CVE-2024-10526: 
Velociraptor vulnerability analysis and mitigation

Rapid7 Velociraptor MSI Installer versions below 0.73.3 contain a critical security vulnerability identified as CVE-2024-10526. The vulnerability was discovered and disclosed on November 7, 2024, affecting the installation directory permissions of the Velociraptor software (NVD).

The vulnerability stems from the MSI Installer creating the installation directory with WRITE_DACL permission granted to the BUILTIN\Users group. This misconfiguration has been assigned a CVSS v4.0 base score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:D/RE:L/U:Red. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) and CWE-732 (Incorrect Permission Assignment for Critical Resource) (NVD).

The vulnerability allows local users who are not administrators to grant themselves Full Control permission on Velociraptor's files. This access enables malicious users to modify Velociraptor's files, potentially subverting the binary and causing the Velociraptor service to execute arbitrary code with SYSTEM user privileges. Additionally, attackers could completely replace the Velociraptor binary (NVD).

The vulnerability has been fixed in Velociraptor version 0.73.3. Users are strongly advised to upgrade to this version or later to address the security issue (NVD).