CVERadar

CVE-2024-10526

Severity: Medium
SVRS: 36/100
CVSSv3: NA/10
EPSS: 0.00025/1

CVE-2024-10526: a vulnerability in the Rapid7 Velociraptor MSI Installer allows local users to gain unauthorized control over the product. Versions prior to 0.73.3 incorrectly grant WRITE_DACL permission to the BUILTIN\Users group during installation. This flaw lets non-administrator users assign themselves Full Control over Velociraptor's files, potentially leading to arbitrary code execution as the SYSTEM user. Even though the SVRS is only 36, indicating a low risk, the ability to subvert the Velociraptor service is a critical security concern: by modifying or replacing Velociraptor binaries, attackers could compromise the entire system. Upgrade to version 0.73.3 or later to mitigate this vulnerability and prevent potential privilege escalation attacks. The presence of the "In The Wild" tag suggests that this vulnerability has been actively exploited, underscoring the importance of patching.

In The Wild
2024-11-07

2024-11-08

SOCRadar AI Insight

Description

CVE-2024-10526 affects Rapid7 Velociraptor MSI Installer versions below 0.73.3. It allows local users who are not administrators to gain Full Control permission over Velociraptor's files, potentially leading to arbitrary code execution as the SYSTEM user or complete binary replacement. The SVRS of 46 indicates a moderate risk, requiring attention and timely mitigation.

Key Insights

  • Privilege Escalation: The vulnerability enables non-administrative users to elevate their privileges to the SYSTEM level, granting them extensive control over the system.
  • Code Execution: By modifying Velociraptor's files, attackers can execute arbitrary code with elevated privileges, potentially compromising the entire system.
  • Binary Replacement: The vulnerability allows attackers to replace the Velociraptor binary, potentially disabling security measures or installing malicious software.

Mitigation Strategies

  • Update Velociraptor: Install the latest version (0.73.3 or later) of Rapid7 Velociraptor MSI Installer to address the vulnerability.
  • Restrict User Permissions: Implement access controls to prevent non-administrative users from modifying Velociraptor's files.
  • Monitor System Activity: Regularly monitor system logs and activity for any suspicious behavior or unauthorized changes to Velociraptor's files.
  • Use Antivirus Software: Employ robust antivirus software to detect and block malicious code that may exploit this vulnerability.
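The following PowerShell audit script is an added example, not part of this advisory or of the Velociraptor project. It checks whether the Velociraptor installation directory (or any file beneath it) still carries an Allow ACE for BUILTIN\Users (well-known SID S-1-5-32-545) that includes ChangePermissions (the FileSystemRights name for WRITE_DAC), TakeOwnership or generic Write rights, which is the misconfiguration the description attributes to installers before 0.73.3. The install path is an assumption supplied by the operator; the default below is only a placeholder. With -Remediate it removes the offending explicit ACEs, but upgrading to 0.73.3 or later remains the real fix.

```powershell
<#
  Added example (not from the advisory or the Velociraptor project):
  audit the Velociraptor install tree for ACEs that grant BUILTIN\Users
  WRITE_DAC / ownership / write rights, the condition described for CVE-2024-10526.
#>
param(
    # ASSUMPTION: placeholder path; set this to your actual deployment directory.
    [string]$InstallDir = 'C:\Program Files\Velociraptor',
    # Remove offending explicit ACEs instead of only reporting them.
    [switch]$Remediate
)

# Well-known SID for BUILTIN\Users; comparing SIDs avoids locale-dependent group names.
$usersSid = 'S-1-5-32-545'

# Rights that let a non-admin rewrite the DACL, take the object over, or replace its content.
$dangerous = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor  # WRITE_DAC
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::Write

if (-not (Test-Path -LiteralPath $InstallDir)) {
    Write-Error "Install directory not found: $InstallDir"
    return
}

# Audit the directory itself plus everything beneath it (hidden items included).
$targets = @(Get-Item -LiteralPath $InstallDir) +
           @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $toRemove = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the ACE principal to a SID so we can match BUILTIN\Users reliably.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($sid -ne $usersSid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$dangerous) -eq 0) { continue }

        [pscustomobject]@{
            Path        = $item.FullName
            Rights      = $ace.FileSystemRights
            IsInherited = $ace.IsInherited
            Action      = if ($Remediate -and -not $ace.IsInherited) { 'Removed' }
                          elseif ($Remediate) { 'Skipped (inherited; fix at the parent)' }
                          else { 'Reported' }
        }
        if ($Remediate -and -not $ace.IsInherited) { $toRemove += $ace }
    }
    if ($toRemove.Count -gt 0) {
        # Explicit ACEs can be dropped directly; inherited ones must be fixed on the parent.
        foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

if (-not $findings) {
    Write-Output "No BUILTIN\Users WRITE_DAC/ownership/write ACEs found under $InstallDir"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-Acl can read every object and Set-Acl can write back. Findings flagged as inherited usually mean the parent directory carries the bad ACE; remediating there (or re-running the 0.73.3+ installer, which sets the correct permissions) clears the whole subtree.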

Additional Information

  • Threat Actors/APT Groups: No specific threat actors or APT groups have been identified as actively exploiting this vulnerability.
  • Exploit Status: Active exploits have not been published.
  • CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning for this vulnerability.
  • In the Wild: The vulnerability is not known to be actively exploited in the wild.

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-10526 | Rapid7 Velociraptor up to 0.73.2 MSI Installer file access
vuldb.com, 2024-11-08
CVE-2024-10526 | Rapid7 Velociraptor up to 0.73.2 MSI Installer file access | A vulnerability, which was classified as critical, was found in Rapid7 Velociraptor up to 0.73.2. This affects an unknown part of the component MSI Installer. The manipulation leads to files or directories accessible. This vulnerability is uniquely identified as CVE-2024-10526. Attacking locally is a requirement. There is no exploit available.

Social Media

CVE-2024-10526 Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BU… https://t.co/EQk0Qad19J

Affected Software

No affected software found for this CVE

References

Reference source: [email protected]
Link: https://docs.velociraptor.app/announcements/2024-cves/

CWE Details

CWE-552 (Files or Directories Accessible to External Parties): The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-732 (Incorrect Permission Assignment for Critical Resource): The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
