Qualys Security Updates: Cloud Agent for Windows and Mac

As part of our commitment to transparency and keeping customers and the community informed, Qualys is publicly disclosing three CVEs pertaining to the Qualys Cloud Agent for Windows and one CVE on the Qualys Cloud Agent for Mac.  

Qualys has confirmed there is no impact on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners. Qualys is also unaware of any active exploitations, further research and development efforts, or available exploit kits.  

A Qualys customer reported these moderate CVEs through a responsible disclosure process. Qualys’ Product Security Incident Response Team (PSIRT) has worked closely with this entity to validate and verify the vulnerabilities and provide all its customers with remediation actions. It is important to note: 

• Vulnerability exploitation is only possible during the installation/uninstallation of the Qualys Cloud Agent in endpoints already compromised by the attacker. 
• These vulnerabilities were eliminated during the normal Cloud Agent software development process for both Windows and Mac and have been available for approximately one year. 
• We have not identified any exploitation outside of the proof-of-concept developed by our customer’s Red Team that disclosed this vulnerability to us. The Qualys Threat Research Unit will continue to monitor for threat intelligence indicating active exploitation of these vulnerabilities. 

There has been no indication of an incident or breach of confidentiality, integrity, or availability of the: 

• Qualys Platform (including the Qualys Cloud Agent and Scanners) 
• Qualys Codebase 
• Qualys Signature Set 
• Qualys hosted Customer Data 
• Any other associated Qualys product (e.g., Endpoint Protection Platform) 

The remainder of this blog aims to assist customers by providing information to support their decision-making processes relating to patching these vulnerabilities. 

Acknowledgments 

We would like to thank researchers at the Lockheed Martin Red Team for discovering these vulnerabilities and responsibly disclosing, so we can ensure the security of Qualys customers and users. 

Key Data 

The specific details of the issues addressed are below: 

1. Possible Executable Hijacking of Qualys Cloud Agent for Windows prior to 4.5.3.1 

Advisory ID:  Q-PVD-2023-00 

CVE ID:  CVE-2023-28140 

QID: 378359 

Published:  2023-04-18 

CWE:  CWE-427  

Risk Factor 

	NVD Risk Rating	Qualys Risk Rating
CVSSv3.1 Score	TBD	6.7 / Medium
CVSSv3.1 Vector (Base)	TBD	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Description 

An Executable Hijacking condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.5.3.1. Attackers may load a malicious copy of a Dependency Link Library (DLL) instead of the DLL that the application was expecting when processes are running with escalated privileges. This vulnerability is bounded only to the time of uninstallation. 

At the time of this disclosure, versions before 4.0 are classified as End of Life. 

Solution 

Customers are advised to upgrade to v4.5.3.1 or higher of Qualys Cloud Agent for Windows. If possible, customers should enable automatic updates. 

2. Possible NTFS Junction Exploitation on Qualys Cloud Agent for Windows prior to 4.8.0.31 

Advisory ID:  Q-PVD-2023-01 

CVE ID:  CVE-2023-28141 

QID: 378360 

Published:  2023-04-18 

CWE:  CWE-59 

Risk Factor 

	NVD Risk Rating	Qualys Risk Rating
CVSSv3.1 Score	TBD	6.7 / Medium
CVSSv3.1 Vector (Base)	TBD	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H

Description 

An NTFS Junction condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.8.0.31. Attackers may write files to arbitrary locations via a local attack vector. This allows attackers to assume the privileges of the process, and they may delete or otherwise on unauthorized files, allowing for the potential modification or deletion of sensitive files limited only to that specific directory/file object. This vulnerability is bounded only to the time of uninstallation and can only be exploited locally. 

At the time of this disclosure, versions before 4.0 are classified as End of Life. 

Solution 

Customers are advised to upgrade to v4.8.0.31 or higher of Qualys Cloud Agent for Windows. If possible, customers should enable automatic upgrades. 

3. Possible Race Condition Exploitation on Qualys Cloud Agent for Windows prior to 4.5.3.1 

Advisory ID:  Q-PVD-2023-02 

CVE ID:  CVE-2023-28142 

QID: 378359 

Published:  2023-04-18 

CWE:  CWE-426 

Risk Factor 

	NVD Risk Rating	Qualys Risk Rating
CVSSv3.1 Score	TBD	6.7 / Medium
CVSSv3.1 Vector (Base)	TBD	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Description 

A Race Condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.5.3.1. This allows attackers to escalate privileges limited on the local machine during uninstallation of the Qualys Cloud Agent for Windows. Attackers may gain SYSTEM level privileges on that asset to run arbitrary commands. 

At the time of this disclosure, versions before 4.0 are classified as End of Life. 

