Security Bulletin

CVE-2022-24308 (03/29/2022): Information Disclosure via Install Process, Severity Medium (4.4)

Severity: Medium

CVE Score: 4.4

CVE Vector String: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description: Automox Agent prior to version 37 on Windows and Linux, and prior to version 36 on OSX, could allow a non-privileged user to obtain sensitive information during the install process.

Affected Products:

  • Automox Agent prior to version 37 (Windows and Linux)
  • Automox Agent prior to version 36 (OSX)

Source: Reported by Mostafa Soliman

Severity: High

CVE Score: 7.8

CVE Vector String: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description: The Automox Agent prior to version 32 incorrectly sets permissions on a temporary directory while running in Windows environments.

Affected Products:

  • Automox Agent prior to version 32 (Windows only)

Source: Reported by Greg Foss

Severity: High

CVE Score: 7.8

CVE Vector String: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description: The Automox Agent version 33 incorrectly sets permissions on a temporary directory while running in Windows environments.

Affected Products:

  • Automox Agent version 33 (Windows only)

Source: Reported by Adam Nadrowski and Ryan Garbars - Automox Security

Severity: Low

CVE Score: 3.7

CVE Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description: The Automox Agent exposes an easily guessed endpoint in the Automox AWS infrastructure.

Affected Products:

  • Automox agents prior to version 31

Source: Reported by Rapid7 researcher Danny Jordan

Severity: Low

CVE Score: 3.3

CVE Vector String: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description: Automox Agent improperly logs sensitive information on the local endpoint.

Affected Products:

  • Automox agents prior to version 31

Source: Reported by Rapid7 researcher Danny Jordan