CVE-2020-7385

8.1 HIGH

📋 TL;DR

CVE-2020-7385 is a deserialization vulnerability in Metasploit Framework's drb_remote_codeexec module that allows remote code execution on the system of the Metasploit user who runs the module against a malicious endpoint. It affects Metasploit users who run the vulnerable module and can compromise their workstation, since Metasploit typically runs with elevated privileges. Exploitation requires social engineering: the user must be tricked into targeting a malicious server.

💻 Affected Systems

Products:
  • Metasploit Framework
Versions: Versions before the October 2020 updates (specifically before fixes in pull requests #14300 and #14335)
Operating Systems: All platforms running Metasploit Framework
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the drb_remote_codeexec module is actively running. Metasploit is not vulnerable at rest or when using other modules.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Metasploit workstation with attacker gaining the same elevated privileges as Metasploit, potentially leading to lateral movement in the network.

🟠

Likely Case

Limited compromise of the Metasploit workstation if the user runs the module against a malicious endpoint, though this requires specific social engineering.

🟢

If Mitigated

No impact if the vulnerable module is not used or if Metasploit is patched to the fixed version.

🌐 Internet-Facing: LOW - Exploitation requires the Metasploit user to actively run a specific module against an attacker-controlled endpoint, not passive exposure.
🏢 Internal Only: MEDIUM - Internal users running Metasploit with the vulnerable module could be targeted through internal social engineering or misconfiguration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is built into Metasploit itself (drb_remote_codeexec module), making weaponization trivial for attackers who can set up malicious endpoints. However, exploitation requires user interaction to run the module.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Metasploit Framework versions including the October 2020 updates (specifically after pull requests #14300 and #14335)

Vendor Advisory: https://help.rapid7.com/metasploit/release-notes/archive/2020/10/

Restart Required: No

Instructions:

1. Update Metasploit Framework to the latest version using 'msfupdate' or your package manager.
2. Verify the update includes the fixes from pull requests #14300 and #14335.
3. No restart is needed, but ensure Metasploit is not actively running the vulnerable module during the update.

🔧 Temporary Workarounds

Disable or remove the drb_remote_codeexec module (platform: linux)

Prevent use of the vulnerable module by disabling or removing it from Metasploit.

mv /usr/share/metasploit-framework/modules/exploits/linux/misc/drb_remote_codeexec.rb /usr/share/metasploit-framework/modules/exploits/linux/misc/drb_remote_codeexec.rb.disabled

Run Metasploit with reduced privileges (platform: all)

Limit the potential damage by running Metasploit without elevated privileges where possible.

sudo -u lowprivilegeuser msfconsole

🧯 If You Can't Patch

  • Avoid using the drb_remote_codeexec module entirely. Do not run it against untrusted or unknown endpoints.
  • Implement strict network controls to prevent Metasploit workstations from communicating with unauthorized external servers.

🔍 How to Verify

Check if Vulnerable:

Check whether the drb_remote_codeexec module exists and whether the Metasploit version predates the October 2020 updates. Run 'msfconsole' and then 'use exploit/linux/misc/drb_remote_codeexec'; if the module loads on a pre-October 2020 version, you may be vulnerable.

Check Version:

msfconsole -v

Verify Fix Applied:

Update Metasploit and verify that the module is patched or removed. Check the version with 'msfconsole -v' and confirm it is post-October 2020. Attempt to use the module and verify that the fix is in place.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing execution of drb_remote_codeexec module in Metasploit logs
  • Unexpected processes spawned with Metasploit privileges

Network Indicators:

  • Outbound connections from Metasploit workstation to unknown external IPs on port 8787 (default DRb port) or other ports

SIEM Query:

(source="metasploit.log" AND "drb_remote_codeexec") OR (process_name="ruby" AND parent_process="msfconsole" AND cmdline="*DRb*")
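As an added example (not part of the original page or of Metasploit itself), the following Python encodes the three indicators above as detection functions with explicit boolean precedence and runs them over constructed sample events; the log line format, the field names and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress

# Constructed sample events, not real logs: a Metasploit framework log,
# process records and connection records as a SIEM might normalise them.
FRAMEWORK_LOG = [
    "[10/20/2020 14:02:11] [i(0)] core: Running module exploit/linux/misc/drb_remote_codeexec",
    "[10/20/2020 14:05:03] [i(0)] core: Running module auxiliary/scanner/portscan/tcp",
]
PROCESS_EVENTS = [
    {"process_name": "ruby", "parent_process": "msfconsole", "cmdline": "ruby -rdrb -e 'DRb.start_service'"},
    {"process_name": "ruby", "parent_process": "msfconsole", "cmdline": "ruby /opt/tools/helper.rb"},
    {"process_name": "ruby", "parent_process": "bash", "cmdline": "ruby -rdrb -e 'DRb.start_service'"},
]
NETWORK_EVENTS = [
    {"dst": "203.0.113.9", "dport": 8787, "direction": "outbound"},
    {"dst": "10.0.0.7", "dport": 8787, "direction": "outbound"},
    {"dst": "203.0.113.9", "dport": 443, "direction": "outbound"},
]
DRB_DEFAULT_PORT = 8787  # default RPORT of the drb_remote_codeexec module
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def module_executions(log_lines):
    """Framework log entries recording the vulnerable module being run."""
    return [line for line in log_lines if "drb_remote_codeexec" in line]


def drb_children(events):
    """ruby processes spawned by msfconsole whose command line mentions DRb
    (the second clause of the SIEM query, with explicit precedence)."""
    return [e for e in events
            if e["process_name"] == "ruby"
            and e["parent_process"] == "msfconsole"
            and "drb" in e["cmdline"].lower()]


def external_drb_egress(events):
    """Outbound connections to the DRb default port outside internal ranges."""
    def is_internal(addr):
        return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)
    return [e for e in events
            if e["direction"] == "outbound"
            and e["dport"] == DRB_DEFAULT_PORT
            and not is_internal(e["dst"])]


def alerts():
    """Combine the three indicators into one list of alert strings."""
    out = [f"module run: {line}" for line in module_executions(FRAMEWORK_LOG)]
    out += [f"drb child: {e['cmdline']}" for e in drb_children(PROCESS_EVENTS)]
    out += [f"drb egress: {e['dst']}:{e['dport']}" for e in external_drb_egress(NETWORK_EVENTS)]
    return out
```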
