Qualys Security Updates: Cloud Agent for Linux

Qualys Product Security Team

Last updated on: December 22, 2022

The security and protection of our customers is of the utmost importance to Qualys, as is transparency whenever issues arise. A customer responsibly disclosed two scenarios related to the Qualys Cloud Agent:

  1. For the first scenario, we added supplementary safeguards for signatures running on Linux systems
  2. For the second scenario, we dispute the finding; however, we believe absolute transparency is key, and so we have listed the issue here

Please note below that the first scenario requires that a malicious actor is already present on the computer running the Qualys Cloud Agent, and that the agent is running with root privileges.       

It is important to note that there has been no indication of an incident or breach of confidentiality, integrity, or availability of the:

  • Qualys Platform (including the Qualys Cloud Agent and Scanners)
  • Qualys Codebase
  • Qualys Signature Set
  • Qualys Customer Data

Qualys engineering and product teams have implemented additional safeguards, and there is no action required by Qualys customers at this time. In addition, we have updated our documentation to help guide customers in selecting the appropriate privilege and logging levels for the Qualys Cloud Agent.

The specific details of the issues addressed are below:

Qualys Cloud Agent for Linux: Possible Local Privilege Escalation

Advisory ID: Q-PSA-2022-01
CVE ID: CVE-2022-29549
Published: 2022-08-15
Last Update: 2022-08-15
CWE: CWE-284

Risk Factor

NVD Risk Rating
  CVSSv3.1 Score: 7.3 / High
  CVSSv3.1 Vector (Base): AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Qualys Risk Rating
  CVSSv3.1 Score: 6.7 / Medium
  CVSSv3.1 Vector (Base): AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Description

Qualys Cloud Agent for Linux with signature manifest versions prior to 2.5.548.2 executes programs at various full pathnames without first making ownership and permission checks. Privilege escalation is possible on a system where a malicious actor with local write access to one of the vulnerable pathnames controlled by a non-root user installs arbitrary code, and the Qualys Cloud Agent is run as root. In such situations, an attacker could use the Qualys Cloud Agent to run arbitrary code as the root user.
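The safeguard this description calls for is an ownership and permission check on every component of an executable's path before a root process runs it. The following is an added illustration, not Qualys code: it resolves symlinks, walks the path from the filesystem root down, and refuses to execute unless each component is owned by a trusted uid (root by default, the `trusted_uids` parameter is this example's own) and writable by nobody else.

```python
import os
import stat
import subprocess


def path_findings(path, trusted_uids=(0,)):
    """Walk every component of an absolute path (after resolving symlinks) and
    report anything that would let an untrusted user replace the executable.
    Returns a list of human-readable findings; an empty list means every
    component is owned by a trusted uid and is not group- or world-writable."""
    if not os.path.isabs(path):
        return [f"{path}: not an absolute path"]
    resolved = os.path.realpath(path)  # check the real target chain, not the symlinks
    components = [p for p in resolved.split("/") if p]
    if not components:
        return [f"{path}: is the filesystem root, not a file"]
    findings = []
    prefix = "/"
    for i, name in enumerate(components):
        prefix = os.path.join(prefix, name)
        try:
            st = os.stat(prefix)
        except FileNotFoundError:
            findings.append(f"{prefix}: does not exist")
            break
        if st.st_uid not in trusted_uids:
            findings.append(f"{prefix}: owned by uid {st.st_uid}, which is not trusted")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{prefix}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{prefix}: world-writable")  # includes sticky dirs such as /tmp
        if i == len(components) - 1 and not stat.S_ISREG(st.st_mode):
            findings.append(f"{prefix}: not a regular file")
    return findings


def run_trusted(argv, trusted_uids=(0,)):
    """Execute argv only if argv[0] passes path_findings(); otherwise refuse."""
    problems = path_findings(argv[0], trusted_uids)
    if problems:
        raise PermissionError("; ".join(problems))
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```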

Solution

No action is required by customers. Qualys Cloud Agent manifests with manifest version 2.5.548.2 have been automatically updated across all regions effective immediately. 

Affected Products

Product                   Vulnerability Management   Policy Compliance
Linux Agent
Mac Agent
Solaris Agent
CoreOS                    No                         No
FreeBSD
Traditional Scanner (ML)

Severity Considerations

Qualys assesses the attack complexity for this vulnerability as High, as it requires local system access by an attacker and the ability to write malicious files to user system paths. This lowers the overall severity score from High to Medium.

References

Not applicable.

Acknowledgments

Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)

Qualys Cloud Agent for Linux: Possible Information Disclosure [DISPUTED]

Advisory ID: Q-PSA-2022-02
CVE ID: CVE-2022-29550
Published: 2022-08-15
Last Update: 2022-08-15
CWE: CWE-312, CWE-200

Risk Factor

NVD Risk Rating
  CVSSv3.1 Score: 5.5 / Medium
  CVSSv3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Qualys Risk Rating
  CVSSv3.1 Score: Unchanged
  CVSSv3.1 Vector: Unchanged

Description

Qualys Cloud Agent for Linux writes the output of the ps auxwwe command to the /var/log/qualys/qualys-cloud-agent-scan.log file when the logging level is configured to trace. While customers often require this level of logging for troubleshooting, customer credentials or other secrets could be written to the Qualys logs from environment variables, if set by the customer.
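Because ps with the e flag appends each process's environment as NAME=value tokens, a customer who ran at trace level can check whether the scan log recorded anything that looks like a credential. The following is an added example, not Qualys tooling: the log lines are constructed for illustration and do not reproduce the agent's real log format, and the secret-name pattern is an assumption you would tune to your own naming conventions.

```python
import re

# Variable names whose values are likely credentials (assumed list; extend as needed).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# `ps e` appends the environment as NAME=value tokens after the command line.
ENV_TOKEN = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

# Constructed sample of what a trace-level log could carry; not real agent output.
SAMPLE_LOG = """\
2022-08-15 10:01:02 [12345]:[Trace]: Executing command: ps auxwwe
root 1 0.0 0.1 168000 11000 ? Ss Aug14 0:03 /sbin/init PATH=/usr/sbin:/usr/bin LANG=C.UTF-8
app 2371 0.2 1.4 912000 58000 ? Sl Aug14 1:12 /opt/app/server DB_PASSWORD=hunter2 API_TOKEN=abc123def456 HOME=/home/app
app 2390 0.0 0.3 21000 4100 pts/0 S+ 10:00 0:00 bash HOME=/home/app SHELL=/bin/bash
""".splitlines()


def find_leaked_env(log_lines):
    """Return (line_no, var_name, masked_value) for each secret-looking
    environment variable found in ps-style lines. Values are masked to the
    first two characters so the report itself does not repeat the secret."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for name, value in ENV_TOKEN.findall(line):
            if SECRET_NAME.search(name):
                hits.append((n, name, value[:2] + "*" * max(len(value) - 2, 0)))
    return hits


def redact(line):
    """Replace the value of every secret-looking NAME=value token on a line."""
    def mask(m):
        if SECRET_NAME.search(m.group(1)):
            return m.group(1) + "=<redacted>"
        return m.group(0)
    return ENV_TOKEN.sub(mask, line)


def scan_log_file(path="/var/log/qualys/qualys-cloud-agent-scan.log"):
    """Run find_leaked_env over a log file on disk (default path is from the advisory)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_leaked_env(fh)
```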

Dispute Rationale

Qualys disputes the validity of this vulnerability for the following reasons:

  1. Qualys logs are stored locally on the customer device and the logs are only accessible by the Qualys Cloud Agent user OR root user on that device
  2. Qualys customers have numerous options for setting lower logging levels for the Qualys Cloud Agent that would not collect the output of agent commands
  3. Using cleartext credentials in environment variables is not aligned with security best practices and should not be done (Reference https://cwe.mitre.org/data/definitions/256.html and https://cwe.mitre.org/data/definitions/312.html)

Solution

The Qualys Cloud Agent for Linux default logging level is set to informational. At this logging level, the output from the ps auxwwe command is not written to qualys-cloud-agent-scan.log. Qualys documentation has been updated to support customer decision-making on appropriate logging levels and related security considerations.

Affected Products

Product                   Vulnerability Management   Policy Compliance
Linux Agent
Mac Agent
Solaris Agent
CoreOS                    No                         No
FreeBSD

Severity Considerations

Not applicable.

References

Acknowledgments

Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)

FAQs

What action must customers take to fix CVE-2022-29549?

No action is required by Qualys customers. Qualys released signature updates with manifest version 2.5.548.2 to address this CVE and has rolled the updates out across the Qualys Cloud Platform.

To quickly discover if there are any agents using older manifest versions, Qualys has released QID 376807 on August 15, 2022, in Manifest version LX_MANIFEST-2.5.555.4-3 for Qualys Cloud Agent for Linux only.

Customers may use QQL vulnerabilities.vulnerability.qid:376807 in Qualys Cloud Agent, Qualys Global AssetView, Qualys VMDR, or Qualys CyberSecurity Asset Management to identify assets using older manifest versions.

What action must customers take to fix CVE-2022-29550?

The default logging level for the Qualys Cloud Agent is set to informational. At this level, the output of commands is not written to the Qualys log. If customers need to troubleshoot, they must change the logging level to trace in the configuration profile. We log the multi-pass commands in verbose mode, and non-multi-pass commands are logged only in trace mode.

Additional details were added to our documentation to help guide customers in their decision to enable either Verbose level logging or Trace level logging.

How would a customer determine if CVE-2022-29549 was exploited on an impacted device?

As a prerequisite for CVE-2022-29549, an adversary would need to have already compromised the local system running the Qualys Cloud Agent. Common signs of a local account compromise include abnormal account activities, disabled AV and firewall rules, local logging turned off, and malicious files written to disk. File integrity monitoring logs may also provide indications that an attacker replaced key system files. Customers could also review trace level logging messages from the Qualys Cloud Agent to list files executed by the agent, and then correlate those logs to recently modified files on the system. The system files need to be examined using either antivirus software or manual analysis to determine if the files were malicious. Binary hash comparison and file monitoring are separate technologies and different product offerings from Qualys: Qualys File Integrity Monitoring (FIM) and Qualys Multi-Vector EDR.

How does Qualys test the security of Qualys Cloud Agent?

Qualys product security teams perform continuous static and dynamic testing of new code releases. Senior application security engineers also perform manual code reviews. Additionally, Qualys performs periodic third-party security assessments of the complete Qualys Cloud Platform including the Qualys Cloud Agent. Lessons learned were identified as part of CVE-2022-29549 and new preventative and detective controls were added to build processes, along with updates to our developer training and development standards.

Is there an updated version of Qualys Cloud Agent? Why?

While a new agent is not required to address CVE-2022-29549, we updated Qualys Cloud Agent with an enhanced defense-in-depth mechanism for our customers to use if they choose. The new version offers three modes for running Vulnerability Management (VM) signature checks with each mode corresponding to a different privilege profile explained in our updated documentation.

New versions of the Qualys Cloud Agents for Linux were released in August 2022.

OS             Latest Version
Linux Intel    5.0
Mac Intel      3.17
AIX            4.17
MAC M1         3.26
Linux ARM      4.18
Linux PPC      3.21

For the new Qualys Cloud Agent, what modes and privileges does it offer over the previous version?

The new version provides different modes allowing customers to select from various privileges for running a VM scan.

The different modes available are:

  • Agent User Mode: The Qualys Cloud Agent runs VM scans with the same privileges configured by the customer to run Qualys Cloud Agent
  • Safe Mode: The Qualys Cloud Agent runs only the VM scan with lower privileges and would not run any command/binary with elevated privileges
  • Dynamic Privilege Elevation Mode: The Qualys Cloud Agent runs the VM scan with lower privileges by default and will dynamically elevate privileges to root access only for those commands that failed with permission issues under lower privileges

The documentation for the different privilege levels for Qualys Cloud Agent users has been updated in the Qualys Linux Agent Guide.

Customers needing additional information should contact their Technical Account Manager or email Qualys product security at security@qualys.com.

Qualys takes the security and protection of its products seriously. If you believe you have identified a vulnerability in one of our products, please let us know at bugreport@qualys.com.