Solution 

Customers are advised to upgrade to v4.5.3.1 or higher of Qualys Cloud Agent for Windows. If possible, customers should enable automatic updates. 

4. Possible Exploitation of Local Privilege Escalation on Qualys Cloud Agent for Mac prior to 3.7 

Advisory ID: Q-PVD-2023-03 

CVE ID: CVE-2023-28143 

QID: 378361 

Published: 2023-04-18 

CWE: CWE-362  

Risk Factor 

	NVD Risk Rating	Qualys Risk Rating
CVSSv3.1 Score	TBD	6.7 / Medium
CVSSv3.1 Vector (Base)	TBD	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Description 

Qualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7) installer allows a local escalation of privilege bounded only to the time of installation and only on older macOSX (macOS 10.15 and older) versions. Attackers may exploit incorrect file permissions to give them ROOT command execution privileges on the host. During the install of the PKG, a step in the process involves extracting the package and copying files to several directories. Attackers may gain writable access to files during the install of PKG when extraction of the package and copying files to several directories, enabling a local escalation of privilege. 

Solution 

Customers are advised to upgrade to v3.7 or higher of Qualys Cloud Agent for MacOS. If possible, customers should enable automatic updates. 

Frequently Asked Questions 

Are fixes available today to address these vulnerabilities? 

Yes. Because of our commitment to continuous improvement, Qualys updates and improves its products and regularly releases new versions of the Cloud Agent. The versions which eliminated the issue are available today and have been available for approximately one year. 

What version addresses all issues on Qualys Cloud Agent? 

Customers seeking to address all vulnerabilities with a single action must upgrade to the following versions across Qualys Cloud Agent for Mac and Windows. 

OS	Minimum Fixed Version
Mac	3.7 and above
Windows	4.8.0.31 and above

Please refer to Upgrading Qualys Cloud Agents for steps to upgrade agents. To make it easier for customers to track Agents that need to be upgraded , we have created the Qualys Security Updates Dashboard, which you can download and import into your subscription. You may also create a dynamic tag to track these QIDs. Tagging makes these grouped assets available for querying, reporting, prioritizing, and management throughout the Qualys Cloud Platform. 

Under what conditions is this vulnerability exploitable? 

To exploit these vulnerabilities, it is necessary for the attacker to have control of the local system that is operating the Qualys Cloud Agent.  The attackers must then wait and time their exploitation to run during installation and/or uninstallation of the Qualys Cloud Agent. Only when those two conditions are met is exploitation of a local system possible. 

What sort of exploitation has been observed today? 

Currently, Qualys is not aware of any active exploitations, further research and development efforts, or available exploit kits. These moderate vulnerabilities were discovered by our customer’s red team in a lab and are classified as a proof of concept. 

How would a customer determine if there was an exploit on an impacted device? 

Indicators of a local account breach may consist of unusual account activities, disabled antivirus and firewall rules, deactivated local logging, and the presence of malicious files on the disk. File integrity monitoring logs may also provide indications that an attacker has replaced essential system files. To ascertain if the files were malicious, antivirus software or manual analysis should be employed to examine the system files. File Integrity products like Qualys File Integrity Monitoring (FIM) could be used to detect unauthorized changes or modifications made to files and directories on a computer system. Endpoint Detection and Response products like  Qualys Multi-Vector EDR can be used to detect and respond to suspicious activity on endpoints. 

What actions is Qualys taking post disclosure to protect customers? 

Qualys is taking the following actions to ensure the safety and security of our customers: 

1. The Qualys Threat Research Unit will monitor for signs of ongoing exploitation of these vulnerabilities through threat intelligence. 

2. Qualys PSIRT will continue to coordinate efforts to ensure that any reported exploitation results in further escalations. 

3. Qualys engineering has released QIDs for each CVE so that customers can easily identify vulnerable versions of the Qualys Cloud Agent, empowering them with information to make changes. 

How does Qualys test the security of Qualys Cloud Agent? 

The Qualys Product Security teams perform continuous static and dynamic testing of new code releases. Senior application security engineers also perform manual code reviews and assess the composition of the software’s dependencies. Additionally, Qualys performs periodic third-party security assessments of the complete Qualys Cloud Platform including the Qualys Cloud Agent. Lessons learned were identified as part of these CVE IDs and new preventative and detective controls were added to build processes, along with updates to our developer training and development standards. 

How can I learn more about this and other vulnerability disclosures? 

Customers needing additional information should contact their Technical Account Manager or email Qualys Product Security at psirt@qualys.com.  

Qualys takes the security and protection of its products seriously. If you believe you have identified a vulnerability in one of our products, please let us know at bugreport@qualys.com.