Rapid7 Insight Agent
cpe:2.3:a:rapid7:insight_agent:*:*:*:*:*:*:*
- > 4.1.0.2
A local privilege escalation vulnerability has been identified in the Rapid7 Insight Agent, specifically in versions greater than 4.1.0.2. It allows users to gain SYSTEM-level control on a Windows host. On startup, the agent service tries to load an OpenSSL configuration file from a non-existent directory that standard users can write to. By placing a crafted openssl.cnf file in this location, an attacker can cause the high-privilege service to execute arbitrary commands. An unprivileged user can therefore bypass security measures and take full control of the host with the agent's SYSTEM-level access.
Exploitation of this vulnerability allows for local privilege escalation, enabling an unprivileged user to gain SYSTEM-level access on the affected Windows host, potentially leading to a full compromise of the system.
Users can update to Rapid7 Insight Agent version 4.1.0.2 or later, which addresses this vulnerability by removing the agent's attempt to load an OpenSSL configuration file from the exploitable directory. Instructions for updating the Rapid7 Insight Agent can be found in the Rapid7 documentation.
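A defender-side check for the condition described above, as an added example (not Rapid7's code and not part of the original entry): it finds the nearest existing ancestor of an OpenSSL configuration directory and reports the access entries that let standard users create the directory or write into it. The `$OpenSslDir` value is a placeholder, because the entry does not name the directory, and the function names are hypothetical.

```powershell
# Added example. $OpenSslDir is a PLACEHOLDER: the advisory does not name the
# directory the agent searched, so supply the path you are auditing.
param([string]$OpenSslDir = 'C:\PLACEHOLDER\openssl-dir')

# Well-known SIDs that cover standard (non-administrative) users.
$lowPrivSids = @(
    'S-1-1-0'        # Everyone
    'S-1-5-11'       # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-NearestExistingPath([string]$Path) {
    # Walk upward until a path that exists is found (the target may be absent).
    while ($Path -and -not (Test-Path -LiteralPath $Path)) {
        $Path = Split-Path -Path $Path -Parent
    }
    $Path
}

function Get-LowPrivWriteAce([string]$Path) {
    # Lists Allow entries only; Deny entries and other groups are not evaluated.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $inheritOnly = $rule.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($rule.AccessControlType -eq 'Allow' -and
            -not $inheritOnly -and
            $lowPrivSids -contains $rule.IdentityReference.Value -and
            ([int]$rule.FileSystemRights -band $writeBits)) {
            [pscustomobject]@{ Path = $Path; Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
        }
    }
}

$anchor = Get-NearestExistingPath $OpenSslDir
if (-not $anchor) { throw "No existing ancestor found for $OpenSslDir" }
if ($anchor -ne $OpenSslDir) { "Missing: $OpenSslDir (nearest existing ancestor: $anchor)" }
Get-LowPrivWriteAce $anchor

# An openssl.cnf that already exists at the audited path deserves review.
$cnf = Join-Path $OpenSslDir 'openssl.cnf'
if (Test-Path -LiteralPath $cnf) {
    "Found: $cnf (owner: $((Get-Acl -LiteralPath $cnf).Owner))"
}
```

An entry reported for the ancestor means a standard user can create the missing directory beneath it; an existing `openssl.cnf` owned by a non-administrative account should be treated as an incident lead.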