CVE-2024-54131 (GCVE-0-2024-54131)
Vulnerability from cvelistv5
Published: 2024-12-03 20:26
Modified: 2024-12-03 21:59
CWE
  • CWE-276 - Incorrect Default Permissions
  • CWE-456 - Missing Initialization of a Variable
Summary
The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide's service. An implementation bug in the Kolide Agent (known as `launcher`) allows local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3, when launcher started storing upgraded binaries in the ProgramData directory. Because of this move, the launcher root directory inherited default permissions that are not as strict as those of the previous location. These incorrect default permissions, in conjunction with an omitted SystemDrive environment variable (when launcher starts osqueryd), allow a malicious actor with access to the local Windows device to place an arbitrary DLL into the osqueryd process's search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM. Impacted versions are >= 1.5.3, and the fix was released in 1.12.3.
Impacted products
Vendor: kolide
Product: launcher
Version: >= 1.5.3, < 1.12.3


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:kolide:launcher:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "launcher",
            "vendor": "kolide",
            "versions": [
              {
                "lessThan": "1.12.3",
                "status": "affected",
                "version": "1.5.3",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-54131",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T21:59:00.438884Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T21:59:03.677Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "launcher",
          "vendor": "kolide",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.5.3, \u003c 1.12.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide\u0027s service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory. This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process\u0027s search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM. Impacted versions include versions \u003e= 1.5.3 and the fix has been released in 1.12.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276: Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-456",
              "description": "CWE-456: Missing Initialization of a Variable",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T20:26:00.413Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5"
        },
        {
          "name": "https://github.com/kolide/launcher/pull/1510",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kolide/launcher/pull/1510"
        }
      ],
      "source": {
        "advisory": "GHSA-66q9-2rvx-qfj5",
        "discovery": "UNKNOWN"
      },
      "title": "Kolide Agent Privilege Escalation (Windows, Versions \u003e= 1.5.3, \u003c 1.12.3)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-54131",
    "datePublished": "2024-12-03T20:26:00.413Z",
    "dateReserved": "2024-11-29T18:02:16.754Z",
    "dateUpdated": "2024-12-03T21:59:03.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

