Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation

Title: Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation
Advisory ID: ZSL-2020-5587
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 06.09.2020
Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation.
Rapid7 Nexpose installer version prior to 6.6.40 uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path, allowing local privilege escalation.
Rapid7 - https://www.rapid7.com
Affected Version
Tested On
Microsoft Windows 10 Enterprise, x64-based PC
Microsoft Windows Server 2016 Standard, x64-based PC
Vendor Status
[07.08.2020] Vulnerability discovered.
[07.08.2020] Vendor contacted.
[10.08.2020] Vendor answered and started investigating the issue.
[26.08.2020] Vendor communicated that they are actively working on solving the issue.
[02.09.2020] Vendor releases version 6.6.40 to address this issue.
[03.09.2020] Vendor communicated that the patch has been released and that the CVE-2020-7382 was reserved.
[06.09.2020] Coordinated public security advisory released.
Vulnerability discovered by Angelo D'Amato - <angelo@zeroscience.mk>
[1] https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7382
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-7382
[4] https://packetstormsecurity.com/files/159167
[5] https://www.exploit-db.com/exploits/48808
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/188245
[7] https://cxsecurity.com/issue/WLB-2020090039
[8] https://packetstormsecurity.com/files/159078
[06.09.2020] - Initial release
[19.09.2020] - Added reference [4], [5], [6], [7] and [8]
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk