CVE-2022-0237 An attacker can hijack the execution of the ir_agent.exe component via an unquoted argument, resulting in a privilege escalation.

This same issue can be leveraged to remotely execute a command on the machine with SYSTEM privileges by calling the runas.exe command with the -s switch. An attacker can do so by sending a maliciously crafted request to the ir_agent.exe process on a vulnerable version of Insight Agent. An attacker could leverage this vulnerability to install a malicious plugin to a vulnerable version of Insight Agent, giving them elevated rights and persistent access to the system. This vulnerability is rated critical due to the ability for an attacker to execute arbitrary commands on the system with SYSTEM privileges. This can be used to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker elevated rights on the system. An attacker could also leverage this vulnerability to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker persistent access to the system. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80.

Product description

Rapid7 Insight Agent is a vulnerability management platform that aids in the detection, prevention and response to attacks against your IT infrastructure.
An attacker can use this vulnerability to remotely execute a command on the machine with SYSTEM privileges. This can be used to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker elevated rights on the system. An attacker could also leverage this vulnerability to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker persistent access to the system.

CVE-2016-10763

In this issue, the vulnerability is in the server.exe process which can be remotely exploited to run arbitrary code on a vulnerable version of Rapid7 Insight Server.
This issue can be leveraged to remotely execute a command on the machine with SYSTEM privileges by calling the runas.exe command with the -s switch. An attacker can do so by sending a maliciously crafted request to the ir_agent.exe process on a vulnerable version of Insight Agent. An attacker could leverage this vulnerability to install a malicious plugin to a vulnerable version of Insight Agent, giving them elevated rights and persistent access to the system. This vulnerability is rated critical due to the ability for an attacker to execute arbitrary commands on the system with SYSTEM privileges. This can be used to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker elevated rights on the system. An attacker could also leverage this vulnerability to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker persistent access to the system.

Microsoft Windows

Process CVE-2022-0237
This same issue can be leveraged to remotely execute a command on the machine with SYSTEM privileges by calling the runas.exe command with the -s switch. An attacker can do so by sending a maliciously crafted request to the ir_agent.exe process on a vulnerable version of Insight Agent. An attacker could leverage this vulnerability to install a malicious plugin to a vulnerable version of Insight Agent, giving them elevated rights and persistent access to the system. This vulnerability is rated critical due to the ability for an attacker to execute arbitrary commands on the system with SYSTEM privileges. This can be used to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker elevated rights on the system. An attacker could also leverage this vulnerability to install a malicious plugin on a vulnerable Insight Agent instance, giving the attacker persistent access to the system. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80

Products and Applications Affected by Rapid7 Insight Agent Vulnerability

The following products are vulnerable to this vulnerability:
- Rapid7 Insight Agent versions 3.1.3.80 and earlier
- Any other software running on Windows that utilizes the Insight Agent process, including:
- Microsoft Office 365
- Microsoft Dynamics CRM
- Microsoft Exchange Server
- Microsoft Lync Server
- Skype for Business server
- RSA SecurID token distribution point
- Symantec Endpoint Protection Suite for Windows XP, Windows Vista, and Windows 2003

How to verify the vulnerability?

The vulnerability can be verified by sending a maliciously crafted request to the ir_agent.exe process on a vulnerable version of Insight Agent. An attacker could leverage this vulnerability to install a malicious plugin to a vulnerable version of Insight Agent, giving them elevated rights and persistent access to the system.

Timeline

Published on: 03/17/2022 23:15:00 UTC
Last modified on: 03/24/2022 19:21:00 UTC

References