Last updated at Wed, 01 Feb 2023 21:53:46 GMT
On November 14, 2022, Rapid7's product engineering team discovered that the mechanism in Nexpose and InsightVM used to validate the source of an update file was unreliable. This failure, which involved the internal cryptographic validation of received updates, was designated as CVE-2022-4261, and is an instance of CWE-494. Rapid7's estimate of the CVSSv3.1 base rating for this vulnerability for most environments is 4.4 (Medium). This issue has been resolved in the regular December 7, 2022 release.
Rapid7 Nexpose and InsightVM are vulnerability management systems, used by many enterprises around the world to assess and manage vulnerability exposures present in their networks. You can read more about Nexpose at our website.
This issue was discovered by Rapid7 Principal Software Engineer Emmett Kelly and validated by the Rapid7 Nexpose product team. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.
Exploitation of this issue is complex. In order to exploit CVE-2022-4261, an attacker would first need to be in a position to provide a malicious update to Nexpose or InsightVM, either from a privileged position on the network, from the local computer that runs Nexpose or InsightVM (with sufficient privileges to initiate an update), or by convincing a Nexpose administrator to apply a maliciously crafted update through social engineering. Once applied, the update could introduce new functionality to Nexpose that would benefit the attacker.
Because of the complexity involved, we believe that our customers are better suited to make appropriate judgements on the risk of delaying this update, perhaps in accordance with established change control procedures.
Given the requirement of a privileged position on the network or local machine, exploiting CVE-2022-4261, in most circumstances, is academic. Such an adversary is likely to already have many other (and often easier) choices when it comes to leveraging this position to cause trouble on the target network. In the case of a local machine compromise (which is the most likely attack scenario), the attacker could use this position to instead create a fairly permanent ingress avenue to the internal network and exercise the usual lateral movement options documented as ATT&CK technique T1557.
Most Nexpose and InsightVM administrators employ automated updates, and should apply updates either on their already established automated schedules or as soon as it's convenient to do so.
However, administrators that are especially concerned that they could be targeted during their next update, or who believe they have already been compromised by persistent attackers, should disable automatic updates and use the documented Managing Updates without an Internet Connection procedure to fix this issue, after manually validating the authenticity of the update package. Disabling automatic updates completely removes the risk of exploitation of CVE-2022-4261.
Fixing an update system with an update is always fairly complex, given the chicken-and-egg nature of the problem being addressed, as well as the risks involved in using an update system to fix an update system. So, it is out of an abundance of caution that we are publishing this advisory today to ensure that customers who rely on automatic updates are made plainly aware of this issue and can plan accordingly.
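The advisory describes the defect only as an unreliable check of an update's source, and recommends applying the fix after manually validating the update package's authenticity. The Go program below is an added illustration of what a fail-closed update check of that kind looks like; it is not Rapid7's code and says nothing about how Nexpose or InsightVM actually validate updates. The package layout, the `nexpose-update-v1` domain-separation string, the version number used as sample data and the use of Ed25519 are all assumptions made for the example. The one property it demonstrates is the CWE-494 mitigation: the installer trusts a publisher key pinned at build time and nothing the package says about itself, so a modified payload, a stale signature and a package re-signed under a different key are all rejected the same way.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for an update archive plus the
// metadata shipped beside it. The real Nexpose/InsightVM package format is
// not documented in the advisory; this layout is an assumption.
type UpdatePackage struct {
	Version string
	Payload []byte // archive bytes
	Digest  []byte // SHA-256 of Payload, as claimed by the package
	Sig     []byte // Ed25519 signature over signingInput(Version, Digest)
}

var ErrUntrustedUpdate = errors.New("update rejected: authenticity check failed")

// signingInput binds the version string to the payload digest so that a
// genuine signature for one release cannot be replayed onto another.
// The domain string is an assumption for this example.
func signingInput(version string, digest []byte) []byte {
	return append([]byte("nexpose-update-v1\x00"+version+"\x00"), digest...)
}

// VerifyUpdate is the fail-closed check. pinnedPub is the publisher key the
// installer was built with; the package carries no key of its own that is
// consulted. Every failure collapses to the same error so callers cannot
// partially trust a package.
func VerifyUpdate(pinnedPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pinnedPub) != ed25519.PublicKeySize || len(pkg.Sig) != ed25519.SignatureSize {
		return ErrUntrustedUpdate
	}
	actual := sha256.Sum256(pkg.Payload)
	if !bytes.Equal(actual[:], pkg.Digest) {
		return ErrUntrustedUpdate // payload does not match its claimed digest
	}
	if !ed25519.Verify(pinnedPub, signingInput(pkg.Version, pkg.Digest), pkg.Sig) {
		return ErrUntrustedUpdate // not signed by the pinned publisher key
	}
	return nil
}

// BuildSignedPackage models the publisher's release step. It is here only so
// the example runs stand-alone; an installer never holds the private key.
func BuildSignedPackage(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	d := sha256.Sum256(payload)
	return UpdatePackage{
		Version: version,
		Payload: payload,
		Digest:  d[:],
		Sig:     ed25519.Sign(priv, signingInput(version, d[:])),
	}
}

func main() {
	// In a real build the public key would be compiled in, not generated here.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	good := BuildSignedPackage(priv, "6.6.172", []byte("constructed update archive bytes"))
	fmt.Println("genuine package:            ", VerifyUpdate(pub, good))

	tampered := good
	tampered.Payload = []byte("constructed update archive bytes, modified")
	fmt.Println("modified payload:           ", VerifyUpdate(pub, tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := BuildSignedPackage(otherPriv, "6.6.172", tampered.Payload)
	fmt.Println("re-signed with unpinned key:", VerifyUpdate(pub, resigned))
}
```

The design choice worth noting is that the digest in the package is not a security control on its own: it only detects accidental corruption. Authenticity comes from the signature under the pinned key, and the version string is part of the signed input so that an old, genuinely signed package cannot be presented as a newer one.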
Update: On February 1st, Rapid7 released version 6.6.178 to address a secondary issue involving certificate validation with Nexpose and InsightVM, tracked as issue CVE-2022-3913.
- November 2022: Issues discovered by Emmett Kelly, and validated by the Nexpose product team.
- Wed, Nov 9, 2022: CVE-2022-3913 reserved by Rapid7.
- Thu, Dec 1, 2022: CVE-2022-4261 reserved by Rapid7.
- Wed, Dec 7, 2022: This disclosure and update 6.6.172 first released.
- Wed, Feb 1, 2023: Product update 6.6.178 released and this disclosure updated to address CVE-2022-3913 in 6.6.178.