CVE-2020-7384

7.0 HIGH

📋 TL;DR

CVE-2020-7384 is a command injection vulnerability in msfvenom, the payload generator of Rapid7's Metasploit Framework. A malicious APK file supplied as a template can cause msfvenom to execute arbitrary commands on the system processing it. This affects users who run msfvenom with APK templates, notably penetration testers and security researchers; the flaw lies in how APK files are handled during payload generation.

💻 Affected Systems

Products:
  • Rapid7 Metasploit Framework
Versions: prior to 6.0.11
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects msfvenom when processing APK files with templates. Standard Metasploit console usage is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution leading to data theft, lateral movement, or complete system takeover.

🟠 Likely Case: Local privilege escalation or arbitrary command execution in the context of the msfvenom process user.

🟢 If Mitigated: Limited impact if msfvenom runs in isolated environments with minimal privileges and no network access.

🌐 Internet-Facing: LOW - msfvenom is typically used locally or in controlled environments, not exposed to the internet.
🏢 Internal Only: MEDIUM - Internal users with access to msfvenom could exploit this, but requires specific APK processing scenarios.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to craft a malicious APK file and have the victim process it through msfvenom. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Metasploit Framework 6.0.11 and later

Vendor Advisory: https://github.com/rapid7/metasploit-framework/pull/14288

Restart Required: No

Instructions:

1. Update Metasploit Framework to version 6.0.11 or later using msfupdate or your package manager.
2. Verify the update completed successfully (for example with msfvenom --version).
3. No service restart is required, as msfvenom runs on-demand.

🔧 Temporary Workarounds

Avoid APK template processing (all platforms)

Do not process untrusted APK files through msfvenom with template functionality.

Run msfvenom in an isolated container (linux)

Execute msfvenom in Docker or a similar container with limited privileges and no network access (--network none below). The stock kalilinux/kali-rolling base image does not ship Metasploit, so replace it with an image that has the metasploit-framework package installed:

docker run --rm --network none -v "$(pwd)":/data kalilinux/kali-rolling msfvenom [options]

🧯 If You Can't Patch

  • Disable or restrict access to msfvenom for untrusted users.
  • Implement strict file validation for APK inputs and monitor for suspicious command execution.

🔍 How to Verify

Check if Vulnerable:

Check Metasploit version with 'msfconsole -v' or 'msfvenom --version'. If version is below 6.0.11, the system is vulnerable when processing APK files.

Check Version:

msfvenom --version

Verify Fix Applied:

After updating, verify that the version is 6.0.11 or higher using 'msfvenom --version'. Test with a known-safe APK template to ensure functionality remains.
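As an added example (not part of this advisory or of Metasploit itself), the POSIX shell script below parses 'msfvenom --version' output and classifies the reported version against the 6.0.11 fix. The "Framework Version: X.Y.Z" line format is an assumption about msfvenom's output, and the sample line is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a Metasploit version string
# against the CVE-2020-7384 fix version (6.0.11) from "msfvenom --version" output.
FIXED_VERSION="6.0.11"
# strip_suffix VERSION: drop a "-dev" or "+..." suffix so only digits and dots remain
strip_suffix() {
    printf '%s' "$1" | sed 's/[-+].*//'
}

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing the
# first three fields numerically; missing fields count as 0
version_ge() {
    a=$(strip_suffix "$1"); b=$(strip_suffix "$2")
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s.' "$a" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s.' "$b" | cut -d. -f"$i"); fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0
}
# is_vulnerable VERSION: succeed when VERSION is below the fixed release
is_vulnerable() {
    if version_ge "$1" "$FIXED_VERSION"; then return 1; else return 0; fi
}

# extract_version TEXT: first X.Y.Z token in TEXT. The "Framework Version: ..."
# line format is an assumption about msfvenom's output, not taken from the advisory.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}
# classify TEXT: print VULNERABLE, PATCHED or UNKNOWN for captured --version output
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo UNKNOWN
    elif is_vulnerable "$v"; then echo VULNERABLE
    else echo PATCHED
    fi
}

# Constructed sample output first, then the real binary if it is installed here.
# Note: a "-dev" snapshot is a moving target; a 6.0.11-dev build may predate the fix commit.
SAMPLE="Framework Version: 6.0.10-dev"   # constructed, not real output
echo "sample: $(classify "$SAMPLE")"
if command -v msfvenom >/dev/null 2>&1; then
    echo "local msfvenom: $(classify "$(msfvenom --version 2>/dev/null)")"
fi
```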

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns from msfvenom process
  • APK file processing with suspicious parameters
  • Error logs related to APK template parsing

Network Indicators:

  • Outbound connections originating from msfvenom process (unexpected)

SIEM Query:

process_name='msfvenom' AND (command_line LIKE '%apk%' OR command_line CONTAINS suspicious_patterns)
