CVE-2022-35631: 
Velociraptor vulnerability analysis and mitigation

CVE-2022-35631 is a filesystem race condition vulnerability affecting the Velociraptor client software. The vulnerability was discovered in July 2022 by Tim Goddard from CyberCX and was disclosed to Rapid7/Velocidex on July 11, 2022. The issue affects MacOS and Linux systems running Velociraptor client versions prior to 0.6.5-2 (Rapid7 Blog).

The vulnerability stems from the Velociraptor client's use of a local buffer file to store data it cannot deliver to the server quickly enough. While the file is created with restricted permissions, the filename is predictable and stored in the client's configuration file. On MacOS and Linux systems, this predictable filename could be exploited through a symlink attack, where an attacker could replace the predictable filename with a symlink to another file, causing the Velociraptor client to overwrite the target file (Rapid7 Blog).

The vulnerability could allow an attacker to perform a symlink attack on MacOS and Linux systems, potentially causing the Velociraptor client to overwrite files it shouldn't have access to. Windows clients running in the default configuration are not affected by this issue, as the buffer file is stored in a directory with restricted permissions only writable by Administrators (Rapid7 Blog).

The vulnerability can be mitigated by either using an in-memory buffer mechanism or specifying that the buffer file should be created in a directory only writable by root. Users can set the Client.local_buffer.filename_linux to an empty string or specify a directory only writable by root. The issue has been fixed in Velociraptor version 0.6.5-2, released on July 26, 2022 (Rapid7 Blog).