The following CVEs have been noted.
Please upgrade to the current release.
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query plugin which allows access to all orgs with the user's current ACL token.
Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler that may lead to remote code execution on the Velociraptor server.
Velociraptor normally is only allowed to write in the datastore. However, under some situations it is possible for a rogue client to write files outside the datastore.
Velociraptor normally requires high permissions to launch dangerous artifacts. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission allowing users with COLLECT_CLIENT permissions to collect it from endpoints and update the configuration (leading to take over).
Velociraptor normally allows agents to run arbitrary commands via the `execve()` plugin. This option can be blocked by configuring the `prevent_execve` configuration option.
The Velociraptor Windows MSI installer creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.
Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This issue affects Velociraptor: before 0.7.0-4. Patches are also available for version 0.6.9 (0.6.9-1)
Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files. This issue affects Velociraptor: before 0.6.8.
Improper Privilege Management vulnerability in Rapid7 Velociraptor in the copy() function. This issue affects Velociraptor: before 0.6.7-5.
Velociraptor did not properly sanitize the client id parameter to the CreateCollection API allowing a directory traversal in where the collection task could be written. This issue affects Velociraptor: before 0.6.7-5.
Please consider subscribing to our Security Advisories RSS feed to receive timely notifications.