The following CVEs have been noted.
Please upgrade to the current release.
The Velociraptor Windows MSI installer creates the installation directory with the WRITE_DACL permission granted to the BUILTIN\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or replace the Velociraptor binary completely.
Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross-site scripting vulnerability. This vulnerability allows attackers to inject JavaScript into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This issue affects Velociraptor: before 0.7.0-4. Patches are also available for version 0.6.9 (0.6.9-1).
Insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows an attacker to crash Velociraptor during parsing of maliciously malformed files. This issue affects Velociraptor: before 0.6.8.
Improper Privilege Management vulnerability in Rapid7 Velociraptor in the copy() function. This issue affects Velociraptor: before 0.6.7-5.
Velociraptor did not properly sanitize the client id parameter to the CreateCollection API, allowing a directory traversal in the location where the collection task could be written. This issue affects Velociraptor: before 0.6.7-5.
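A defender-side check for the installation directory issue above, as an added example (not Velociraptor or Rapid7 code): it flags Allow ACEs that give BUILTIN\Users WRITE_DACL, WRITE_OWNER or GENERIC_ALL on a directory's DACL. The function name, the constructed SDDL samples and the `$InstallDir` placeholder are assumptions made for illustration.

```powershell
# Added example. Compares by SID so it also works on non-English Windows.
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

# WRITE_DAC (0x40000) lets the holder rewrite the DACL, WRITE_OWNER (0x80000)
# lets them take ownership first, GENERIC_ALL (0x10000000) implies both.
$RiskyMask = 0x00040000 -bor 0x00080000 -bor 0x10000000

function Get-RiskyUserAce {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemSecurity]$Acl
    )
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $UsersSid.Value -and
        (([int]$_.FileSystemRights) -band $RiskyMask) -ne 0
    }
}

# Constructed security descriptors (not taken from a real installation).
# 0x1200a9 is read and execute; 0x1600a9 is the same mask plus WRITE_DAC.
$samples = [ordered]@{
    'constructed: Users hold WRITE_DACL'   = 'O:BAG:SYD:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1600a9;;;BU)'
    'constructed: Users read/execute only' = 'O:BAG:SYD:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
}

foreach ($name in $samples.Keys) {
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetSecurityDescriptorSddlForm($samples[$name])
    $hits = @(Get-RiskyUserAce -Acl $acl)
    '{0}: {1} risky ACE(s) for BUILTIN\Users' -f $name, $hits.Count
}

# On a real host, point the same check at the directory the MSI created.
# $InstallDir is a placeholder to set yourself; the page does not give the path.
# Get-RiskyUserAce -Acl (Get-Acl -LiteralPath $InstallDir)
```

Any ACE returned for the real installation directory means a non-administrator can still rewrite its permissions, so the directory's DACL should be verified again after upgrading.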
Please consider subscribing to our Security Advisories RSS feed to receive timely notifications.