CVE-2020-11081 - OpenCVE

osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Linuxfoundation	Osquery

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:osquery:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5	Patch Third Party Advisory
https://github.com/osquery/osquery/issues/6426	Exploit Issue Tracking Third Party Advisory
https://github.com/osquery/osquery/pull/6433	Patch Third Party Advisory
https://github.com/osquery/osquery/releases/tag/4.4.0	Release Notes Third Party Advisory
https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-10T18:45:16

Updated: 2020-09-17T16:52:34

Reserved: 2020-03-30T00:00:00

Link: CVE-2020-11081

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-10T19:15:11.553

Modified: 2023-01-20T20:32:50.900

Link: CVE-2020-11081

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "osquery", "vendor": "osquery", "versions": [{"status": "affected", "version": "< 4.4.0"}]}], "descriptions": [{"lang": "en", "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-114", "description": "CWE-114: Process Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-17T16:52:34", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osquery/osquery/issues/6426"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osquery/osquery/pull/6433"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"}], "source": {"advisory": "GHSA-2xwp-8fv7-c5pm", "discovery": "UNKNOWN"}, "title": "osquery susceptible to DLL search order hijacking of zlib1.dll", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11081", "STATE": "PUBLIC", "TITLE": "osquery susceptible to DLL search order hijacking of zlib1.dll"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "osquery", "version": {"version_data": [{"version_value": "< 4.4.0"}]}}]}, "vendor_name": "osquery"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-114: Process Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm", "refsource": "CONFIRM", "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"}, {"name": "https://github.com/osquery/osquery/issues/6426", "refsource": "MISC", "url": "https://github.com/osquery/osquery/issues/6426"}, {"name": "https://github.com/osquery/osquery/pull/6433", "refsource": "MISC", "url": "https://github.com/osquery/osquery/pull/6433"}, {"name": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5", "refsource": "MISC", "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"}, {"name": "https://github.com/osquery/osquery/releases/tag/4.4.0", "refsource": "MISC", "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"}]}, "source": {"advisory": "GHSA-2xwp-8fv7-c5pm", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11081", "datePublished": "2020-07-10T18:45:16", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2020-09-17T16:52:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:osquery:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C2CBEA8-4F6B-429A-BBBC-4E7BA6BF5414", "versionEndExcluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."}, {"lang": "es", "value": "osquery versiones anteriores a 4.4.0, habilita una vulnerabilidad de escalada de privilegios. Si un sistema Windows est\u00e1 configurado con una PATH que contiene un directorio escribible por parte del usuario, entonces un usuario local puede escribir una biblioteca DLL zlib1.dll, que osquery intentar\u00e1 cargar. Ya que osquery se ejecuta con privilegios elevados, esto permite una escalada local. Esto es corregido en la versi\u00f3n 4.4.0"}], "id": "CVE-2020-11081", "lastModified": "2023-01-20T20:32:50.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-10T19:15:11.553", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/osquery/osquery/issues/6426"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/osquery/osquery/pull/6433"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-114"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Secondary"}]}