CVE-2022-3913

CVE-2022-3913 describes an improper certificate validation flaw in Rapid7 Nexpose and InsightVM during the update download process for versions 6.6.82 through 6.6.177, which could allow an attacker on an adjacent network to intercept or redirect update traffic; a fix was released in 6.6.178.


Description Preview

Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the update server’s TLS certificate when downloading updates. This weakness could enable a privileged attacker on the same network path to present a rogue HTTPS endpoint or redirect traffic to the attacker’s server, potentially intercepting communications. Exploitation requires pre-existing access to at least one node on the network path and the ability to spoof the update server’s FQDN or redirect legitimate traffic. Even in this scenario, the attacker could not normally replace an update package with a malicious one because the update process validates a separate code-signing certificate. The vulnerability was addressed in update 6.6.178, released on February 1, 2023. CVSS v3.1 metrics indicate an Attack Vector of Adjacent Network, High Confidentiality impact, No Availability or Integrity impacts, and a base score of 5.3 (Medium). CWE-295 (Improper Certificate Validation) is the associated weakness.

Overview

Rapid7 Nexpose and InsightVM releases prior to 6.6.178 failed to properly validate the update server’s TLS certificate when downloading updates, creating a risk that an attacker on the same network path could spoof the update endpoint or intercept traffic. Although the upgrade mechanism still validates a separate code-signing certificate, enabling some protection against tampering, the TLS validation issue could allow man-in-the-middle activity for applicable versions 6.6.82–6.6.177. The issue was fixed in update 6.6.178, released February 1, 2023.

Remediation

  • Upgrade to Nexpose/InsightVM version 6.6.178 or newer (the fixed release) to ensure proper update server certificate validation.
  • After upgrading, verify that the update download mechanism validates the update server’s TLS certificate and that update packages remain protected by code-signing verification.
  • If immediate upgrade is not possible, implement network-level mitigations to reduce risk (e.g., restrict update traffic to trusted update servers, monitor TLS certificates and interception indicators, and enforce network segmentation and access controls on the update path).
  • Validate the remediation by testing the update flow in a controlled environment and confirming updates are retrieved from the legitimate update server without TLS interception.
  • Review Rapid7’s release notes and advisories to confirm patch applicability and guidance, and plan the rollout to all affected instances.
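As an added example (not Rapid7's code; the update hostname is a placeholder), a minimal update-client TLS configuration that shows the weak pattern the advisory describes next to the verifying one, together with an audit check a defender can run against a client context before any download and a helper for the certificate monitoring suggested above:

```python
import socket
import ssl
from urllib.request import Request, urlopen

UPDATE_HOST = "updates.example.invalid"  # placeholder, not Rapid7's real update FQDN


def make_context(verify: bool) -> ssl.SSLContext:
    """Build the TLS client context an update downloader would use.

    verify=False reproduces the CWE-295 pattern: the server certificate is
    neither chain-validated nor matched against the FQDN, so any on-path
    host presenting its own certificate is accepted.
    verify=True is the corrected configuration: system trust store, chain
    validation, hostname matching and TLS 1.2 or newer.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    if not verify:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context actually validate the update server?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_update_artifact(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Download an update artifact, refusing to proceed with a non-verifying
    context. With a verifying context, urlopen raises
    ssl.SSLCertVerificationError if the server's certificate does not chain
    to a trusted root or does not match the requested hostname."""
    if not context_is_safe(ctx):
        raise ValueError("refusing to download updates without certificate validation")
    req = Request(url, headers={"User-Agent": "update-client-check/1.0"})
    with urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def peer_cert_summary(host: str = UPDATE_HOST, port: int = 443) -> dict:
    """Monitoring helper: connect with full validation and return the issuer,
    subject and expiry of the certificate presented on the update path, so an
    unexpected issuer or subject change can be alerted on."""
    with socket.create_connection((host, port), timeout=10.0) as sock:
        with make_context(True).wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
            "notAfter": cert.get("notAfter")}
```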


Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Educational Services: Low
  2. Manufacturing: Low
  3. Public Administration: Low
  4. Accommodation & Food Services: Low
  5. Administrative, Support, Waste Management & Remediation Services: Low
  6. Agriculture, Forestry, Fishing & Hunting: Low
  7. Arts, Entertainment & Recreation: Low
  8. Construction: Low
  9. Finance and Insurance: Low
  10. Health Care & Social Assistance: Low
  11. Information: Low
  12. Management of Companies & Enterprises: Low
  13. Mining: Low
  14. Other Services (except Public Administration): Low
  15. Professional, Scientific, & Technical Services: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
