CVE-2024-13861
📋 TL;DR
A local privilege escalation vulnerability in Taegis Endpoint Agent on Debian-based Linux systems allows local users to execute arbitrary code with root privileges. Only Debian package installations of Taegis Endpoint Agent versions before 1.3.10 are affected. RPM-based systems (Red Hat, CentOS, etc.) are not vulnerable.
💻 Affected Systems
- Taegis Endpoint Agent
📦 What is this software?
Taegis Endpoint Agent is the endpoint sensor for the Taegis XDR platform (built by Secureworks, now part of Sophos). Like other EDR agents it runs as a root-privileged system service, so a local flaw in the agent is a direct route to root on the host.
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root access to the system, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Malicious insider or compromised user account escalates to root privileges to install malware, steal credentials, or disable security controls.
If Mitigated
Strict local access controls and host segmentation reduce who can reach a vulnerable host and where root on it leads, but they do not contain the escalation itself: once root is obtained, the host should be treated as fully compromised.
🎯 Exploit Status
Exploitation requires local code execution on the host (a shell or an account on the system); it cannot be triggered remotely on its own. No public exploit code had been released as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.10 or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250411-taegis-agent-lpe
Restart Required: Yes
Instructions:
1. Update Taegis Endpoint Agent to version 1.3.10 or later using your package manager.
2. On Debian/Ubuntu: sudo apt update && sudo apt upgrade taegis-endpoint-agent (package and service names as used on this page; confirm them against the vendor advisory for your build).
3. Restart the Taegis agent service: sudo systemctl restart taegis-endpoint-agent.
🔧 Temporary Workarounds
No workaround exists for Debian-based hosts
The flaw is specific to the Debian package, and the RPM build cannot be substituted on a Debian or Ubuntu host, so the only remedy there is the 1.3.10 upgrade. Red Hat-based hosts (RHEL, CentOS and similar) are not affected as long as they run the RPM build, which is installed with:
sudo yum install taegis-endpoint-agent
sudo dnf install taegis-endpoint-agent
🧯 If You Can't Patch
- Restrict local and interactive access (SSH, console, sudo grants) to hosts running vulnerable versions, and alert on new local logins to them.
- Application allowlisting raises the cost of post-escalation tooling, but an attacker who already has root can usually disable it; treat it as detection-in-depth rather than a preventive control.
🔍 How to Verify
Check if Vulnerable:
On a Debian-based host, read the installed Taegis agent version: dpkg -l | grep taegis-endpoint-agent. If the OS is Debian-based and the version is below 1.3.10, the host is vulnerable. Compare versions numerically, field by field: a plain string comparison ranks 1.3.9 above 1.3.10 and will miss vulnerable hosts.
Check Version:
dpkg -l | grep taegis-endpoint-agent
Verify Fix Applied:
Confirm the version is 1.3.10 or higher: dpkg -l | grep taegis-endpoint-agent. Then confirm the agent service came back up after the restart: systemctl status taegis-endpoint-agent (service name as used on this page).
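The check above, as an added example (not code from the Sophos advisory or the Taegis agent): it decides whether a host is in the affected set for CVE-2024-13861, i.e. a Debian-package install of the agent older than 1.3.10, and gets the version comparison right where a string compare would not. Assumptions, not taken from the advisory: the package name taegis-endpoint-agent (as used on this page), the OS family read from /etc/os-release, and the constructed os-release samples. Version ordering is a simplified form of Debian's (epoch, then numeric upstream fields; revision ignored); on a real host, `dpkg --compare-versions` is the authoritative comparator.

```python
"""Affected-set check for CVE-2024-13861 (added example, not vendor code)."""
import re
import subprocess
from typing import Optional

FIXED_VERSION = "1.3.10"
PACKAGE = "taegis-endpoint-agent"   # assumption: package name as used on this page
DEBIAN_FAMILY = {"debian", "ubuntu"}


def parse_debian_version(v: str):
    """Split 'epoch:upstream-revision' into (epoch, numeric upstream tuple, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")   # last hyphen starts the Debian revision
    else:
        upstream, revision = v, ""
    nums = tuple(int(x) for x in re.findall(r"\d+", upstream))
    return epoch, nums, revision


def version_lt(a: str, b: str) -> bool:
    """True if a sorts before b. Tuple comparison is numeric per field, so
    1.3.9 < 1.3.10 holds (a string compare would get this wrong)."""
    ea, na, _ = parse_debian_version(a)
    eb, nb, _ = parse_debian_version(b)
    return (ea, na) < (eb, nb)


def is_debian_family(os_release: str) -> bool:
    """True when ID or ID_LIKE in os-release text names debian or ubuntu."""
    ids = set()
    for line in os_release.splitlines():
        key, _, val = line.partition("=")
        if key.strip() in ("ID", "ID_LIKE"):
            ids.update(val.strip().strip('"').lower().split())
    return bool(ids & DEBIAN_FAMILY)


def assess(os_release: str, installed_version: Optional[str]) -> str:
    """Return 'not-affected', 'not-installed', 'vulnerable' or 'fixed'."""
    if not is_debian_family(os_release):
        return "not-affected"      # RPM-based installs are outside the affected set
    if not installed_version:
        return "not-installed"
    return "vulnerable" if version_lt(installed_version, FIXED_VERSION) else "fixed"


def installed_version_live() -> Optional[str]:
    """Ask dpkg for the installed version; None if absent or dpkg is not present."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", PACKAGE],
                             capture_output=True, text=True, check=True).stdout.strip()
        return out or None
    except (OSError, subprocess.CalledProcessError):
        return None


# Constructed sample os-release contents (not captured from real hosts)
SAMPLE_UBUNTU = 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\n'
SAMPLE_RHEL = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nID_LIKE="fedora"\n'

if __name__ == "__main__":
    print(assess(SAMPLE_UBUNTU, "1.3.9-1"))   # vulnerable
    print(assess(SAMPLE_UBUNTU, "1.3.10"))    # fixed
    print(assess(SAMPLE_RHEL, "1.3.9"))       # not-affected
    try:
        live_os = open("/etc/os-release").read()
    except OSError:
        live_os = ""
    print("this host:", assess(live_os, installed_version_live()))
```

Run it on a fleet by feeding each host's /etc/os-release and dpkg-query output into assess(); hosts reporting "vulnerable" are the patch queue, and "not-affected" hosts are the RPM installs the advisory excludes.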
📡 Detection & Monitoring
Log Indicators:
- Processes gaining root (effective uid 0) inside a non-root login session without passing through sudo, su or another expected setuid helper
- Process execution from Taegis agent directories by an ordinary user session rather than by the agent's own service
- Root-level changes (writes under /etc, new systemd units or cron entries, new accounts) attributed to a non-admin account
Network Indicators:
- New outbound connections from a host shortly after a local privilege escalation event on it
- Command-and-control traffic from hosts with no prior history of such traffic
SIEM Query (illustrative; adapt field names to your schema, and keep the source filter applied to both clauses):
source="systemd-journal" AND ((process_name="taegis-endpoint-agent" AND event_type="privilege_escalation") OR (user!="root" AND process_user="root" AND parent_process="taegis-endpoint-agent"))
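The second clause of that query, "non-root user, root-owned process", applied offline to Linux audit records, as an added example (not from the page's SIEM or from the vendor). It flags execve SYSCALL records where the login user (auid) is an ordinary account but the effective uid is 0, excluding the expected setuid helpers and their direct children so that a normal sudo session is not reported, and records where a user session executes something from an agent directory. Assumed, not from the advisory: the agent path prefix /opt/taegis/ (a placeholder) and the constructed audit lines below.

```python
"""Audit-log check for the page's privilege-escalation indicators (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

AGENT_PATH_PREFIXES = ("/opt/taegis/",)   # assumption: placeholder install path, not from the advisory
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/newgrp"}
UNSET_AUID = "4294967295"                 # auditd's "no login session" (daemons, systemd units)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: str
    auid: str
    exe: str
    reason: str


def parse_audit(line: str) -> dict:
    """One auditd record -> dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Two checks over execve SYSCALL records:
    1. euid=0 in a non-root login session, where neither the exe nor the
       parent process is an expected setuid helper (sudo, su, ...);
    2. a login session executing from an agent directory (the agent's own
       service runs with auid unset and is not reported)."""
    findings: List[Finding] = []
    setuid_pids = set()   # pids of sudo/su/... seen so far; their direct children are legitimate
    for line in lines:
        rec = parse_audit(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in ("59", "execve"):
            continue      # 59 = execve on x86_64; other architectures use other numbers
        pid, ppid = rec.get("pid", ""), rec.get("ppid", "")
        auid, euid, exe = rec.get("auid", ""), rec.get("euid", ""), rec.get("exe", "")
        if exe in EXPECTED_SETUID:
            setuid_pids.add(pid)
            continue
        login_user = auid not in ("0", UNSET_AUID)
        if login_user and euid == "0" and ppid not in setuid_pids:
            findings.append(Finding(pid, auid, exe, "euid=0 in non-root login session without sudo/su parent"))
        elif login_user and exe.startswith(AGENT_PATH_PREFIXES):
            findings.append(Finding(pid, auid, exe, "user session executing from agent directory"))
    return findings


# Constructed audit records (not captured from a real host): the agent service,
# a normal sudo session, a root shell with no setuid parent, and a user running
# a file staged under the agent directory.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1712880001.100:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="taegis" exe="/opt/taegis/bin/agent" key="exec"
type=SYSCALL msg=audit(1712880002.200:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1712880002.300:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 comm="apt" exe="/usr/bin/apt" key="exec"
type=SYSCALL msg=audit(1712880003.400:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1712880004.500:505): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 comm="stage" exe="/opt/taegis/tmp/stage" key="exec"
type=USER_LOGIN msg=audit(1712880000.000:500): pid=1999 uid=0 auid=1000 ses=5 res=success
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT.splitlines()):
        print(f"pid={f.pid} auid={f.auid} exe={f.exe}: {f.reason}")
```

The sudo exclusion is one parent level deep on purpose: a process spawned by sudo is normal, but a root shell whose parent is an ordinary user process (record 504 above) is exactly what a local privilege escalation looks like in the audit trail. Extend EXPECTED_SETUID with any site-specific setuid helpers before deploying, or the check will page on them.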