Rapid7 created an update to mitigate a privilege escalation vulnerability that exists in its Insight Agent Windows Client prior to version 18.104.22.168, a researcher said.
The vulnerability, which has a case number of CVE-2019-5629, can be used by a local user to gain full control over an affected system.
Rapid7’s InsightIDR is a security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.
“With Insight IDR Rapid7 has created a very powerful, yet still easy to use Incident Detection and Response toolkit,” said Florian Bogner of Bee IT Security Consulting e.U. “During one of my latest assignments I found its Windows agent installed on my client’s systems.
“While trying to disable it so that I can stay under the radar, I discovered a privilege escalation vulnerability in its Windows service. This vulnerability could be abused by any local user to gain full control over the affected system.”
The underlying vulnerability was that the ir_agent Windows Service, which is automatically started on system boot and runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll, the researcher said. This causes a local privilege escalation from authenticated user to SYSTEM.
The issue has been fixed with version 2.6.5, Bogner said.
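The DLL load described above can be hunted for in image-load telemetry. The following is an added example, not code from Rapid7 or the researcher: it flags SYSTEM-context processes that load a DLL from outside the default protected directories. It assumes Sysmon-style ImageLoad (Event ID 7) records already parsed into dictionaries; the agent install directory and all sample events are constructed.

```python
import ntpath

# Assumed baseline: directories standard users cannot write to by default.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
SYSTEM_USER = "nt authority\\system"


def normalize(path):
    """Collapse '..' segments, unify slashes and lower-case a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def is_trusted_location(dll_path):
    """True if the DLL sits under one of TRUSTED_ROOTS after normalization."""
    p = normalize(dll_path)
    return any(p.startswith(normalize(root) + "\\") for root in TRUSTED_ROOTS)


def suspicious_loads(events):
    """Return ImageLoad events where a SYSTEM process loaded an untrusted DLL path."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:  # only image-load events
            continue
        if ev.get("User", "").lower() != SYSTEM_USER:
            continue
        dll = ev.get("ImageLoaded")
        if dll and not is_trusted_location(dll):
            hits.append(ev)
    return hits


# Constructed sample events, not real telemetry; the agent directory is a placeholder.
AGENT = r"C:\Program Files\ExampleAgentDir\ir_agent.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": AGENT,
     "ImageLoaded": r"C:\DLLs\python3.dll"},
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": AGENT,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "User": "NT AUTHORITY\\SYSTEM", "Image": AGENT,
     "ImageLoaded": r"C:\Program Files\..\DLLs\python3.dll"},
    {"EventID": 7, "User": "CORP\\alice", "Image": r"C:\Windows\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": AGENT},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print(hit["Image"], "->", normalize(hit["ImageLoaded"]))
```

The third sample event shows why paths are normalized before comparison: a `..` segment would otherwise make the load look like it came from `C:\Program Files`.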