The following CVEs were reported in 2024. Please upgrade to the current release, which is 0.73.3.
The Velociraptor Windows MSI installer creates the installation directory with the WRITE_DACL permission granted to the BUILTIN\Users group. This allows local users who are not administrators to grant themselves Full Control over Velociraptor's files. By modifying those files, a local user can subvert the binary and cause the Velociraptor service, which runs as SYSTEM, to execute arbitrary code, or replace the Velociraptor binary outright.
CWE-552: Files or Directories Accessible to External Parties
CWE-732: Incorrect Permission Assignment for Critical Resource
Product | Affected
---|---
Rapid7 Velociraptor » MSI Installer on Windows (source: https://github.com/Velocidex/velociraptor/blob/master/docs/wix/velociraptor_amd64.xml; default status: unaffected) | before 0.73.3 (unaffected from 0.73.3)
For new installs, use the updated MSI. If you do not wish to upgrade the endpoint client at this time, please arrange to run the icacls.exe command sequence described below at the earliest opportunity.
In the Velociraptor GUI, start a hunt over all your Windows assets, select the Windows.System.PowerShell artifact and paste the following into the Command parameter:
```powershell
icacls.exe "c:\Program Files\Velociraptor" /inheritance:d /t /c
icacls.exe "c:\Program Files\Velociraptor" /remove builtin\users /t /c
```
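The two icacls commands disable ACL inheritance on the install directory (copying the inherited entries as explicit ones) and then strip every BUILTIN\Users entry from the whole tree, but they give no confirmation that the weak ACE was actually present or that it is gone afterwards. The following script is an added example, not code from the advisory or from the Velociraptor project: it walks the install tree, reports any Allow ACE that grants BUILTIN\Users (matched by SID S-1-5-32-545, so it works on localized Windows) WRITE_DAC, WRITE_OWNER or write/delete rights, and with `-Fix` runs the advisory's icacls sequence and re-checks. The default install path and the function names are assumptions; it must run elevated, as the hunt does when the client service executes it.

```powershell
# Added example, not part of the Velociraptor advisory or project: audit the
# install directory tree for ACEs that let BUILTIN\Users (S-1-5-32-545) rewrite
# permissions or files, and optionally apply the advisory's icacls remediation.
# Assumes the default install path and an elevated session.
param(
    [string]$InstallDir = 'C:\Program Files\Velociraptor',
    [switch]$Fix
)

$UsersSid = 'S-1-5-32-545'   # BUILTIN\Users, independent of the localized group name

# Rights that let a member of Users change the ACL, take ownership, or alter the files.
$Dangerous = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, Write, Delete, Modify, FullControl'

function Get-UsersAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable or orphaned SID; cannot be BUILTIN\Users
        if ($sid -ne $UsersSid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$Dangerous) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-VelociraptorInstallAcl {
    param([string]$Path = $InstallDir)
    # The directory itself plus everything under it, including hidden files.
    $targets = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $targets) { Get-UsersAces -Path $item.FullName }
}

function Repair-VelociraptorInstallAcl {
    param([string]$Path = $InstallDir)
    # The same two commands the advisory runs through Windows.System.PowerShell;
    # the group is passed as *SID so the fix does not depend on the display name.
    & icacls.exe $Path /inheritance:d /t /c | Out-Null
    & icacls.exe $Path /remove "*$UsersSid" /t /c | Out-Null
}

$before = @(Test-VelociraptorInstallAcl)
if ($before.Count -eq 0) {
    Write-Output "OK: no BUILTIN\Users write or WRITE_DAC ACEs under $InstallDir"
} else {
    $before | Format-Table -AutoSize
    if ($Fix) {
        Repair-VelociraptorInstallAcl
        $after = @(Test-VelociraptorInstallAcl)
        if ($after.Count -eq 0) {
            Write-Output "Fixed: ACL repaired under $InstallDir"
        } else {
            Write-Warning 'Still exposed after repair:'
            $after | Format-Table -AutoSize
        }
    } else {
        Write-Warning 'Vulnerable ACL found; rerun with -Fix in an elevated session to apply the icacls remediation'
    }
}
```

Run it once without `-Fix` to see which paths still carry the weak entry (the `Inherited` column tells you whether it came from the directory or was set explicitly on a file), then with `-Fix` to apply and verify. Because the remediation removes every BUILTIN\Users entry rather than only the WRITE_DAC bit, standard users lose read access to the directory as well, which matches what the advisory's icacls sequence does.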
We thank Jean-Baptiste Mesnard-Sense from SYNACKTIV for identifying and reporting this issue.