
CVE-2024-13861: CWE-732 Incorrect Permission Assignment for Critical Resource in Sophos Taegis Endpoint Agent (Linux)

Severity: High
Published: Fri Apr 11 2025 (04/11/2025, 12:41:45 UTC)
Source: CVE Database V5
Vendor/Project: Sophos
Product: Taegis Endpoint Agent (Linux)

Description

A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10 allows local users arbitrary code execution as root. Redhat-based systems using RPM packages are not affected.

AI-Powered Analysis

Last updated: 02/26/2026, 19:42:15 UTC

Technical Analysis

CVE-2024-13861 is a vulnerability categorized under CWE-732, indicating incorrect permission assignment for a critical resource within the Sophos Taegis Endpoint Agent for Linux. Specifically, the flaw exists in the Debian package component of the agent in versions older than 1.3.10. This misconfiguration allows local users with limited privileges to perform code injection attacks, resulting in arbitrary code execution with root-level privileges. The vulnerability arises from improper permission settings on files or resources that the agent uses, enabling unauthorized modification or replacement of executable code. Redhat-based systems using RPM packages are not affected, suggesting the issue is isolated to the Debian packaging and installation process. The CVSS 3.1 base score is 7.8 (high), reflecting the local attack vector (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). While no exploits are currently known in the wild, the vulnerability poses a significant risk due to the potential for privilege escalation and full system compromise on affected Debian-based Linux endpoints running the vulnerable Sophos agent.

Potential Impact

The vulnerability allows local attackers to escalate privileges to root by injecting arbitrary code into the Sophos Taegis Endpoint Agent on Debian-based Linux systems. This can lead to complete system compromise, including unauthorized access to sensitive data, modification or deletion of critical files, disruption of endpoint security functions, and potential lateral movement within an organization’s network. Since the agent is a security product, its compromise undermines the overall security posture, potentially allowing attackers to disable or bypass security controls. Organizations relying on Sophos Taegis Endpoint Agent on Debian-based systems face increased risk of insider threats or attackers who gain initial local access. The impact extends to confidentiality, integrity, and availability of affected systems, making this a critical concern for enterprise environments, especially those with sensitive data or regulatory compliance requirements.

Mitigation Recommendations

Organizations should immediately verify if they are running Sophos Taegis Endpoint Agent on Debian-based Linux distributions with versions older than 1.3.10. The primary mitigation is to upgrade the agent to version 1.3.10 or later, where the permission assignment issue has been corrected. If immediate patching is not feasible, restrict local user access on affected systems to trusted personnel only and implement strict access controls to limit potential exploitation. Regularly audit file and directory permissions related to the Sophos agent to detect unauthorized changes. Employ host-based intrusion detection systems (HIDS) to monitor for suspicious activity indicative of privilege escalation attempts. Additionally, consider isolating critical endpoints and applying the principle of least privilege to reduce the attack surface. Coordination with Sophos support for any interim workarounds or patches is recommended. Finally, maintain comprehensive logging and monitoring to detect any exploitation attempts promptly.
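The version check and permission audit recommended above can be scripted. The following is an added example, not code from Sophos or from the advisory: the package name is not given on this page, so it is passed in as an argument (a placeholder you must supply), and only the fixed version 1.3.10 is taken from the advisory. It assumes GNU `stat` and the standard `dpkg`/`dpkg-query` tools.

```shell
#!/bin/sh
# Added example: CWE-732 audit of files installed by a Debian package.
FIXED_VERSION="1.3.10"   # first fixed release, per the advisory

# Read paths on stdin and report any that a non-root user could modify.
# Output format: "<REASON> <octal-mode> <owner> <path>"
audit_paths() {
    while IFS= read -r p; do
        # Skip missing paths and symlinks (a link's own mode is always 777).
        [ -e "$p" ] && [ ! -L "$p" ] || continue
        mode=$(stat -c '%a' "$p") || continue
        owner=$(stat -c '%U' "$p")
        # Mask 022 = group-write or other-write bit set.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $mode $owner $p"
        fi
        if [ "$owner" != "root" ]; then
            echo "OWNER $mode $owner $p"
        fi
    done
}

# Check the installed version, then audit the package's payload files
# and its dpkg control files (maintainer scripts).
audit_package() {
    pkg=$1   # placeholder: the agent's Debian package name on your hosts
    ver=$(dpkg-query -W -f='${Version}' "$pkg") || return 2
    if dpkg --compare-versions "$ver" lt "$FIXED_VERSION"; then
        echo "VULNERABLE $pkg $ver (older than $FIXED_VERSION)"
    fi
    { dpkg-query -L "$pkg"; dpkg-query --control-path "$pkg"; } | audit_paths
}

# Usage: sh audit.sh <package-name>
if [ "$#" -gt 0 ]; then
    audit_package "$1"
fi
```

Any `WRITABLE` or `OWNER` line for a file that runs as root is worth investigating; an empty result on an upgraded host is the expected baseline.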


Technical Details

Data Version: 5.2
Assigner Short Name: Sophos
Date Reserved: 2025-02-11T17:39:11.642Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a0a1b885912abc71d0a0ba

Added to database: 2/26/2026, 7:40:40 PM

Last enriched: 2/26/2026, 7:42:15 PM

Last updated: 2/26/2026, 11:15:03 PM
