CVE-2020-7350
Published 2020-04-22
Priority: P3 · 48 · CVSS 3.1: 7.8 (high) · vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: EPSS 4.88% (91.0th percentile)
Rapid7 Metasploit Framework versions before 5.0.85 suffer from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. An attacker can create a specially crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Note, only the Metasploit Framework and products that expose the plugin system are susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rapid7 | metasploit | < 5.0.85 | 5.0.85 |
| rapid7 | metasploit_framework | >= 5.0.85 < 5.0.85 | 5.0.85 |
Detection & IOCs (extracted from sources)
- Monitor for crafted import files (e.g., XML/Nexpose/Nessus exports) containing malicious hostnames or service names with shell metacharacters, processed via the Metasploit `db_import` command.
- Inspect hostnames and service names ingested by Metasploit's libnotify plugin for OS command injection payloads (shell metacharacters, backticks, $() constructs, semicolons, etc.).
- Alert on Metasploit Framework versions 5.0.79 and earlier running the libnotify plugin, as these are confirmed vulnerable.
- Watch for unexpected child processes spawned from the Metasploit operator terminal during or after a `db_import` operation, which may indicate successful command injection via the libnotify plugin.
- Only Metasploit Framework and products exposing the plugin system are affected; Rapid7 Metasploit Pro is NOT vulnerable.
- The vulnerability is only exploitable via the `db_import` command with a specially crafted file; normal scan operations cannot trigger it.
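The first two detection items above can be turned into a pre-import gate. The script below is an added example, not code from this page or from Metasploit: it walks an Nmap-style XML export (the layout is assumed; the sample file is constructed) and reports every hostname or service name that carries a shell metacharacter, so the file can be rejected before it reaches `db_import` on a Framework older than 5.0.85.

```python
"""Pre-import check for db_import files (added example, not Metasploit code).

Flags hostnames and service names containing shell metacharacters, the input
class CVE-2020-7350 describes, so a crafted export can be refused up front.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Characters that let a value break out of a shell command line: command
# separators, substitution, redirection, quoting, globbing and whitespace.
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\\n\r*?!~\[\]\s]")

# Constructed sample in Nmap XML layout (assumed): one clean host and one whose
# hostname and service name would be unsafe if interpolated into a shell.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="80"><service name="http"/></port></ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames><hostname name="db02;x" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="22"><service name="ssh$(y)"/></port></ports>
  </host>
</nmaprun>
"""


def find_unsafe_names(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (address, field, value) for every name holding a shell metacharacter."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for hn in host.iter("hostname"):
            name = hn.get("name", "")
            if SHELL_META.search(name):
                findings.append((addr, "hostname", name))
        for svc in host.iter("service"):
            name = svc.get("name", "")
            if SHELL_META.search(name):
                findings.append((addr, "service", name))
    return findings


if __name__ == "__main__":
    # With a path argument the real export is checked; otherwise the sample runs.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, field, value in find_unsafe_names(text):
        print(f"REJECT {addr}: {field} {value!r} contains shell metacharacters")
```

A non-empty result means the file should not be handed to `db_import` on an unpatched Framework; an empty result only covers the two fields this CVE names, not the rest of the import.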
CVSS provenance
- NVD, CVSS v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.