CVE-2024-0394

7.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with low privileges to escalate to SYSTEM-level access and execute arbitrary code on affected Rapid7 Minerva Armor systems. The issue stems from OpenSSL's OPENSSLDIR parameter being set to a path accessible to low-privileged users. Organizations running Minerva Armor versions below 4.5.5 are affected.

💻 Affected Systems

Products:
  • Rapid7 Minerva Armor
Versions: All versions below 4.5.5
Operating Systems: Windows (primary deployment platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the system running Minerva Armor

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, data exfiltration, lateral movement, and disabling of security controls.

🟠 Likely Case

Privilege escalation leading to unauthorized administrative access, data theft, and potential ransomware deployment within the affected environment.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though local privilege escalation remains possible.

🌐 Internet-Facing: LOW (Minerva Armor is typically deployed internally for endpoint protection)
🏢 Internal Only: HIGH (Requires authenticated access but internal attackers or compromised accounts can exploit this)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of the vulnerable path configuration

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.5

Vendor Advisory: https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-armor-privilege-escalation-fixed/

Restart Required: Yes

Instructions:

  1. Download Minerva Armor version 4.5.5 from Rapid7 portal.
  2. Deploy the update through your management console.
  3. Restart affected systems to complete installation.

🔧 Temporary Workarounds

Restrict access to OPENSSLDIR path (Windows)

Modify permissions on the vulnerable OpenSSL directory to prevent low-privileged users from writing to it

icacls "C:\Path\To\OpenSSL\Directory" /deny Users:(OI)(CI)F
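
To see which low-privileged principals hold modify rights on the OpenSSL directory before or after changing its permissions, the ACL can be listed as below. This is an added example, not Rapid7 code and not part of the original page; the path is the same placeholder used in the command above, and the SID list and rights mask are this example's own choices.

```powershell
# Added example: first-pass ACL audit of the OpenSSL directory (OPENSSLDIR).
param(
    # Placeholder taken from the workaround above; pass the real directory.
    [string]$OpenSslDir = 'C:\Path\To\OpenSSL\Directory'
)

# Well-known SIDs of broad groups that include low-privileged users.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow creating, replacing or re-permissioning files, plus the
# raw GENERIC_WRITE / GENERIC_ALL bits that inherit-only ACEs can carry.
$riskMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$riskMask = $riskMask -bor 0x40000000 -bor 0x10000000

# If the directory is missing, audit the nearest existing parent: whoever can
# create the directory there decides what it contains.
$target = $OpenSslDir
while ($target -and -not (Test-Path -LiteralPath $target)) {
    $target = Split-Path -Path $target -Parent
}
if (-not $target) { throw "No existing parent found for '$OpenSslDir'" }

# Ask for SIDs instead of account names so the match is locale-independent.
$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($ace in (Get-Acl -LiteralPath $target).GetAccessRules($true, $true, $sidType)) {
    if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
    if (([int]$ace.FileSystemRights -band $riskMask) -eq 0) { continue }
    [pscustomobject]@{
        Type      = $ace.AccessControlType   # Allow or Deny
        Sid       = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Entries for low-privileged principals cover modify rights on '$target'"
} else {
    Write-Output "No low-privileged modify rights found on '$target'"
}
```

The listing shows ACL entries, not effective access: an Allow row is only neutralised if a Deny row for the same principal covers the same rights.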

🧯 If You Can't Patch

  • Implement strict least privilege access controls to limit authenticated user permissions
  • Monitor for suspicious privilege escalation attempts and file writes to OpenSSL directories

🔍 How to Verify

Check if Vulnerable:

Check Minerva Armor version in management console or run 'MinervaArmor.exe --version' on endpoints

Check Version:

MinervaArmor.exe --version

Verify Fix Applied:

Confirm version shows 4.5.5 or higher in management console

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events
  • File writes to OpenSSL configuration directories by non-admin users
  • Minerva Armor service restarts

Network Indicators:

  • Unusual outbound connections from Minerva Armor systems

SIEM Query:

EventID=4688 AND ProcessName LIKE '%Minerva%' AND (NewProcessName LIKE '%cmd%' OR NewProcessName LIKE '%powershell%')
