CVE-2024-54131

The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide's service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory. This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process's search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM. Impacted versions include versions >= 1.5.3 and the fix has been released in 1.12.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/kolide/launcher/pull/1510
https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5

Configurations

No configuration.

History

No history.

Information

Published : 2024-12-03 21:15

Updated : 2024-12-03 21:15

NVD link : CVE-2024-54131

Mitre link : CVE-2024-54131

CVE.ORG link : CVE-2024-54131

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

CWE-456

Missing Initialization of a Variable

{"id": "CVE-2024-54131", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.3, "automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-12-03T21:15:08.127", "references": [{"url": "https://github.com/kolide/launcher/pull/1510", "source": "security-advisories@github.com"}, {"url": "https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5", "source": "security-advisories@github.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-276"}, {"lang": "en", "value": "CWE-456"}]}], "descriptions": [{"lang": "en", "value": "The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide's service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory. This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process's search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM. Impacted versions include versions >= 1.5.3 and the fix has been released in 1.12.3."}, {"lang": "es", "value": "El agente Kolide (tambi\u00e9n conocido como Launcher) es el agente liviano dise\u00f1ado para funcionar con el servicio de Kolide. Un error de implementaci\u00f3n en el agente Kolide (conocido como `launcher`) permite la escalada de privilegios locales al usuario SYSTEM en Windows 10 y 11. El error se introdujo en la versi\u00f3n 1.5.3 cuando el launcher comenz\u00f3 a almacenar binarios actualizados en el directorio ProgramData. Este movimiento al nuevo directorio signific\u00f3 que el directorio root del launcher hered\u00f3 permisos predeterminados que no son tan estrictos como la ubicaci\u00f3n anterior. Estos permisos predeterminados incorrectos junto con una variable de entorno SystemDrive omitida (cuando el launcher inicia osqueryd), permiten que un actor malintencionado con acceso al dispositivo local de Windows coloque con \u00e9xito una DLL arbitraria en la ruta de b\u00fasqueda del proceso osqueryd. En algunas circunstancias, esta DLL se ejecutar\u00e1 cuando osqueryd realice una consulta WMI. Esta combinaci\u00f3n de eventos podr\u00eda permitir al atacante escalar sus privilegios a SYSTEM. Las versiones afectadas incluyen versiones >= 1.5.3 y la soluci\u00f3n se lanz\u00f3 en 1.12.3."}], "lastModified": "2024-12-03T21:15:08.127", "sourceIdentifier": "security-advisories@github.com"}