CVE-2023-2226

Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files. For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/Velocidex/velociraptor	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*

History

03 May 2023, 14:51

Type	Values Removed	Values Added
CPE		cpe:2.3:a:rapid7:velociraptor::::::::
First Time		Rapid7 Rapid7 velociraptor
CWE		CWE-125
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~(MISC) https://github.com/Velocidex/velociraptor -~~	(MISC) https://github.com/Velocidex/velociraptor - Product

21 Apr 2023, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-04-21 12:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-2226

Mitre link : CVE-2023-2226

CVE.ORG link : CVE-2023-2226

JSON object : View

Products Affected

rapid7

velociraptor

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2023-2226", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve@rapid7.con", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2023-04-21T12:15:07.590", "references": [{"url": "https://github.com/Velocidex/velociraptor", "tags": ["Product"], "source": "cve@rapid7.con"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}, {"type": "Secondary", "source": "cve@rapid7.con", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u00a0\n\nFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\n\n"}], "lastModified": "2023-05-03T14:51:43.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D47AC76F-929D-4745-8D21-1E519BD53EF3", "versionEndExcluding": "0.6.8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@rapid7.con"}