The security and protection of our customers is of the utmost importance to Qualys, as is transparency whenever issues arise. A customer responsibly disclosed two scenarios related to the Qualys Cloud Agent:
Please note below that the first scenario requires that a malicious actor is already present on the computer running the Qualys Cloud Agent, and that the agent is running with root privileges.
It is important to note that there has been no indication of an incident or breach of confidentiality, integrity, or availability of the:
Qualys engineering and product teams have implemented additional safeguards, and there is no action required by Qualys customers at this time. In addition, we have updated our documentation to help guide customers in selecting the appropriate privilege and logging levels for the Qualys Cloud Agent.
The specific details of the issues addressed are below:
| Advisory ID: Q-PSA-2022-01 | CVE ID: CVE-2022-29549 |
|---|---|
| Published: 2022-08-15 | Last Update: 2022-08-15 |
| CWE: CWE-284 | |

| | NVD Risk Rating | Qualys Risk Rating |
|---|---|---|
| CVSSv3.1 Score | 7.3 / High | 6.7 / Medium |
| CVSSv3.1 Vector (Base) | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
Qualys Cloud Agent for Linux with signature manifest versions prior to 2.5.548.2 executes programs at various full pathnames without first making ownership and permission checks. Privilege escalation is possible on a system where a malicious actor with local write access to one of the vulnerable pathnames controlled by a non-root user installs arbitrary code, and the Qualys Cloud Agent is run as root. In such situations, an attacker could use the Qualys Cloud Agent to run arbitrary code as the root user.
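The kind of ownership and permission check the advisory describes as missing, as an added example that is not Qualys code: before a root-privileged agent executes a fixed full pathname, every component of the path is inspected and anything a non-trusted user could modify is refused. `unsafe_reasons`, `run_trusted` and the `trusted_uids` parameter are this example's own names.

```python
import os
import stat
import subprocess

# Added example (not Qualys code): gate a fixed full pathname before a
# root-privileged agent executes it. The file and every directory leading to
# it must be owned by a trusted uid and must not be writable by anyone else.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable

def _components(path):
    """Yield '/', '/opt', '/opt/tool', ... for an absolute path."""
    current = os.sep
    yield current
    for part in path.strip(os.sep).split(os.sep):
        if part:
            current = os.path.join(current, part)
            yield current

def unsafe_reasons(path, trusted_uids=(0,)):
    """Return [(component, reason), ...]; an empty list means safe to execute."""
    if not os.path.isabs(path):
        return [(path, "not an absolute path")]
    reasons = []
    for component in _components(path):
        try:
            st = os.lstat(component)  # lstat: a planted symlink is rejected, not followed
        except OSError as exc:
            return reasons + [(component, f"cannot stat: {exc.strerror}")]
        if stat.S_ISLNK(st.st_mode):
            return reasons + [(component, "is a symbolic link")]
        if st.st_uid not in trusted_uids:
            reasons.append((component, f"owned by uid {st.st_uid}, not trusted"))
        if st.st_mode & WRITABLE_BY_OTHERS:
            # Rejected even for sticky directories such as /tmp: conservative on purpose.
            reasons.append((component, "writable by group or others"))
    # `st` now describes the final component, which must be a real executable.
    if not stat.S_ISREG(st.st_mode):
        reasons.append((path, "not a regular file"))
    elif not st.st_mode & stat.S_IXUSR:
        reasons.append((path, "not executable by its owner"))
    return reasons

def run_trusted(path, args=(), trusted_uids=(0,)):
    """Execute `path` only if it passes every check; raise PermissionError otherwise."""
    problems = unsafe_reasons(path, trusted_uids)
    if problems:
        raise PermissionError("; ".join(f"{c}: {r}" for c, r in problems))
    return subprocess.run([path, *args], check=False)
```

Running the gate on a path under a world-writable directory reports that directory too, which is exactly the case an agent running as root has to refuse.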
No action is required by customers. Qualys Cloud Agent manifests with manifest version 2.5.548.2 have been automatically updated across all regions effective immediately.
Product | Vulnerability Management | Policy Compliance |
---|---|---|
Linux Agent | ✓ | ✓ |
Mac Agent | ✓ | ✓ |
Solaris Agent | ✓ | ✓ |
CoreOS | No | No |
FreeBSD | ✓ | ✓ |
Traditional Scanner (ML) | ✓ | ✓ |
Qualys assesses the attack complexity for this vulnerability as High, as it requires local system access by an attacker and the ability to write malicious files to user system paths. This lowers the overall severity score from High to Medium.
Not applicable.
Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)
| Advisory ID: Q-PSA-2022-02 | CVE ID: CVE-2022-29550 |
|---|---|
| Published: 2022-08-15 | Last Update: 2022-08-15 |
| CWE: CWE-312, CWE-200 | |

| | NVD Risk Rating | Qualys Risk Rating |
|---|---|---|
| CVSSv3.1 Score | 5.5 / Medium | Unchanged |
| CVSSv3.1 Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | Unchanged |
Qualys Cloud Agent for Linux writes the output of the _ps auxwwe_ command to the /var/log/qualys/qualys-cloud-agent-scan.log file when the logging level is configured to trace. While customers often require this level of logging for troubleshooting, customer credentials or other secrets could be written to the Qualys logs from environment variables, if set by the customer.
Qualys disputes the validity of this vulnerability for the following reasons:
The Qualys Cloud Agent for Linux default logging level is set to informational. At this logging level, the output from _ps auxwwe_ is not written to the qualys-cloud-agent-scan.log. Qualys documentation has been updated to support customer decision-making on appropriate logging levels and related security considerations.
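An added example, not Qualys code, of the review a customer can run on a trace-level qualys-cloud-agent-scan.log before sharing it for troubleshooting: it scans the `ps auxwwe` output for environment variables whose names look like credentials and masks their values. The sample log lines are constructed and their layout is an assumption, not the agent's exact format; `SECRET_NAME`, `find_leaked_secrets` and `redact_log` are this example's own names.

```python
import re

# Environment variable names that usually carry credentials (case-insensitive).
SECRET_NAME = re.compile(r"(?i)(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)")
# A KEY=value token as `ps e` prints it after the command line; the value runs
# to the next whitespace. The lookbehind keeps `--port=8443` style options out.
ENV_TOKEN = re.compile(r"(?<![\w-])([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

# Constructed sample of a trace-level scan log; the layout is an assumption.
SAMPLE_LOG = """\
2022-08-15 10:02:17 [trace] running: ps auxwwe
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 09:58 0:01 /sbin/init PATH=/usr/sbin:/usr/bin
app 2043 0.3 1.2 901000 98000 ? Sl 09:59 0:12 /opt/app/server --port=8443 HOME=/home/app DB_PASSWORD=hunter2 AWS_SECRET_ACCESS_KEY=EXAMPLEsecret01
app 2101 0.0 0.2 12000 3000 ? S 10:00 0:00 /usr/bin/worker API_TOKEN=eyJhbGciOi LOG_LEVEL=debug
"""

def redact(value, keep=2):
    """Mask a value, leaving only a short prefix so a reviewer can recognise it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def find_leaked_secrets(log_text):
    """Return [(line_no, var_name, redacted_value), ...] for secret-like env vars.

    The real value is never returned, so a finding is safe to put in a ticket.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in ENV_TOKEN.findall(line):
            if SECRET_NAME.search(name):
                findings.append((line_no, name, redact(value)))
    return findings

def redact_log(log_text):
    """Return a copy of the log with every secret-like env value masked in place."""
    def mask(match):
        name, value = match.group(1), match.group(2)
        return f"{name}={redact(value)}" if SECRET_NAME.search(name) else match.group(0)
    return "\n".join(ENV_TOKEN.sub(mask, line) for line in log_text.splitlines())
```

Variables such as PATH and HOME pass through untouched, so the masked copy is still usable for the troubleshooting the trace level was enabled for.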
Product | Vulnerability Management | Policy Compliance |
---|---|---|
Linux Agent | ✓ | ✓ |
Mac Agent | ✓ | ✓ |
Solaris Agent | ✓ | ✓ |
CoreOS | No | No |
FreeBSD | ✓ | ✓ |
Not applicable.
Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)
No action is required by Qualys customers. Qualys released signature updates with manifest version 2.5.548.2 to address this CVE and has rolled the updates out across the Qualys Cloud Platform.
To quickly discover whether any agents are using older manifest versions, Qualys released QID 376807 on August 15, 2022, in manifest version LX_MANIFEST-2.5.555.4-3, for Qualys Cloud Agent for Linux only.
Customers may use the QQL query `vulnerabilities.vulnerability.qid:376807` in Qualys Cloud Agent, Qualys Global AssetView, Qualys VMDR, or Qualys CyberSecurity Asset Management to identify assets using older manifest versions.
The default logging level for the Qualys Cloud Agent is set to informational. At this level, the output of commands is not written to the Qualys log. If customers need to troubleshoot, they must change the logging level to trace in the configuration profile. We log the multi-pass commands in verbose mode, and non-multi-pass commands are logged only in trace mode.
Additional details were added to our documentation to help guide customers in their decision to enable either Verbose level logging or Trace level logging.
As a prerequisite for CVE-2022-29549, an adversary would need to have already compromised the local system running the Qualys Cloud Agent. Common signs of a local account compromise include abnormal account activities, disabled AV and firewall rules, local logging turned off, and malicious files written to disk. File integrity monitoring logs may also provide indications that an attacker replaced key system files. Customers could also review trace level logging messages from the Qualys Cloud Agent to list files executed by the agent, and then correlate those logs to recently modified files on the system. The system files need to be examined using either antivirus software or manual analysis to determine if the files were malicious. Binary hash comparison and file monitoring are separate technologies and different product offerings from Qualys: Qualys File Integrity Monitoring (FIM) and Qualys Multi-Vector EDR.
Qualys product security teams perform continuous static and dynamic testing of new code releases. Senior application security engineers also perform manual code reviews. Additionally, Qualys performs periodic third-party security assessments of the complete Qualys Cloud Platform including the Qualys Cloud Agent. Lessons learned were identified as part of CVE-2022-29549 and new preventative and detective controls were added to build processes, along with updates to our developer training and development standards.
While a new agent is not required to address CVE-2022-29549, we updated Qualys Cloud Agent with an enhanced defense-in-depth mechanism for our customers to use if they choose. The new version offers three modes for running Vulnerability Management (VM) signature checks with each mode corresponding to a different privilege profile explained in our updated documentation.
New versions of the Qualys Cloud Agents for Linux were released in August 2022.
OS | Latest Version |
---|---|
Linux Intel | 5.0 |
Mac Intel | 3.17 |
AIX | 4.17 |
MAC M1 | 3.26 |
Linux ARM | 4.18 |
Linux PPC | 3.21 |
The new version provides different modes allowing customers to select from various privileges for running a VM scan.
The different modes available are:
The documentation for different privileges for Qualys Cloud Agent users has been updated on Qualys Linux Agent Guide.
Customers needing additional information should contact their Technical Account Manager or email Qualys product security at [email protected].
Qualys takes the security and protection of its products seriously. If you believe you have identified a vulnerability in one of our products, please let us know at [email protected].