednesday, Feb. 3, 2021: Initial discovery by Danny Jordan of Rapid7
- Tuesday, Feb. 9, 2021: Reported to the vendor per their VDP
- Wednesday, Feb. 24, 2021: Followed up with the vendor with more details, discussed patching schedules
- Tuesday, April 6, 2021: Fixes (Agent version 31) released
- Tuesday, April 13, 2021: Public disclosure from Rapid7 and Automox