CVE-2022-29550: Qualys Security Updates: Cloud Agent for Linux | Qualys Security Blog
** DISPUTED ** An issue was discovered in Qualys Cloud Agent 4.8.0-49. It writes “ps auxwwe” output to the /var/log/qualys/qualys-cloud-agent-scan.log file. This may, for example, unexpectedly write credentials (from environment variables) to disk in cleartext. NOTE: there are no common circumstances in which qualys-cloud-agent-scan.log can be read by a user other than root; however, the file contents could be exposed through site-specific operational practices. The vendor does NOT characterize this as a vulnerability because the ps data collection is intentional, and would only capture credentials on a machine that was already affected by the CWE-214 weakness.
The security and protection of our customers is of the utmost importance to Qualys, as is transparency whenever issues arise. A customer responsibly disclosed two scenarios related to the Qualys Cloud Agent:
- For the first scenario, we added supplementary safeguards for signatures running on Linux systems
- For the second scenario, we dispute the finding; however, we believe absolute transparency is key, and so we have listed the issue here
Note that the first scenario requires that a malicious actor already be present on the computer running the Qualys Cloud Agent, and that the agent be running with root privileges.
It is important to note that there has been no indication of an incident or breach of confidentiality, integrity, or availability of the:
- Qualys Platform (including the Qualys Cloud Agent and Scanners)
- Qualys Codebase
- Qualys Signature Set
- Qualys Customer Data
Qualys engineering and product teams have implemented additional safeguards, and there is no action required by Qualys customers at this time. In addition, we have updated our documentation to help guide customers in selecting the appropriate privilege and logging levels for the Qualys Cloud Agent.
The specific details of the issues addressed are below:
Qualys Cloud Agent for Linux: Possible Local Privilege Escalation
Advisory ID: Q-PSA-2022-01
CVE ID: CVE-2022-29549
Published: 2022-08-15
Last Update: 2022-08-15
CWE: CWE-284
| Risk Factor | NVD Risk Rating | Qualys Risk Rating |
| --- | --- | --- |
| CVSSv3.1 Score | 7.3 / High | 6.7 / Medium |
| CVSSv3.1 Vector (Base) | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
Description
Qualys Cloud Agent for Linux with signature manifest versions prior to 2.5.548.2 executes programs at various full pathnames without first making ownership and permission checks. Privilege escalation is possible on a system where a malicious actor with local write access to one of the vulnerable pathnames controlled by a non-root user installs arbitrary code, and the Qualys Cloud Agent is run as root. In such situations, an attacker could use the Qualys Cloud Agent to run arbitrary code as the root user.
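The ownership and permission checks the description refers to can be illustrated as a pre-execution gate: before a root-privileged agent runs a binary at a full pathname, every directory on the path and the file itself must be owned by root and writable by nobody else. The following is an added example written for this page, not Qualys code; `Entry`, `component_problems`, `live_problems` and the `SAMPLE_FS` metadata are constructed for illustration.

```python
import os
import stat
from collections import namedtuple
from pathlib import PurePosixPath

# Stand-in for the os.stat_result fields the check needs, so the logic can be run on
# constructed metadata without root-owned test files.
Entry = namedtuple("Entry", "mode uid")

def component_problems(path, entries, trusted_uid=0):
    """Reasons `path` (already symlink-resolved) must not be executed as root. `entries`
    maps each absolute prefix ("/", "/usr", "/usr/bin", ...) to an Entry; [] means safe."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [f"{path}: not an absolute path"]
    problems = []
    for prefix in reversed([p] + list(p.parents)):  # "/" first, then each deeper component
        ent = entries.get(str(prefix))
        if ent is None:
            return problems + [f"{prefix}: does not exist"]
        if ent.uid != trusted_uid:
            problems.append(f"{prefix}: owned by uid {ent.uid}, expected {trusted_uid}")
        if ent.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{prefix}: group/world writable (mode {stat.S_IMODE(ent.mode):04o})")
    if not stat.S_ISREG(entries[str(p)].mode):
        problems.append(f"{p}: not a regular file")
    return problems

def live_problems(path, trusted_uid=0):
    # Same check against the real filesystem; symlinks are resolved first so a
    # trusted-looking link cannot redirect execution into an untrusted directory.
    real = PurePosixPath(os.path.realpath(path))
    stats = {str(q): os.lstat(str(q)) for q in [real] + list(real.parents) if os.path.lexists(str(q))}
    return component_problems(str(real), {k: Entry(s.st_mode, s.st_uid) for k, s in stats.items()}, trusted_uid)

# Constructed metadata (not from the page): a root-owned system binary, a helper whose
# parent directory belongs to an unprivileged user, and a helper in a world-writable directory.
SAMPLE_FS = {
    "/": Entry(stat.S_IFDIR | 0o755, 0),
    "/usr": Entry(stat.S_IFDIR | 0o755, 0),
    "/usr/bin": Entry(stat.S_IFDIR | 0o755, 0),
    "/usr/bin/ps": Entry(stat.S_IFREG | 0o755, 0),
    "/opt": Entry(stat.S_IFDIR | 0o755, 0),
    "/opt/tool": Entry(stat.S_IFDIR | 0o755, 1000),
    "/opt/tool/helper": Entry(stat.S_IFREG | 0o755, 1000),
    "/tmp": Entry(stat.S_IFDIR | 0o1777, 0),
    "/tmp/helper": Entry(stat.S_IFREG | 0o755, 0),
}

if __name__ == "__main__":
    for candidate in ("/usr/bin/ps", "/opt/tool/helper", "/tmp/helper"):
        print(candidate, component_problems(candidate, SAMPLE_FS) or ["ok"])
```

Only `/usr/bin/ps` passes; the other two candidates are rejected because an unprivileged user could replace the file, which is the condition the advisory describes.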
Solution
No action is required by customers. Qualys Cloud Agent manifests with manifest version 2.5.548.2 have been automatically updated across all regions effective immediately.
Affected Products
| Product | Vulnerability Management | Policy Compliance |
| --- | --- | --- |
| Linux Agent | ✓ | ✓ |
| Mac Agent | ✓ | ✓ |
| Solaris Agent | ✓ | ✓ |
| CoreOS | No | No |
| FreeBSD | ✓ | ✓ |
| Traditional Scanner (ML) | ✓ | ✓ |
Severity Considerations
Qualys assesses the attack complexity for this vulnerability as High, as it requires local system access by an attacker and the ability to write malicious files to user system paths. This lowers the overall severity score from High to Medium.
References
Not applicable.
Acknowledgments
Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)
Qualys Cloud Agent for Linux: Possible Information Disclosure [DISPUTED]
Advisory ID: Q-PSA-2022-02
CVE ID: CVE-2022-29550
Published: 2022-08-15
Last Update: 2022-08-15
CWE: CWE-312, CWE-200
| Risk Factor | NVD Risk Rating | Qualys Risk Rating |
| --- | --- | --- |
| CVSSv3.1 Score | 5.5 / Medium | Unchanged |
| CVSSv3.1 Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | Unchanged |
Description
Qualys Cloud Agent for Linux writes the output of the ps auxwwe command to the /var/log/qualys/qualys-cloud-agent-scan.log file when the logging level is configured to trace. While customers often require this level of logging for troubleshooting, customer credentials or other secrets could be written to the Qualys logs from environment variables, if set by the customer.
Dispute Rationale
Qualys disputes the validity of this vulnerability for the following reasons:
- Qualys logs are stored locally on the customer device and the logs are only accessible by the Qualys Cloud Agent user OR root user on that device
- Qualys customers have numerous options for setting lower logging levels for the Qualys Cloud Agent that would not collect the output of agent commands
- Using cleartext credentials in environment variables is not aligned with security best practices and should not be done (Reference https://cwe.mitre.org/data/definitions/256.html and https://cwe.mitre.org/data/definitions/312.html)
Solution
The default logging level of Qualys Cloud Agent for Linux is informational. At this logging level, the output of ps auxwwe is not written to qualys-cloud-agent-scan.log. Qualys documentation has been updated to support customer decision-making on appropriate logging levels and related security considerations.
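Because `ps auxwwe` appends each process's environment to its row, a trace-level log that captured it may contain whatever secrets were exported into process environments. An added example, not part of the Qualys page or product, that audits and redacts such a log before it is shared for troubleshooting; the variable-name heuristic and the sample lines are constructed, and the log layout is illustrative rather than the agent's actual format.

```python
import re

# Environment-variable names that commonly carry secrets. Heuristic list constructed
# for this example; extend it to match the naming conventions in your own fleet.
SECRET_KEY_RE = re.compile(
    r"\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)[A-Z0-9_]*)=(\S+)",
    re.IGNORECASE,
)

def redact_line(line):
    """Replace the value of every secret-looking KEY=VALUE pair in one log line.
    Returns the redacted line and the list of variable names that were redacted."""
    names = []
    def replace(match):
        names.append(match.group(1))
        return f"{match.group(1)}=<REDACTED>"
    return SECRET_KEY_RE.sub(replace, line), names

def audit_log(lines):
    """Scan log lines in order. Returns (hits, redacted_lines) where hits lists
    (1-based line number, variable names) for every line that leaked a secret."""
    hits, redacted = [], []
    for number, line in enumerate(lines, start=1):
        clean, names = redact_line(line)
        redacted.append(clean)
        if names:
            hits.append((number, names))
    return hits, redacted

# Constructed sample: the layout is illustrative, not the agent's actual log format.
# Line 3 mimics a `ps auxwwe` row, whose trailing fields are the process environment.
SAMPLE_LOG = [
    "2022-08-15 10:00:01 [info] scan started",
    "2022-08-15 10:00:02 [trace] executing: ps auxwwe",
    "app 1203 0.0 0.1 12345 678 ? S 09:58 0:00 /usr/bin/python3 app.py "
    "PATH=/usr/bin HOME=/home/app DB_PASSWORD=hunter2 AWS_SECRET_ACCESS_KEY=EXAMPLE-not-a-real-key",
    "root 1 0.0 0.0 1234 56 ? Ss 09:00 0:01 /sbin/init TERM=linux",
]

if __name__ == "__main__":
    hits, redacted = audit_log(SAMPLE_LOG)
    for number, names in hits:
        print(f"line {number}: redacted {', '.join(names)}")
    print("\n".join(redacted))
```

A non-empty `hits` list is also the signal that the logging level should be lowered, or the secrets moved out of process environments, before the next scan runs.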
Affected Products
| Product | Vulnerability Management | Policy Compliance |
| --- | --- | --- |
| Linux Agent | ✓ | ✓ |
| Mac Agent | ✓ | ✓ |
| Solaris Agent | ✓ | ✓ |
| CoreOS | No | No |
| FreeBSD | ✓ | ✓ |
Severity Considerations
Not applicable.
References
Acknowledgments
Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)
FAQs
**What action must customers take to fix CVE-2022-29549?**
No action is required by Qualys customers. Qualys released signature updates with manifest version 2.5.548.2 to address this CVE and has rolled the updates out across the Qualys Cloud Platform.
To quickly discover if there are any agents using older manifest versions, Qualys has released QID 376807 on August 15, 2022, in Manifest version LX_MANIFEST-2.5.555.4-3 for Qualys Cloud Agent for Linux only.
Customers may use QQL vulnerabilities.vulnerability.qid:376807 in Qualys Cloud Agent, Qualys Global AssetView, Qualys VMDR, or Qualys CyberSecurity Asset Management to identify assets using older manifest versions.
**What action must customers take to fix CVE-2022-29550?**
The default logging level for the Qualys Cloud Agent is informational. At this level, the output of commands is not written to the Qualys log. If customers need to troubleshoot, they must change the logging level to trace in the configuration profile. Multi-pass commands are logged in verbose mode, and non-multi-pass commands are logged only in trace mode.
Additional details were added to our documentation to help guide customers in their decision to enable either Verbose level logging or Trace level logging.
**How would a customer determine if CVE-2022-29549 was exploited on an impacted device?**
As a prerequisite for CVE-2022-29549, an adversary would need to have already compromised the local system running the Qualys Cloud Agent. Common signs of a local account compromise include abnormal account activity, disabled AV and firewall rules, local logging turned off, and malicious files written to disk. File integrity monitoring logs may also indicate that an attacker replaced key system files. Customers could also review trace-level log messages from the Qualys Cloud Agent to list the files executed by the agent, and then correlate those logs with recently modified files on the system. The system files need to be examined using either antivirus software or manual analysis to determine whether they are malicious. Binary hash comparison and file monitoring are separate technologies and different product offerings from Qualys: Qualys File Integrity Monitoring (FIM) and Qualys Multi-Vector EDR.
**How does Qualys test the security of Qualys Cloud Agent?**
Qualys product security teams perform continuous static and dynamic testing of new code releases. Senior application security engineers also perform manual code reviews. Additionally, Qualys performs periodic third-party security assessments of the complete Qualys Cloud Platform including the Qualys Cloud Agent. Lessons learned were identified as part of CVE-2022-29549 and new preventative and detective controls were added to build processes, along with updates to our developer training and development standards.
**Is there an updated version of Qualys Cloud Agent? Why?**
While a new agent is not required to address CVE-2022-29549, we updated Qualys Cloud Agent with an enhanced defense-in-depth mechanism for our customers to use if they choose. The new version offers three modes for running Vulnerability Management (VM) signature checks with each mode corresponding to a different privilege profile explained in our updated documentation.
New versions of the Qualys Cloud Agents for Linux were released in August 2022.
| OS | Latest Version |
| --- | --- |
| Linux Intel | 5.0 |
| Mac Intel | 3.17 |
| AIX | 4.17 |
| MAC M1 | 3.26 |
| Linux ARM | 4.18 |
| Linux PPC | 3.21 |
**For the new Qualys Cloud Agent, what modes and privileges does it offer over the previous version?**
The new version provides different modes allowing customers to select from various privileges for running a VM scan.
The different modes available are:
- Agent User Mode: The Qualys Cloud Agent runs VM scans with the same privileges the customer configured for running the Qualys Cloud Agent
- Safe Mode: The Qualys Cloud Agent runs the VM scan only with lower privileges and does not run any command or binary with elevated privileges
- Dynamically Privilege Elevation Mode: The Qualys Cloud Agent runs the VM scan with lower privileges by default and dynamically elevates to root only for those commands that failed with permission errors at the lower privilege level
The documentation for different privileges for Qualys Cloud Agent users has been updated on Qualys Linux Agent Guide.
Customers needing additional information should contact their Technical Account Manager or email Qualys product security at [email protected].
Qualys takes the security and protection of its products seriously. If you believe you have identified a vulnerability in one of our products, please let us know at [email protected].