CVE-2019-5642 in Metasploit Pro
Summary
by MITRE
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
Analysis
by VulDB Data Team • 02/05/2024
The vulnerability described in CVE-2019-5642 represents a critical security flaw in Rapid7 Metasploit Pro versions prior to 4.16.0-2019081901: a CWE-732 (Incorrect Permission Assignment for Critical Resource) misconfiguration that exposes sensitive cryptographic material. The issue arises during installation, when the server.key file is generated and written to the file system with overly permissive, world-readable permissions. The fundamental flaw lies in the improper handling of cryptographic key material during software deployment, where system administrators fail to consider the security implications of file access controls for sensitive components.
The technical exploitation of this vulnerability enables local attackers who share the same system with the Metasploit Pro installation to access the private SSL/TLS certificate key. This compromise directly violates the principle of least privilege and creates an attack vector for man-in-the-middle scenarios against the web interface communications. When the server.key file is accessible to all users on the system, any individual with basic file system access can extract the private key, potentially allowing them to impersonate the Metasploit Pro server, decrypt intercepted communications, and establish unauthorized access to the web administration interface.
The operational impact of this vulnerability extends beyond simple information disclosure, as it undermines the entire security posture of the Metasploit Pro installation. Attackers who obtain the private key can perform cryptographic attacks against the web interface, potentially leading to full administrative compromise of the tool. This risk is particularly severe in multi-user environments where system administrators may not fully understand the implications of default file permissions or where privilege escalation opportunities exist. The vulnerability also creates a persistent threat that remains active until the system is properly configured or the software is updated to address the permission misconfiguration.
Mitigation strategies for this vulnerability require immediate attention from system administrators, including the implementation of proper file access controls and regular security audits of installed software components. The recommended approach involves manually correcting the file permissions on the server.key file to restrict access to only the necessary system accounts, typically requiring chmod 600 or similar restrictive permissions. System hardening procedures should be implemented to ensure that cryptographic materials are properly protected during software installation, and automated security scanning tools should be employed to detect similar misconfigurations across the enterprise. This vulnerability aligns with ATT&CK technique T1552.001 for unsecured credentials and demonstrates the importance of proper privilege management and secure configuration practices as outlined in CIS Controls and NIST SP 800-53 security frameworks.
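The permission check and chmod 600 remediation described in this section, written out as an added shell example (this is not VulDB's text or Rapid7's installer code): it reports any private key file readable by group or other, which is exactly the CWE-732 condition the analysis describes, and restricts it to its owner. The file path is a constructed stand-in created with mktemp, since the page does not give server.key's on-disk location, and the function names (key_mode, key_is_exposed, audit_key, restrict_key) are mine. The mask-based check is more general than testing for mode 600 literally: it also catches 640, 604, 664 and any other mode that leaves a group or other bit set.

```shell
#!/bin/sh
# Added example, not VulDB's or Rapid7's code: audit a TLS private key file for
# the CWE-732 condition described above (readable by group or other) and apply
# the owner-only (chmod 600) remediation. The demo file below is a constructed
# stand-in for Metasploit Pro's server.key, whose location this page does not give.

# key_mode FILE: print the file's octal permission bits
# (GNU coreutils stat first, BSD/macOS stat as fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_exposed FILE: exit 0 when any group/other permission bit is set,
# i.e. when another local account could read (or modify) the private key.
key_is_exposed() {
    mode=$(key_mode "$1") || return 2
    # 0$mode forces octal parsing; 077 masks off the owner bits so only the
    # group and other bits remain. Any non-zero remainder is a finding.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_key FILE: print a one-line verdict; exit 1 when the key is exposed so a
# scheduled audit job fails loudly, exit 0 when the key is already owner-only.
audit_key() {
    if key_is_exposed "$1"; then
        printf 'EXPOSED  %s  mode=%s  (readable by other local users)\n' \
            "$1" "$(key_mode "$1")"
        return 1
    fi
    printf 'OK       %s  mode=%s\n' "$1" "$(key_mode "$1")"
}

# restrict_key FILE: apply the chmod 600 fix the analysis recommends,
# then re-check so the caller knows the remediation actually took effect.
restrict_key() {
    chmod 600 "$1" && ! key_is_exposed "$1"
}

# --- demonstration on a constructed file standing in for server.key ---
demo_key=$(mktemp)
printf 'constructed placeholder, not real key material\n' > "$demo_key"
chmod 644 "$demo_key"            # reproduce the world-readable install-time mode

audit_key "$demo_key" || restrict_key "$demo_key"   # finding -> remediate
audit_key "$demo_key"                               # now reports OK, mode=600
rm -f "$demo_key"
```

audit_key's exit status makes it usable as-is in a cron job or a post-install hook: point it at each private key the host serves TLS with, and a non-zero exit means a local user other than the owner can read the key. restrict_key only reports success after re-running the check, so a chmod that silently failed (for example on a filesystem that ignores mode bits) is not mistaken for a fix.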