CVE-2020-28169

7.0 HIGH

📋 TL;DR

CVE-2020-28169 is a privilege escalation vulnerability in the td-agent-builder plugin for Fluentd on Windows systems. An attacker who can write malicious files to the bin directory gets them executed with SYSTEM privileges when the service runs. This affects Fluentd installations using td-agent-builder plugin versions before 2020-12-18 on Windows.

💻 Affected Systems

Products:
  • Fluentd with td-agent-builder plugin
Versions: td-agent-builder plugin versions before 2020-12-18
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations, because the service runs in the NT AUTHORITY\SYSTEM context. Linux/macOS systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing complete control over the Windows system, data theft, lateral movement, and persistence establishment.

🟠 Likely Case

Privilege escalation from a lower-privileged user account to SYSTEM, enabling installation of malware, credential harvesting, and further network exploitation.

🟢 If Mitigated

Limited impact if proper access controls prevent unauthorized users from writing to the bin directory or if the service runs with minimal privileges.

🌐 Internet-Facing: MEDIUM - While exploitation requires local access, internet-facing systems could be compromised through other vulnerabilities leading to this privilege escalation.
🏢 Internal Only: HIGH - Internal attackers with any level of access can escalate to SYSTEM privileges, making this particularly dangerous in multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access to write files. Public exploit details are available in the Packet Storm Security reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: td-agent-builder plugin version from 2020-12-18

Vendor Advisory: https://github.com/fluent-plugins-nursery/td-agent-builder/pull/247

Restart Required: Yes

Instructions:

1. Update the td-agent-builder plugin to the version from 2020-12-18 or later.
2. Update Fluentd/td-agent to the latest version.
3. Restart the Fluentd service.

🔧 Temporary Workarounds

Restrict bin directory permissions (Windows)

Modify the Windows ACLs so that non-administrative users cannot write to the td-agent bin directory:

    icacls "C:\opt\td-agent\bin" /deny Users:(OI)(CI)W

Deny entries are evaluated before allow entries, and BUILTIN\Users includes Authenticated Users, so interactively logged-on administrators will also lose write access until the entry is removed; re-test package updates and service start after applying it.

Run service with lower privileges (Windows)

Configure the Fluentd service to run under a non-SYSTEM service account:

    sc config fluentdw binPath= "C:\opt\td-agent\bin\fluentd.exe" obj= "DOMAIN\ServiceAccount" password= "<password>"

Replace DOMAIN\ServiceAccount and <password> with a dedicated account that holds the "Log on as a service" right and has read and execute, but not write, access to the bin directory. Keep binPath= at the service's existing executable (shown by sc qc fluentdw) rather than changing it, and note that sc requires the space after each "=".

🧯 If You Can't Patch

  • Implement strict access controls on the bin directory to prevent unauthorized writes
  • Monitor file creation/modification in the td-agent bin directory and alert on suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check whether the td-agent-builder plugin version is older than 2020-12-18 and whether the bin directory permissions allow writes by standard users on Windows.

Check Version:

Run fluentd --version, or inspect the plugin manifest files.

Verify Fix Applied:

Confirm that the td-agent-builder plugin version is from 2020-12-18 or later and that the bin directory has restrictive permissions.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected processes running as SYSTEM from td-agent bin directory
  • File creation/modification events in td-agent bin directory by non-admin users

Network Indicators:

  • Unusual outbound connections from SYSTEM processes associated with Fluentd

SIEM Query:

Process Creation where ParentImage contains 'fluentd' and IntegrityLevel='System' and Image not in ('expected_fluentd_binaries')
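The pseudo-query above, together with the bin-directory file-write indicator, applied to constructed Sysmon-style events as an added example that is not part of this advisory; the install path, the allowlist of expected images and the trusted-writer principals are assumptions to tune per host.

```python
import ntpath

# Assumed install path (matches the icacls workaround above); adjust for your host.
TD_AGENT_BIN = r"C:\opt\td-agent\bin"
# Assumed allowlist of images legitimately launched under the service.
EXPECTED_FLUENTD_BINARIES = {"fluentd.exe", "ruby.exe", "fluent-gem.exe"}
# Assumed principals allowed to write into bin (service identity and administrators).
TRUSTED_WRITERS = {"nt authority\\system", "builtin\\administrators"}


def _under_bin(path):
    """True if path lies inside the td-agent bin directory (case-insensitive)."""
    return ntpath.normcase(path).startswith(ntpath.normcase(TD_AGENT_BIN) + "\\")


def check_event(ev):
    """Return an alert string for one Sysmon-style event dict, or None."""
    if ev.get("EventID") == 1:  # process creation
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        image = ntpath.basename(ev.get("Image", "")).lower()
        if ("fluentd" in parent and ev.get("IntegrityLevel") == "System"
                and image not in EXPECTED_FLUENTD_BINARIES):
            return f"unexpected SYSTEM child of fluentd: {ev['Image']}"
    elif ev.get("EventID") == 11:  # file create
        target = ev.get("TargetFilename", "")
        user = ev.get("User", "").lower()
        if _under_bin(target) and user not in TRUSTED_WRITERS:
            return f"non-admin write into td-agent bin by {ev['User']}: {target}"
    return None


def scan(events):
    """Run every event through check_event and collect the alerts in order."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample events (not real telemetry): one benign child process, one
# unexpected child, one non-admin write into bin, two benign file creates.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\opt\td-agent\bin\fluentd.exe",
     "Image": r"C:\opt\td-agent\bin\ruby.exe", "IntegrityLevel": "System"},
    {"EventID": 1, "ParentImage": r"C:\opt\td-agent\bin\fluentd.exe",
     "Image": r"C:\opt\td-agent\bin\updater.exe", "IntegrityLevel": "System"},
    {"EventID": 11, "User": r"CORP\alice",
     "TargetFilename": r"C:\opt\td-agent\bin\updater.exe"},
    {"EventID": 11, "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\opt\td-agent\bin\fluentd.log"},
    {"EventID": 11, "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```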
