CVE-2024-0622
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in OpenText Operations Agent on non-Windows platforms. An authenticated local user could exploit this to gain elevated privileges, potentially root access. Affected versions are 12.15 and 12.20-12.25 when installed on Linux, Unix, or other non-Windows operating systems.
💻 Affected Systems
- OpenText Operations Agent
📦 What is this software?
Operations Agent by Microfocus
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement within the environment.
Likely Case
Malicious insider or compromised user account escalates to root to install backdoors, steal sensitive data, or disrupt operations.
If Mitigated
Limited impact due to strong access controls, least privilege principles, and network segmentation preventing lateral movement.
🎯 Exploit Status
Requires local authenticated access. Exploit complexity is likely low, judging from the CVSS score and the privilege-escalation nature of the flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://portal.microfocus.com/s/article/KM000026555?language=en_US
Restart Required: Yes
Instructions:
1. Review vendor advisory KM000026555.
2. Download and apply the appropriate patch from OpenText.
3. Restart the Operations Agent service.
4. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Restrict local access
Limit local user access to systems running vulnerable Operations Agent versions
Review and tighten local user permissions using sudoers, PAM, or other access control mechanisms
Implement least privilege
Ensure users only have the permissions they need and cannot execute arbitrary commands
Use tools like SELinux, AppArmor, or chroot to restrict process capabilities
🧯 If You Can't Patch
- Isolate affected systems in segmented network zones to limit lateral movement potential
- Implement strict monitoring and alerting for privilege escalation attempts and unusual root activity
🔍 How to Verify
Check if Vulnerable:
Check the Operations Agent version with opcagt -version or review the installation logs. If the version is 12.15 or between 12.20 and 12.25 on a non-Windows OS, the system is vulnerable.
Check Version:
opcagt -version
Verify Fix Applied:
After patching, verify that the reported version is above 12.25 or is a patched 12.15 build. Check the vendor advisory for the exact fixed version numbers.
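The version check above, as an added example that is not part of the vendor advisory: a POSIX sh helper that classifies a version string against the affected ranges (12.15 and 12.20 through 12.25) and, when opcagt is on PATH, runs the live check. It assumes that the output of opcagt -version contains the version as a "major.minor[.patch]" string; the exact output format is not documented on this page, so only the first major.minor pair is parsed.

```sh
#!/bin/sh
# Added example (not from the vendor advisory): classify an Operations Agent
# version string against the ranges listed for CVE-2024-0622.
# Assumption: `opcagt -version` prints a version such as "12.25.004" somewhere
# in its output; only the first "major.minor" pair is used.

# Extract the first "major.minor" pair from arbitrary text (e.g. opcagt output).
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n 1
}

# Print "vulnerable", "not-affected" or "unknown" for a given version string.
# Affected per the advisory: 12.15 and 12.20 through 12.25 on non-Windows.
classify_version() {
  ver=$(extract_version "$1")
  [ -n "$ver" ] || { echo unknown; return 0; }
  major=${ver%%.*}
  minor=${ver#*.}
  if [ "$major" -eq 12 ]; then
    if [ "$minor" -eq 15 ] || { [ "$minor" -ge 20 ] && [ "$minor" -le 25 ]; }; then
      echo vulnerable
      return 0
    fi
  fi
  echo not-affected
}

# Run the live check if opcagt is on PATH; otherwise report "unknown" so the
# caller does not mistake "agent not installed" for "not affected".
check_host() {
  if command -v opcagt >/dev/null 2>&1; then
    classify_version "$(opcagt -version 2>&1)"
  else
    echo unknown
  fi
}

# Stand-alone usage: print the classification for this host.
echo "CVE-2024-0622 version check: $(check_host)"
```

A result of "unknown" means the agent was not found or its version could not be parsed; treat it as a prompt to inspect the installation logs rather than as a clean result.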
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Operations Agent process running with unexpected privileges
- Authentication logs showing local user accessing elevated functions
Network Indicators:
- Unusual outbound connections from Operations Agent systems after local user activity
SIEM Query:
(source="*auth.log*" OR source="*secure*") AND (event_type="privilege_escalation" OR sudo OR su) AND (process="*opcagt*" OR host="*operations-agent*")