CVE-2019-19620 in Red Cloak Windows Agent

Summary

by MITRE

In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a malicious file.


Analysis

by VulDB Data Team • 03/07/2024

CVE-2019-19620 affects SecureWorks Red Cloak Windows Agent versions before 2.0.7.9. The agent's file telemetry depends on the agent itself being able to read the files it inspects; a local user who denies that access suppresses the telemetry, so a malicious file on the endpoint produces no alert. The flaw is in how the agent handles a file it cannot open, not in the files themselves.

The agent evidently performs its file inspection as NT AUTHORITY\SYSTEM, the account named in the advisory. A local user who owns a file (or otherwise holds WRITE_DAC on it) can edit its discretionary ACL and either remove every access control entry that grants SYSTEM access or add a Deny entry for SYSTEM. The agent then cannot open the file, and rather than treating the failed open as a finding it generates no alert at all. The weakness is therefore fail-open behaviour in the inspection path: the monitored object's own permissions, which the attacker controls, decide whether telemetry is produced.

Operationally, an adversary with local access can switch off monitoring for exactly the files they care about, hiding a dropped payload or persistence artifact from the product meant to detect it, and keep that foothold for as long as the ACL stays in place. No elevated privilege is needed: changing the ACL of a file you own is an ordinary user operation, so this is not a privilege-escalation or least-privilege problem but a failure of the monitor to fail closed. A SYSTEM-level process that cannot open a file it is supposed to inspect should report that as an event in its own right, not stay silent.

The vulnerability is classified under CWE-276 (Incorrect Default Permissions). In ATT&CK terms it belongs to Defense Evasion, not Privilege Escalation: the attacker's action is T1222.001 (File and Directory Permissions Modification: Windows File and Directory Permissions Modification) and its effect is T1562.001 (Impair Defenses: Disable or Modify Tools). Because the technique requires nothing beyond ownership of the file, it is most concerning in environments where many accounts hold local logon rights on monitored hosts.

The fix is to upgrade the agent to 2.0.7.9 or later. Until then, and as a standing control afterwards, audit permission changes on the paths the agent inspects (on Windows, the File System audit subcategory together with a SACL on those paths yields event 4670, "Permissions on an object were changed"); periodically enumerate files whose DACL lacks an Allow entry for SYSTEM or carries a Deny entry for it; and use privileged access management to limit which accounts can log on locally at all. After patching, confirm the fix directly: a file with SYSTEM stripped from its ACL should still produce telemetry.
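The following PowerShell is added here as an illustration; it is not code from SecureWorks, VulDB or the advisory. It reproduces on a scratch file the ACL change the advisory describes (stripping every entry for NT AUTHORITY\SYSTEM, well-known SID S-1-5-18) and then runs the audit the mitigation calls for, flagging files under a directory that SYSTEM can no longer read. The scratch directory, the file names and the function name are assumptions chosen for the demonstration; run it in an elevated PowerShell session on Windows.

```powershell
# Added illustration, not SecureWorks, VulDB or advisory code.
# Assumes Windows and an elevated PowerShell session. The scratch
# directory, file names and function name are invented for this demo.

$Root   = Join-Path $env:TEMP 'cve-2019-19620-demo'   # assumed scratch dir
$Target = Join-Path $Root 'sample.bin'                 # constructed sample file
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-Content -Path $Target -Value 'constructed sample content' -Encoding ASCII

# --- The attacker's move named in the advisory ---------------------------
# Break inheritance (keeping copies of the inherited ACEs), then purge every
# ACE that names NT AUTHORITY\SYSTEM. The file's owner can do this without
# elevation because ownership implies WRITE_DAC on the object.
$acl = Get-Acl -LiteralPath $Target
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Target -AclObject $acl

$acl    = Get-Acl -LiteralPath $Target
$system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'   # NT AUTHORITY\SYSTEM
$acl.PurgeAccessRules($system)
Set-Acl -LiteralPath $Target -AclObject $acl

# --- The defender's audit -------------------------------------------------
# Flag any file whose DACL carries a Deny ACE for SYSTEM, or grants SYSTEM
# no Allow ACE that includes ReadData. Either condition stops an agent that
# runs as SYSTEM and honours the DACL from opening the file.
# Caveat: an ACE granting only generic rights (GENERIC_READ) is not mapped
# here and would be reported as a false positive.
function Find-FileHiddenFromSystem {
    param([Parameter(Mandatory)][string]$Path)

    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try   { $fileAcl = Get-Acl -LiteralPath $file.FullName }
        catch { return }   # DACL unreadable even to us: skip here, worth its own alert

        $rules     = $fileAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $forSystem = @($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' })
        $denied    = @($forSystem | Where-Object { $_.AccessControlType -eq 'Deny' })
        $readable  = @($forSystem | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $readData) -ne 0)
        })

        if ($denied.Count -gt 0 -or $readable.Count -eq 0) {
            $reason = if ($denied.Count -gt 0) { 'Deny ACE for SYSTEM' }
                      else { 'No Allow ACE grants SYSTEM ReadData' }
            [pscustomobject]@{
                Path   = $file.FullName
                Owner  = $fileAcl.Owner
                Reason = $reason
            }
        }
    }
}

# The tampered file is reported; a control file that inherits the normal
# directory ACL (which includes SYSTEM:FullControl under a user profile) is not.
Set-Content -Path (Join-Path $Root 'control.txt') -Value 'untouched' -Encoding ASCII
Find-FileHiddenFromSystem -Path $Root | Format-Table -AutoSize
```

The audit is a point-in-time sweep; for continuous coverage pair it with a SACL on the monitored paths and the File System audit subcategory, so that each DACL change is recorded as event 4670 and can be correlated with the user who made it. On a patched agent (2.0.7.9 or later) the scratch file created above should still yield telemetry despite the stripped ACL, which is the check to run after upgrading.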

Reservation

12/06/2019

Moderation

accepted

CPE

ready

EPSS

0.00031

KEV

no

Activities

very low
