CVE-2024-29187 - OpenCVE

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-24T19:38:38.140Z

Updated: 2024-03-24T19:46:06.327Z

Reserved: 2024-03-18T17:07:00.094Z

Link: CVE-2024-29187

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-03-24T20:15:08.003

Modified: 2024-03-25T01:51:01.223

Link: CVE-2024-29187

JSON object: View

Redhat Information

No data.

CWE

CWE-732

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-29187", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.094Z", "datePublished": "2024-03-24T19:38:38.140Z", "dateUpdated": "2024-03-24T19:46:06.327Z"}, "containers": {"cna": {"title": "WiX based installers are vulnerable to binary hijack when run as SYSTEM", "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"version": "< 3.14.1", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:06.327Z"}, "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "source": {"advisory": "GHSA-rf39-3f98-xr7r", "discovery": "UNKNOWN"}}}}

{"descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}, {"lang": "es", "value": "El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. Cuando un paquete se ejecuta como usuario del SYSTEMA, Burn usa GetTempPathW que apunta a un directorio inseguro C:\\Windows\\Temp para colocar y cargar m\u00faltiples archivos binarios. Los usuarios est\u00e1ndar pueden secuestrar el binario antes de que se cargue en la aplicaci\u00f3n, lo que resulta en una elevaci\u00f3n de privilegios. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5."}], "id": "CVE-2024-29187", "lastModified": "2024-03-25T01:51:01.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-24T20:15:08.003", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Secondary"}]}