Velocidex Velociraptor Authorization Bypass Vulnerability in GetUserRoles gRPC API Endpoint

Vulnerability

A vulnerability allowing authorization bypass has been identified in the GetUserRoles gRPC API endpoint of Velocidex Velociraptor, affecting versions prior to 0.76.5. This vulnerability allows any authenticated low-privilege user to access the complete Access Control List (ACL) policy, including roles and permissions, for any user across all organizations. The exploitation involves sending targeted Name and Org parameters in a network request.

Impact

Exploitation of this vulnerability allows low-privilege users to enumerate ACL policies, potentially leading to the compromise of high-privilege accounts by targeting their roles and permissions.
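The bug class described above, a request that is authenticated but whose Name and Org parameters are honoured without an authorization check, is easy to see in a small model. The following Go sketch is an added illustration for this advisory, not Velociraptor's code and not a description of the actual patch; the ACL store, the `administrator` role, the `root` org and the function names are all assumptions for the example. It places a handler that trusts the parameters beside one that decides, before the lookup, whether the caller may read the requested principal's roles, and returns one uniform denial so that a forbidden request leaks neither roles nor account existence.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed ACL store for the example: org -> user -> roles.
// Illustrative only; this is not Velociraptor's data model or code.
type aclStore map[string]map[string][]string

// caller is the identity the server derives from the authenticated session.
type caller struct {
	Name string
	Org  string
}

// Assumed names for the example: a root org whose administrators may read any org.
const (
	rootOrg   = "root"
	adminRole = "administrator"
)

var errForbidden = errors.New("permission denied")

// sampleACL builds constructed sample data: two tenant orgs and a root org.
func sampleACL() aclStore {
	return aclStore{
		rootOrg: {"root-admin": {adminRole}},
		"OrgA":  {"alice": {"reader"}, "bob": {adminRole}},
		"OrgB":  {"carol": {"investigator"}},
	}
}

// hasRole reports whether user in org holds role.
func (s aclStore) hasRole(org, user, role string) bool {
	for _, r := range s[org][user] {
		if r == role {
			return true
		}
	}
	return false
}

// lookup returns the stored roles for name in org.
func (s aclStore) lookup(name, org string) ([]string, error) {
	roles, ok := s[org][name]
	if !ok {
		return nil, fmt.Errorf("user %q not found in org %q", name, org)
	}
	return roles, nil
}

// getUserRolesVulnerable models the bug class: authentication tells us who the
// caller is, but the Name and Org request parameters are honoured without any
// authorization check, so any user can read any principal's roles in any org.
func getUserRolesVulnerable(s aclStore, _ caller, name, org string) ([]string, error) {
	return s.lookup(name, org)
}

// canReadRoles is the authorization decision the vulnerable path lacks:
// a caller may read their own record, an org administrator may read records
// in their own org, and a root-org administrator may read any org.
func canReadRoles(s aclStore, c caller, name, org string) bool {
	if c.Name == name && c.Org == org {
		return true
	}
	if !s.hasRole(c.Org, c.Name, adminRole) {
		return false
	}
	return c.Org == org || c.Org == rootOrg
}

// getUserRolesFixed authorizes before the lookup and denies with a uniform
// error, so a forbidden request leaks neither roles nor account existence.
func getUserRolesFixed(s aclStore, c caller, name, org string) ([]string, error) {
	if !canReadRoles(s, c, name, org) {
		return nil, errForbidden
	}
	return s.lookup(name, org)
}

func main() {
	acl := sampleACL()
	alice := caller{Name: "alice", Org: "OrgA"} // low-privilege user in OrgA
	roles, err := getUserRolesVulnerable(acl, alice, "carol", "OrgB")
	fmt.Println("vulnerable:", roles, err)
	roles, err = getUserRolesFixed(acl, alice, "carol", "OrgB")
	fmt.Println("fixed:     ", roles, err)
}
```

The ordering matters: the authorization decision runs on the caller's identity before any data is touched, and the denial path returns the same error whether or not the target exists, which is what stops a low-privilege account from enumerating who holds which roles across orgs.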

Remediation

Users are advised to upgrade to Velociraptor version 0.76.5 or later. For those using the 0.76 release series, version 0.76.5 is available on the Velocidex GitHub Releases page.

Added: May 6, 2026, 3:18 AM
Updated: May 6, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 4.5
remediation: 7.7
relevance: 7.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.