CVE-2021-26908 and CVE-201-26909:


Automox Agent Information Disclosure

In February 2021, two vulnerabilities were discovered and reported to Automox by Danny Jordan of Rapid7. CVE-2021-26908 and CVE-2021-26909 are two information disclosure bugs that affected all Automox agent versions previous to 31. Both vulnerabilities received a low CVSS. Automox began phased agent upgrades last week, and most if not all agents should be upgraded at the time of this disclosure.

CVE-2021-26908, a vulnerability found in the Automox Agent due to improper logging of


sensitive information on the endpoint. CVE-2021-26908 has a CVSS score of 3.3 (Low). Automox has removed all sensitive information from these agent logs.

CVE-2021-26909, with the information disclosed via CVE-2021-26908, an attacker would be armed with enough information to brute force bucket URLs that store uploaded files in S3. Automox has masked and attached a time to live to these URLs to prevent an attacker from guessing them. This vulnerability has been assigned a CVSS score of 3.7(low).

Automox continually works to identify and fix security vulnerabilities in our product and infrastructure. We innovate and improve our platform to protect our customers and their infrastructure from adversaries. We are confident in the effectiveness and security of our products and the processes implemented internally to prevent exploitation. At Automox, we believe that the community around us helps to create a better and safer world and we would like to thank Danny Jordan and the Rapid 7 team for helping us secure our product for our end users.

For additional information on these vulnerabilities, please see Rapid 7’s disclosure blog below: