CVE-2022-0237 Overview
CVE-2022-0237 is a privilege escalation vulnerability affecting Rapid7 Insight Agent versions 3.1.2.38 and earlier. The vulnerability exists due to an unquoted argument passed to the runas.exe command used by the ir_agent.exe component. This flaw allows a local attacker to hijack the flow of execution, resulting in elevated privileges and persistent access to the affected system.
Critical Impact
Local attackers can leverage this unquoted service path vulnerability to escalate privileges and gain persistent elevated access to compromised systems running vulnerable versions of Rapid7 Insight Agent.
Affected Products
- Rapid7 Insight Agent versions 3.1.2.38 and earlier
- All Windows platforms running the vulnerable ir_agent.exe component
Discovery Timeline
- 2022-02-25 - Rapid7 releases security patch in version 3.1.3.80
- 2022-03-17 - CVE-2022-0237 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0237
Vulnerability Analysis
This vulnerability falls under the category of Privilege Escalation through an unquoted service path (CWE-428). When the ir_agent.exe component invokes runas.exe with an unquoted path argument, Windows interprets spaces in the path as argument delimiters. This behavior allows an attacker to place a malicious executable in a location that Windows will execute before reaching the intended target.
The vulnerability requires local access to the system with low-privilege credentials. Once exploited, the attacker can achieve full confidentiality, integrity, and availability impact on the affected system. The unquoted path issue is a well-known Windows vulnerability class that has been documented under CWE-264 (Permissions, Privileges, and Access Controls) and CWE-428 (Unquoted Search Path or Element).
Root Cause
The root cause of this vulnerability is improper handling of file paths in the ir_agent.exe component. When calling runas.exe, the path argument is not enclosed in quotation marks. On Windows systems, when a service executable path contains spaces and is not properly quoted, the operating system will attempt to execute binaries at each space-delimited segment of the path before reaching the intended executable.
Attack Vector
The attack requires local access to the system where Rapid7 Insight Agent is installed. An attacker with low-privilege access can exploit this vulnerability by:
- Identifying the unquoted service path used by ir_agent.exe
- Creating a malicious executable in a directory that precedes the intended target in the unquoted path
- Waiting for the service to restart or triggering a restart condition
- Once the service restarts, the malicious executable runs with elevated SYSTEM privileges
The vulnerability is documented with a proof-of-concept script available at the GitHub Gist PoC Script, which demonstrates the exploitation methodology.
Detection Methods for CVE-2022-0237
Indicators of Compromise
- Presence of unexpected executables in directories along the Rapid7 Insight Agent installation path
- Unusual process spawning from ir_agent.exe or runas.exe
- New or modified files in C:\Program.exe, C:\Program Files\Rapid7.exe, or similar path truncation locations
- Evidence of privilege escalation attempts in Windows Security Event logs
Detection Strategies
- Monitor for creation of executables in root directories or common path truncation locations (e.g., C:\Program.exe)
- Implement file integrity monitoring on directories within the Rapid7 Insight Agent installation path
- Review Windows Event ID 4688 (Process Creation) for suspicious child processes spawned by ir_agent.exe
- Audit service configurations for unquoted service paths using tools like PowerShell or third-party scanners
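The service-path audit listed above, as an added example that is not Rapid7's or the page's own code: it enumerates Windows services whose image path is unquoted and contains spaces, derives the truncation candidates (the C:\Program.exe style locations named in the Indicators of Compromise), and flags candidates whose parent directory is writable by the low-privilege principals assumed in $lowPriv. It assumes an elevated PowerShell prompt and treats only CreateFiles/WriteData as a write right, so generic-write ACEs are not detected.

```powershell
# Added audit example (not Rapid7's code). Assumed low-privilege principals:
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-TruncationCandidates([string]$ImagePath) {
    # Keep only the executable portion (drop arguments after ".exe"),
    # then build one candidate per space: "C:\Program Files\Rapid7\x.exe"
    # yields C:\Program.exe and C:\Program Files\Rapid7.exe-style paths.
    $exe = ($ImagePath -split '\.exe', 2)[0] + '.exe'
    $parts = $exe -split ' '
    $cands = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $cands += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $cands
}

function Test-LowPrivWritable([string]$Dir) {
    # True if any Allow ACE for a low-privilege principal grants CreateFiles.
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

# Report every unquoted, space-containing service path with its candidates.
Get-CimInstance Win32_Service | ForEach-Object {
    $p = $_.PathName
    if (-not $p -or $p.StartsWith('"') -or $p -notmatch ' ') { return }
    foreach ($c in Get-TruncationCandidates $p) {
        $dir = Split-Path -Parent $c
        [pscustomobject]@{
            Service     = $_.Name
            ImagePath   = $p
            Candidate   = $c
            DirWritable = Test-LowPrivWritable $dir
        }
    }
} | Format-Table -AutoSize
```

Any row with DirWritable set to True is a path that a low-privilege user could abuse and should be quoted in the service registration and have its directory ACL tightened.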
Monitoring Recommendations
- Enable verbose logging for the Rapid7 Insight Agent service
- Configure SentinelOne to monitor for suspicious executable placement in common unquoted path exploitation directories
- Set up alerts for process creation events where runas.exe spawns unexpected child processes
- Regularly audit installed software versions against known vulnerable versions
How to Mitigate CVE-2022-0237
Immediate Actions Required
- Upgrade Rapid7 Insight Agent to version 3.1.3.80 or later immediately
- Audit all systems running Rapid7 Insight Agent to identify vulnerable versions
- Scan for indicators of compromise on systems running versions 3.1.2.38 or earlier
- Restrict write access to directories in the Windows PATH and common service installation paths
Patch Information
Rapid7 addressed this vulnerability in Insight Agent version 3.1.3.80, released on February 25, 2022. The fix properly quotes the path argument when invoking runas.exe, preventing path interpretation attacks. Organizations should reference the official Rapid7 InsightAgent Release Notes for complete patch details and upgrade instructions.
Workarounds
- If immediate patching is not possible, manually modify the service registration to include quoted paths
- Implement strict access controls to prevent low-privilege users from writing to directories in the service path
- Use application whitelisting to prevent execution of unauthorized binaries in sensitive directories
- Monitor and alert on any file creation events in potential path truncation locations
# Check for vulnerable Rapid7 Insight Agent versions
# Run from an elevated PowerShell prompt (the "#" comments are PowerShell syntax, not cmd.exe)
# Query installed version via registry and compare against the fixed version 3.1.3.80
reg query "HKLM\SOFTWARE\Rapid7\Insight Agent" /v Version
# Audit the service image path for unquoted strings (wmic is deprecated on recent Windows builds)
wmic service get name,pathname | findstr /i "rapid7"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.