Fixed version
4.16.1
CVE-2019-5642 describes an information disclosure vulnerability affecting Rapid7 Metasploit Pro versions up to 4.16.0-2019081901. This vulnerability stems from the insecure storage of the server.key file, which is written to the file system with world-readable permissions. Exploitation could allow unauthorized access to sensitive communications intended for the Metasploit Pro web interface.
The primary impact of CVE-2019-5642 is the potential for unauthorized interception of communications between the Metasploit Pro client and server. An attacker with access to the same system where Metasploit Pro is installed could read the server.key file and use it to decrypt and view sensitive data transmitted over the web interface. This could include credentials, session tokens, and other confidential information. While the CVSS score is LOW, the potential for data exposure warrants prompt remediation, especially in environments where Metasploit Pro is used to manage sensitive systems or conduct penetration testing activities.
CVE-2019-5642 was publicly disclosed on November 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely released. The vulnerability is not listed on the CISA KEV catalog.
Organizations using Metasploit Pro for penetration testing or vulnerability management, particularly those with shared systems or environments where file system permissions are not strictly controlled, are at risk. Legacy Metasploit Pro installations running versions prior to 4.16.0-2019091001 are also vulnerable.
disclosure
Exploitation status
EPSS
0.10% (26th percentile)
CVSS vector
The primary mitigation for CVE-2019-5642 is to upgrade Metasploit Pro to version 4.16.0-2019091001 or later, which addresses the insecure file permissions. If an immediate upgrade is not feasible, consider restricting access to the system where Metasploit Pro is installed to only authorized personnel. Additionally, review file system permissions on existing Metasploit Pro installations to ensure the server.key file is not world-readable. After upgrading, verify the fix by confirming the server.key file has restricted permissions (e.g., only readable by the Metasploit Pro user).
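The permission review and post-upgrade verification described above, as an added example that is not part of Rapid7's advisory or product: a small POSIX shell audit that reports whether a key file carries the world-readable bit and, on request, restricts it to owner-only. The page gives no install path for server.key, so `METASPLOIT_KEY` is a placeholder you must point at the real location.

```shell
#!/bin/sh
# Added example (not Rapid7 code): audit a private key file for the
# world-readable mode at issue in CVE-2019-5642 and tighten it to 0600.
# PLACEHOLDER: the page does not state where Metasploit Pro writes server.key.
METASPLOIT_KEY="${METASPLOIT_KEY:-/PLACEHOLDER/metasploit/server.key}"

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
key_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 when "others" have read access, 1 when they do not, 2 on stat failure.
is_world_readable() {
    mode=$(key_mode "$1") || return 2
    last=${mode#"${mode%?}"}          # final octal digit = permissions for "others"
    case $last in
        4|5|6|7) return 0 ;;          # read bit (4) set for others
        *)       return 1 ;;
    esac
}

# Audit one key file; with second argument "yes", also chmod it to 0600.
# Returns 0 if already restricted, 1 if it was found world-readable.
audit_key() {
    file=$1; fix=${2:-no}
    if is_world_readable "$file"; then
        echo "VULNERABLE: $file mode $(key_mode "$file") is world-readable"
        if [ "$fix" = "yes" ]; then
            chmod 0600 "$file"
            echo "fixed: $file now mode $(key_mode "$file")"
        fi
        return 1
    fi
    echo "ok: $file mode $(key_mode "$file") is restricted"
    return 0
}

# Stand-alone use: report on the configured key without modifying it.
if [ -f "$METASPLOIT_KEY" ]; then
    audit_key "$METASPLOIT_KEY" no
fi
```

Run it as the Metasploit Pro service user (or root) so `stat` and `chmod` can reach the file; a non-zero exit from `audit_key` means the key was exposed before the fix was applied.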
Upgrade Metasploit Pro to version 4.16.0-2019091001 or later. This corrects the permissions on the server.key file and prevents unauthorized access to web communications.
CVE-2019-5642 is a LOW severity vulnerability in Metasploit Pro where the server.key file is stored with world-readable permissions, potentially allowing unauthorized access to communications.
You are affected if you are using Metasploit Pro versions 4.16.0-2019081901 or earlier. Upgrade to mitigate the risk.
Upgrade Metasploit Pro to version 4.16.0-2019091001 or later. Also, review file system permissions to ensure the server.key file is not world-readable.
There is no current evidence of active exploitation campaigns targeting CVE-2019-5642.
Refer to the Rapid7 security advisory for details: https://www.rapid7.com/blog/post/2019/11/06/metasploit-pro-security-update/