Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation

Low
Advisory ID: ZSL-2020-5587
Release Date: 06 September 2020
Vendor:
Affected Version: <=6.6.39
Tested On: Microsoft Windows 10 Enterprise, x64-based PC; Microsoft Windows Server 2016 Standard, x64-based PC
Summary

Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation.

Description

Rapid7 Nexpose installer versions prior to 6.6.40 use a search path containing an unquoted element that includes whitespace or other separators. This can cause the product to access resources in a parent path, allowing local privilege escalation.
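
The following audit helper is an added example, not part of the original advisory or the vendor's code. It shows, for an unquoted command line, which parent-path locations Windows tries first (documented CreateProcess behaviour) and what the quoted form looks like. The sample paths and the names `analyse`, `audit` and `SAMPLE` are constructed for illustration; the advisory does not publish the affected path.

```python
import re

# Assumption: the intended executable path ends in one of these extensions.
EXE_END = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)

def analyse(command_line):
    """Return (candidates, fixed) for one command line.

    candidates: parent-path executables Windows tries before the intended
    one when the path is unquoted and contains spaces.
    fixed: the same command line with the executable path quoted.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return [], cmd                       # already quoted, unambiguous
    tokens = cmd.split(" ")
    candidates, prefix = [], ""
    for i, tok in enumerate(tokens):
        prefix = tok if i == 0 else prefix + " " + tok
        if EXE_END.search(prefix):           # reached the intended binary
            args = " ".join(tokens[i + 1:])
            fixed = f'"{prefix}"' + (f" {args}" if args else "")
            return candidates, fixed
        if tok:                              # skip runs of repeated spaces
            candidates.append(prefix + ".exe")
    # No recognised extension: treat the whole string as the path.
    return candidates[:-1], f'"{cmd}"'

def audit(entries):
    """Map entry name -> findings, for entries exposed to path ambiguity."""
    report = {}
    for name, cmd in entries.items():
        candidates, fixed = analyse(cmd)
        if candidates:
            report[name] = {"check_acl_on": candidates, "fixed": fixed}
    return report

# Constructed sample data (hypothetical product names and paths).
SAMPLE = {
    "ExampleScanner": r"C:\Program Files\Example Vendor\Scan Engine\engine.exe --service",
    "QuotedAgent": r'"C:\Program Files\Example Vendor\agent.exe" -run',
    "NoSpaces": r"C:\Tools\agent.exe -run",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, finding)
```

Each path under `check_acl_on` is a location whose directory must not be writable by unprivileged users; applying the `fixed` form removes the ambiguity altogether.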

Proof of Concept
Disclosure Timeline
07.08.2020: Vulnerability discovered.
07.08.2020: Vendor contacted.
10.08.2020: Vendor answered and started investigating the issue.
26.08.2020: Vendor communicated that they are actively working on solving the issue.
02.09.2020: Vendor releases version 6.6.40 to address this issue.
03.09.2020: Vendor communicated that the patch has been released and that CVE-2020-7382 was reserved.
06.09.2020: Coordinated public security advisory released.
Credits
Vulnerability discovered by Angelo D'Amato
References
Changelog
06.09.2020: Initial release
19.09.2020: Added references [4], [5], [6], [7] and [8]