Today we are announcing four fixed vulnerabilities in four Rapid7 products, summarized in the table below. These issues are low to medium severity, mostly because of the access or user interaction an attacker needs before exploitation is possible, but we want to make sure that our customers have all the information they need to make informed security decisions. This article includes detailed descriptions of the vulnerabilities, as well as how to ensure they are mitigated in your environment. Some of the updates are automatic, but some may require manual action, so we recommend you review the sections for the products you have deployed.

If you are a Rapid7 customer who has any questions about these issues, please don't hesitate to contact your customer success manager (CSM), our support team, or leave a comment below.

Rapid7 ID   | CVE           | Product                                        | Vulnerability                       | Status
------------|---------------|------------------------------------------------|-------------------------------------|-----------------------------
R7-2017-24  | CVE-2017-5252 | Insight Agent for Windows                      | DLL Injection                       | Patched in v1.4.68
R7-2017-22  | n/a           | Metasploit Pro, Express, Community, Ultimate   | Forced logout via CSRF              | Patched in v4.14.1-20170828
R7-2017-26  | n/a           | Logentries                                     | Server Side Template Injection      | Patched on Aug 10, 2017
R7-2017-15  | CVE-2017-5248 | AppSpider Pro                                  | Unauthenticated Reports Retrieval   | Patched in v6.14.077

CVE-2017-5252 || Insight Agent: DLL Injection

All versions of the Insight Agent on Windows prior to version 1.4.68, which was released today, were vulnerable to loading malicious libraries placed in the dependency search path. Rapid7 assigned CVE-2017-5252 to this vulnerability, which is classified as CWE-426 (Untrusted Search Path).

Exploitation and Impact

The Insight Agent searches for local dependencies in several locations. Before v1.4.68, these locations included the directories listed in the system PATH variable. Because PATH can include directories the Agent knows nothing about, an attacker with local administrative access could place a DLL with the name of an expected dependency in one of those directories, and the Agent would load that library in place of the legitimate one (classic DLL search-order hijacking).

This vulnerability has high potential impact, including causing the Agent to run arbitrary code, accessing local Agent data, and changing Agent configuration. However, exploitation requires local administrative access to a Windows machine running the Insight Agent, and a successful exploit affects only the Agent on that individual machine. It should also be noted that a malicious administrative user is already able to cause a wide variety of damage, such as exfiltrating data and running arbitrary code. Due to the local access and administrative privilege requirements, this is rated as a medium severity vulnerability (CVSS score 6.3).

Credit

This vulnerability was discovered by an external party and reported to Rapid7.

Am I affected?

All versions of Insight Agent on Windows systems up to version 1.4.67 are vulnerable.

InsightVM customers can verify that all Insight Agents deployed on Windows systems are patched through the scan coverage for CVE-2017-5252 added to InsightVM today.

Remediation

Insight Agent on Windows systems will automatically update to the latest available version, so the majority of deployments will not require any user action.

If your Agents on Windows are pinned to a particular past version, please reach out to Rapid7 support to discuss moving that pinned version to the current one.

Additional action required depending on Windows version

If you have Insight Agents deployed on Windows 7, Windows Server 2008, Windows Server 2008 R2, or Windows Vista, you need to ensure that KB2533623 has been applied. This is automatic for Windows versions more recent than those listed here. KB2533623 adds the ability to set default DLL search directories (the SetDefaultDllDirectories API and the associated LOAD_LIBRARY_SEARCH_* flags), and Insight Agent v1.4.68 relies on it to change the default search path, and thus to patch CVE-2017-5252 on the above systems. If you do not have KB2533623 installed when the v1.4.68 update is received, a warning will be shown and logged, but the Agent will continue running on that system. If you apply KB2533623 thereafter, the v1.4.68 fix becomes effective.

If you have Insight Agents deployed to Windows XP and Windows 2003 systems, please consider upgrading to a newer operating system. KB2533623 cannot be applied to these legacy systems, and thus the fix for CVE-2017-5252 in Insight Agent v1.4.68 will not be effective. If an OS upgrade is not feasible, we recommend you audit the access controls on such systems with an aim to minimize the number of users with administrative access.

The following newer Windows versions have KB2533623 built in already and users do not need to take further action: Windows 8, Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
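The version and operating-system rules above are easy to get wrong across a large fleet, so here is an added example (not Rapid7 code) that applies them to an asset export and tells you, per host, what is still needed. The inventory rows are constructed, and the column names `host`, `os`, `agent_version` and `kb2533623` are assumptions about whatever your asset system emits; adapt them to your own export.

```python
"""Triage Windows hosts for CVE-2017-5252 remediation status.

Added example, not Rapid7 code. The inventory rows below are constructed, and the
column names (host, os, agent_version, kb2533623) are assumptions about your own
asset export; adapt them to whatever your inventory system produces.
"""
import csv
import io

FIXED_AGENT = (1, 4, 68)          # first Insight Agent release carrying the fix

# Versions on which the fix only takes effect once KB2533623 is installed.
NEEDS_KB = {"Windows Vista", "Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}
# Versions on which KB2533623 cannot be applied, so the fix can never take effect.
UNFIXABLE = {"Windows XP", "Windows Server 2003"}
# Versions the advisory lists as having the KB2533623 behaviour built in.
BUILTIN = {"Windows 8", "Windows 10", "Windows Server 2012",
           "Windows Server 2012 R2", "Windows Server 2016"}


def parse_version(text):
    """'v1.4.68' or '1.4.68' -> (1, 4, 68); tuples compare component-wise."""
    return tuple(int(part) for part in text.lower().lstrip("v").split("."))


def triage(row):
    """Return one of: fixed, update-agent, install-kb2533623, upgrade-os, unknown-os."""
    if parse_version(row["agent_version"]) < FIXED_AGENT:
        return "update-agent"          # pinned or stale agent: the fix is not present at all
    os_name = row["os"]
    if os_name in UNFIXABLE:
        return "upgrade-os"            # v1.4.68 is installed but cannot change the search path
    if os_name in NEEDS_KB:
        return "fixed" if row["kb2533623"].strip().lower() == "yes" else "install-kb2533623"
    if os_name in BUILTIN:
        return "fixed"
    return "unknown-os"                # not in the advisory's lists; check by hand


def triage_csv(text):
    """Map host -> status for a CSV export with the assumed column names."""
    return {row["host"]: triage(row) for row in csv.DictReader(io.StringIO(text))}


# Constructed sample export; these are not real hosts.
SAMPLE_INVENTORY = """host,os,agent_version,kb2533623
ws01,Windows 10,1.4.68,yes
ws02,Windows 7,1.4.68,no
ws03,Windows 7,1.4.68,yes
srv01,Windows Server 2008 R2,1.4.67,no
srv02,Windows Server 2003,1.4.68,no
srv03,Windows Server 2016,1.4.70,yes
"""

if __name__ == "__main__":
    for host, status in triage_csv(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Note that `update-agent` is reported before any operating-system check: a host whose Agent is pinned below v1.4.68 needs the version pin lifted first, and only then does the KB2533623 question matter.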

Disclosure timeline

  • Aug 2017: Vulnerability discovered
  • Wed, Aug 30, 2017: Vulnerability reported to Rapid7
  • Wed, Aug 30, 2017: Vulnerability confirmed by Rapid7; CVE-2017-5252 assigned
  • Fri, Oct 06, 2017: Fix deployed in v.1.4.68 update

R7-2017-22 || Metasploit: Forced Logout via CSRF

Exploitation and Impact

Before the 4.14.1-20170828 update, the Metasploit web UI did not protect the logout action with CSRF token validation. Because the browser attaches the victim's session cookie to any request for the Metasploit host, an attacker could log out valid users simply by inducing them (through a link, or an image or frame embedded in an attacker-controlled page) to request https://Metasploit-Server-IP:3790/logout while logged in.

This attack could be used as a denial of service against Metasploit instances, preventing normal Metasploit usage by repeatedly ending the victim's session. However, the attacker would not be able to tell whether the attempt worked, as they have no direct access to the Metasploit instance. In addition, logging a user out does not affect tasks already running in the background, so the impact is limited to availability of the Metasploit web UI for the user tricked into hitting the logout URL. Due to the required user interaction, the exploitation difficulty, and the limited impact, this is a low severity vulnerability (CVSS score 3.1).
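To make the missing check concrete, here is an added example (not Metasploit code) of a logout handler in its pre-fix and fixed forms. The `Session` and `Request` classes are a minimal stand-in for a web framework, and the form field name `authenticity_token` is an assumption borrowed from Rails conventions, not something the advisory states about Metasploit's form.

```python
"""A logout endpoint without and with CSRF protection.

Added example, not Metasploit code. Session/Request are a minimal stand-in for
a web framework; the field name 'authenticity_token' is an assumption.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str]
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict                    # body parameters; empty for a plain GET


def logout_vulnerable(session, request):
    """Pre-fix behaviour: any request that carries the session cookie ends the session.

    A GET triggered from an attacker's page, for example
    <img src="https://Metasploit-Server-IP:3790/logout">, is enough, because the
    browser attaches the victim's cookie automatically.
    """
    session.user = None
    return 302


def logout_hardened(session, request):
    """Fixed behaviour: logout changes server state, so it requires a POST carrying
    the per-session token, compared in constant time."""
    if request.method != "POST":
        return 405
    supplied = request.form.get("authenticity_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403                # cross-site request: token absent or wrong
    session.user = None
    return 302


def simulate():
    """Run a cross-site GET and a legitimate POST against both handlers."""
    results = {}
    s = Session(user="msfadmin")
    logout_vulnerable(s, Request("GET", {}))
    results["vulnerable_cross_site_get"] = s.user            # None: victim logged out

    s = Session(user="msfadmin")
    status = logout_hardened(s, Request("GET", {}))
    results["hardened_cross_site_get"] = (status, s.user)    # (405, 'msfadmin')

    status = logout_hardened(s, Request("POST", {"authenticity_token": "guess"}))
    results["hardened_wrong_token"] = (status, s.user)       # (403, 'msfadmin')

    status = logout_hardened(s, Request("POST", {"authenticity_token": s.csrf_token}))
    results["hardened_valid_post"] = (status, s.user)        # (302, None)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:28} {outcome}")
```

The attacker's page never sees the token because it lives in the victim's session and in pages served only to the victim, so a cross-site request cannot supply it; rejecting GET outright also removes the `<img>`/link vector entirely.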

Credit

Rapid7 thanks Mishra Dhiraj for reporting this vulnerability to us, and for collaborating in the investigation process.

Am I affected?

Metasploit Pro, Express, Ultimate, and Community deployments running versions before 4.14.1-20170828 are vulnerable. Metasploit Framework is not affected.

Remediation

This issue was fixed in the 4.14.1-20170828 update for Metasploit commercial editions. Users should ensure their Metasploit Pro, Express, Ultimate, and Community instances are updated.

Disclosure timeline

  • Sun, Aug 13, 2017: Vulnerability reported to Rapid7
  • Mon, Aug 21, 2017: Vulnerability confirmed by Rapid7
  • Wed, Aug 30, 2017: Fix made available in 4.14.1-20170828

R7-2017-26 || Logentries: Server Side Template Injection

Exploitation and Impact

By injecting an AngularJS template expression into a log line, it was possible to have that expression evaluated by the rendered log view in Logentries. This is akin to a stored (persistent) cross-site scripting (XSS) issue, but using AngularJS template expressions rather than JavaScript; conventional HTML escaping does not help, since the `{{ ... }}` interpolation markers contain nothing that escaping touches. Prior to the update on July 26, malicious actors could create and insert specially crafted log entries that, when viewed, could subvert the Logentries administrator's browser session.

This is a medium severity vulnerability (CVSS score 4.3), owing largely to the fact that user interaction is required (the act of viewing a log), and that the attacker is then limited to compromising the confidentiality of the affected user’s current browser session.
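The following added example (not Logentries code) shows the two practical things a defender wants from the paragraph above: a detection pass that flags log lines carrying AngularJS interpolation markers, and a demonstration that HTML escaping alone leaves the expression intact. The log lines are constructed, and `{{7*7}}` is the usual probe expression rather than a working payload.

```python
"""Detecting AngularJS template expressions in log lines, and why HTML escaping
alone does not neutralise them.

Added example, not Logentries code. The log lines are constructed; {{7*7}} is
the classic template-injection probe, not a working exploit.
"""
import html
import re

# AngularJS default interpolation delimiters.
INTERPOLATION = re.compile(r"\{\{.*?\}\}", re.DOTALL)

SAMPLE_LOGS = [
    "2017-07-24T10:01:02Z sshd[4021]: Accepted publickey for deploy from 10.0.0.5",
    '2017-07-24T10:01:03Z nginx: GET /login ua="{{7*7}}" 200',
    "2017-07-24T10:01:04Z app: template {{ user.name }} rendered for {{ account }}",
    "2017-07-24T10:01:05Z app: literal braces { not an expression }",
]


def find_expressions(line):
    """Return every {{...}} span in a log line: the raw material for a detection rule."""
    return INTERPOLATION.findall(line)


def render_escaped(line):
    """What a conventional XSS defence produces. Angle brackets and quotes are
    escaped, but {{ }} is untouched, so a view that compiles this string as part
    of an AngularJS template still evaluates the expression."""
    return html.escape(line)


def render_safe(line):
    """Escape for HTML *and* tell AngularJS not to interpret the content.
    ng-non-bindable is the AngularJS directive that disables interpolation for
    an element's subtree. The more fundamental fix is to bind log text as data
    (ng-bind / textContent) instead of compiling it as template source."""
    return "<span ng-non-bindable>" + html.escape(line) + "</span>"


def flag_suspicious(lines):
    """Detection pass over a batch of log lines -> [(line number, expressions)]."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = find_expressions(line)
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in flag_suspicious(SAMPLE_LOGS):
        print(f"line {number}: {found}")
    print(render_escaped(SAMPLE_LOGS[1]))
    print(render_safe(SAMPLE_LOGS[1]))
```

Line 3 of the sample is a reminder that `{{ }}` appears legitimately in application logs (frameworks log their own template names), so the detection pass is a triage aid for what reached your log viewer, not a blocking rule; the rendering side has to be safe regardless.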

Credit

Rapid7 thanks Vini Macedo for reporting this vulnerability to us, and for collaborating in the investigation process.

Am I affected?

Users of Logentries prior to July 26, 2017 were potentially exposed to this issue.

Remediation

Since the fix is localized entirely in the Rapid7-hosted Logentries log view, all customers were effectively patched simultaneously on July 26, 2017.

Disclosure timeline

  • Mon, Jul 24, 2017: Reported to Rapid7 by Vini Macedo
  • Mon, Jul 24, 2017: Vulnerability confirmed by Rapid7
  • Tue, Jul 26, 2017: Fix deployed

CVE-2017-5248 || AppSpider Pro: Unauthenticated Reports Retrieval

Exploitation and Impact

Before v6.14.077, the results from an AppSpider Pro scan were accessible for a brief period at a guessable location. This was due to a combination of a race condition and a lack of sufficient controls on temporary files. For approximately 30 seconds, the generated report from a completed scan was available at a URL derived from the UTC timestamp (with one-minute fidelity) of the start of the report. Because the name space is only one candidate per minute, an attacker could rapidly brute force all likely locations within that window and download the report. As a result, the attacker could learn confidential information about a site's vulnerability profile.

This is a medium severity vulnerability (CVSS score 4.8): the attacker cannot trigger a scan themselves, so each exploit attempt depends on an authorized user kicking one off and on guessing the URL during the brief window that follows, while the ultimate impact of a successful exploit is a loss of confidentiality of a single affected report.
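The paragraph above is really about two design flaws at once, a predictable name and a temporary file without adequate controls, so here is an added example (not AppSpider code) that quantifies the first and shows the fix for both. The `report_YYYYMMDDHHMM.html` format is an assumption standing in for the pre-fix scheme, since the advisory gives only the minute-granular UTC timestamp property, not the actual path layout.

```python
"""Guessable versus unguessable temporary report names, and race-free creation.

Added example, not AppSpider code. The timestamp name format is an assumption
standing in for the pre-fix scheme (minute-granular UTC timestamp); the real
path layout is not given in the advisory.
"""
import datetime as dt
import math
import os
import secrets
import stat
import tempfile


def timestamp_name(started_at):
    """Assumed weak scheme: the name is the report's start time, to the minute."""
    return started_at.strftime("report_%Y%m%d%H%M.html")


def candidate_names(now, slack_minutes=1):
    """Names an attacker has to try if a report may be live around `now`.

    With one-minute fidelity, a 30-second exposure window straddles at most two
    minutes; allowing one minute of clock slack either side still gives only
    three names, so polling them every few seconds covers the whole window."""
    base = now.replace(second=0, microsecond=0)
    return [timestamp_name(base - dt.timedelta(minutes=m))
            for m in range(-slack_minutes, slack_minutes + 1)]


def guess_bits(names):
    """Effective entropy of a name space, in bits (a full day is still < 11 bits)."""
    return math.log2(len(names))


def random_name():
    """Fixed scheme: 32 bytes from the OS CSPRNG (256 bits), not enumerable."""
    return f"report_{secrets.token_urlsafe(32)}.html"


def create_report(directory, name):
    """Create the report owner-only and refuse to clobber: O_EXCL makes creation
    fail if the name already exists, closing the check-then-create race, and
    0o600 keeps other local users from reading it while it exists."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


# Constructed reference time for the worked numbers below.
SAMPLE_TIME = dt.datetime(2017, 8, 14, 12, 30, 45, tzinfo=dt.timezone.utc)
SAMPLE_CANDIDATES = candidate_names(SAMPLE_TIME)
DAY_OF_NAMES = [timestamp_name(SAMPLE_TIME.replace(hour=0, minute=0) + dt.timedelta(minutes=m))
                for m in range(24 * 60)]


def demo_mode():
    """Create one randomly named report in a fresh temp dir; return its permission bits."""
    directory = tempfile.mkdtemp()
    path = create_report(directory, random_name())
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print("names to try around", SAMPLE_TIME.isoformat(), "->", SAMPLE_CANDIDATES)
    print(f"timestamp scheme: {guess_bits(SAMPLE_CANDIDATES):.1f} bits in-window, "
          f"{guess_bits(DAY_OF_NAMES):.1f} bits per day")
    print("random scheme:   ", random_name(), "(256 bits)")
    print("created report with mode", oct(demo_mode()))
```

The entropy numbers are the point: three names in the exposure window, or 1440 for an attacker who simply polls all day, versus 2^256 for a name drawn from the CSPRNG. Note that the permission bits in `demo_mode()` assume a POSIX filesystem; on Windows the equivalent is an ACL restricted to the service account.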

Credit

Rapid7 thanks Tad Whiteknight for reporting this vulnerability to us, and for collaborating in the investigation process.

Am I affected?

AppSpider Pro installations running versions older than v6.14.077 are potentially vulnerable. However, AppSpider Pro is typically hosted on private, local networks and should not be exposed directly to the internet; an attacker must therefore already have access to the same network to execute this attack. Furthermore, an unauthenticated attacker has no mechanism to launch an AppSpider Pro scan, and must wait until an authorized user does so.

Remediation

Users of AppSpider Pro must update to v6.14.077 or later to resolve this issue.

Disclosure timeline

  • Wed, May 24, 2017: Vulnerability reported by Tad Whiteknight
  • Thu, Aug 03, 2017: CVE-2017-5248 reserved
  • Mon, Aug 14, 2017: Fix released in v6.14.077