CVE-2024-24810 in WiX Toolset

Summary

by MITRE • 02/07/2024

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.


Analysis

by VulDB Data Team • 03/01/2024

The vulnerability identified as CVE-2024-24810 affects the WiX toolset, a widely used framework for creating Windows Installer packages that are essential for software deployment on Microsoft Windows platforms. This toolset enables developers to build installers that leverage the Windows installation engine, making it a critical component in enterprise software distribution and system administration workflows. The vulnerability specifically targets the temporary folder structure used during installation processes, creating a significant security risk that impacts all installers constructed using this framework.

The technical flaw is a DLL redirection attack vector that exploits the .be TEMP folder naming convention and directory structure used during the WiX toolset's installation process. When an installer runs, it may load malicious dynamic-link libraries (DLLs) from the temporary directory instead of the legitimate system libraries, allowing an attacker to inject arbitrary code. The privilege escalation occurs because the installer process does not properly validate or restrict the loading of DLLs from temporary directories, so a malicious DLL placed there is found before the legitimate one. The vulnerability is classified under CWE-427 Uncontrolled Search Path Element, which covers applications that search for libraries in directories an attacker can manipulate.

The operational impact of this vulnerability extends across numerous deployment scenarios where WiX-based installers are utilized, affecting both enterprise environments and individual users who rely on software installations built with this framework. Attackers can exploit this weakness to execute arbitrary code with elevated privileges during the installation process, potentially leading to complete system compromise. The vulnerability is particularly dangerous because it can be exploited without requiring user interaction beyond running an installer, making it a significant concern for organizations that distribute software through WiX-based installers. This issue affects the integrity of the entire installation process and can undermine the security posture of systems that rely on these deployment mechanisms.

Organizations should immediately update to WiX toolset version 4.0.4, which contains the patch for the DLL redirection vulnerability. System administrators should inventory all systems running installers built with vulnerable versions of the WiX toolset, particularly in enterprise environments where software deployment automation is common. Security teams should monitor for suspicious activity in temporary directories during installation and consider restricting write permissions on temporary folders to prevent unauthorized DLL placement. Mitigation should also include verifying the integrity of all installers built with the WiX toolset and enforcing code signing so that only trusted components execute during installation. This vulnerability aligns with ATT&CK technique T1059.001 Command and Scripting Interpreter: PowerShell, as attackers may use PowerShell scripts to manipulate temporary directories and place malicious DLLs in strategic locations for privilege escalation.
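The monitoring the analysis recommends can be approximated with a rule over image-load telemetry: an installer that resolves a system DLL name from a user-writable TEMP path is the signature of the CWE-427 redirection described above. This is an added example, not VulDB's or the WiX project's code; it assumes Sysmon Event ID 7 style fields (Image, ImageLoaded, Signed), an illustrative set of system DLL names, and constructed sample events with made-up user and file names.

```python
"""Added example (not VulDB/WiX code): flag installer image loads that
resolve a system DLL name from a user-writable TEMP path (CWE-427)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# DLL names an installer normally resolves from System32 (illustrative set).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}
# Assumed layouts of user-writable temp dirs and the real system dirs.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\", re.I)
BE_FOLDER = re.compile(r"\\\.be\\", re.I)  # the .be TEMP folder the advisory names

@dataclass
class Finding:
    process: str
    dll: str
    reason: str

def analyse(event: dict) -> Finding | None:
    """Inspect one Sysmon Event ID 7 style record (Image, ImageLoaded, Signed)."""
    dll = event["ImageLoaded"]
    name = dll.rsplit("\\", 1)[-1].lower()
    if SYSTEM_DIR.match(dll) or not TEMP_DIR.search(dll):
        return None  # genuine system path, or not a user-writable temp dir
    if name in SYSTEM_DLLS:  # system DLL name answered from TEMP: redirection
        where = ".be folder" if BE_FOLDER.search(dll) else "temp dir"
        return Finding(event["Image"], dll, f"system DLL name resolved from {where}")
    if event.get("Signed", "false").lower() != "true":
        return Finding(event["Image"], dll, "unsigned DLL loaded from temp dir")
    return None  # signed, installer-specific DLLs in TEMP are expected

def scan(events: list[dict]) -> list[Finding]:
    return [f for f in map(analyse, events) if f]

# Constructed sample telemetry (not real events); user and file names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\.be\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\.be\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\.be\version.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\Temp\helper.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\.be\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\.be\InstallerUi.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.dll}: {f.reason}")
```

The last sample shows why the rule checks the DLL name and signature rather than the path alone: installers legitimately extract their own signed components into TEMP, and alerting on every such load would bury the redirection case.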

Responsible

GitHub, Inc.

Reservation

01/31/2024

Disclosure

02/07/2024

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low

Sources
