Velocidex Velociraptor Off-by-One Error in EVTX Parser Leading to Process Crash

Vulnerability

A denial-of-service vulnerability has been identified in Velocidex Velociraptor versions prior to 0.76.5 on Windows and Linux. The issue arises from an off-by-one error in the 'ConsumeUnit16Array' and 'ConsumeUnit64Array' functions, which allows a local attacker to crash the client process by supplying a specially crafted .evtx file to the 'parse_evtx' VQL plugin. Only deployments that run artifacts which parse EVTX files are affected: such an artifact triggers the client crash, and the crash is then reported to the server.

Impact

Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition on the client.

Remediation

Users should upgrade to Velociraptor version 0.76.5 or later; for the 0.76 series, upgrade to v0.76.5. Alternatively, stop parsing EVTX files on the endpoint: collect the raw files with a bulk collection artifact such as 'Windows.Triage.Targets' or 'Windows.Search.FileFinder' and parse them offline.

Added: May 6, 2026, 3:17 AM
Updated: May 6, 2026, 3:17 AM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          0.6
exploitability  2.9
remediation     0.0
relevance       7.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.