CVE: CVE-2022-29527

Export to Word

Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. This occurs in certain situations involving a race condition.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.00045
Percentile: 0.13693

CVSS Scoring

CVSS v3.1 Score: 7.0

Severity: HIGH

Mapped CWE(s)

CWE-362 : Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-732 : Incorrect Permission Assignment for Critical Resource

All CAPEC(s)

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
CAPEC-122: Privilege Abuse
CAPEC-127: Directory Indexing
CAPEC-17: Using Malicious Files
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-206: Signing Malicious Code
CAPEC-234: Hijacking a privileged process
CAPEC-26: Leveraging Race Conditions
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC-60: Reusing Session IDs (aka Session Replay)
CAPEC-61: Session Fixation
CAPEC-62: Cross Site Request Forgery
CAPEC-642: Replace Binaries

CAPEC(s) with Mapped TTPs

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
Mapped TTPs:
- T1574.010 : Services File Permissions Weakness
CAPEC-122: Privilege Abuse
Mapped TTPs:
- T1548 : Abuse Elevation Control Mechanism
CAPEC-127: Directory Indexing
Mapped TTPs:
- T1083 : File and Directory Discovery
CAPEC-17: Using Malicious Files
Mapped TTPs:
- T1574.005 : Executable Installer File Permissions Weakness
- T1574.010 : Services File Permissions Weakness
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
Mapped TTPs:
- T1574.010 : Services File Permissions Weakness
CAPEC-206: Signing Malicious Code
Mapped TTPs:
- T1553.002 : Code Signing
CAPEC-60: Reusing Session IDs (aka Session Replay)
Mapped TTPs:
- T1134.001 : Token Impersonation/Theft
- T1550.004 : Web Session Cookie
CAPEC-642: Replace Binaries
Mapped TTPs:
- T1505.005 : Terminal Services DLL
- T1554 : Compromise Host Software Binary
- T1574.005 : Executable Installer File Permissions Weakness

Mapped ATT&CK TTPs

T1574.010 : Services File Permissions Weakness
Kill Chain: persistence
T1548 : Abuse Elevation Control Mechanism
Kill Chain: privilege-escalation
T1083 : File and Directory Discovery
Kill Chain: discovery
T1574.005 : Executable Installer File Permissions Weakness
Kill Chain: persistence
T1574.010 : Services File Permissions Weakness
Kill Chain: persistence
T1574.010 : Services File Permissions Weakness
Kill Chain: persistence
T1553.002 : Code Signing
Kill Chain: defense-evasion
T1134.001 : Token Impersonation/Theft
Kill Chain: defense-evasion
T1550.004 : Web Session Cookie
Kill Chain: defense-evasion
T1505.005 : Terminal Services DLL
Kill Chain: persistence
T1554 : Compromise Host Software Binary
Kill Chain: persistence
T1574.005 : Executable Installer File Permissions Weakness
Kill Chain: persistence

Malware

APTs Threat Group Associations

Campaigns

Operation Wocao
APT41 DUST
SolarWinds Compromise
Operation CuckooBees
Operation Honeybee
2016 Ukraine Electric Power Attack
RedDelta Modified PlugX Infection Chain Operations
Operation Dream Job
C0015
Night Dragon
HomeLand Justice
Cutting Edge
KV Botnet Activity

Affected Products

cpe:2.3:a:amazon:amazon_ssm_agent:*:*:*:*:*:*:*:*

← Back to Home