Very Low
Metasploit Pro 4.16 and earlier install the web server SSL server.key as local-user readable by default
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Metasploit Pro 4.16 and earlier install the web server SSL server.key as local-user readable by default
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
Add Assessment
Ratings
-
Attacker ValueVery Low
-
ExploitabilityVery Low
Technical Analysis
This requires authentication via a remote shell in order to be effective. If an adversary is on your Metasploit Pro machine such that they can access the key in the first place, it’s already game-over. So, having the web-server certificate key (which is by default a fake cert anyway) is unlikely to be a high risk for a Metasploit Pro user.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
Products
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Zero-day Exploit
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
