CVE-2024-29187 - Vulnerability Details - OpenCVE

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1002	WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.
Github GHSA	GHSA-rf39-3f98-xr7r	WiX based installers are vulnerable to binary hijack when run as SYSTEM

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-24T19:38:38.140Z

Updated: 2024-08-13T14:28:49.838Z

Reserved: 2024-03-18T17:07:00.094Z

Link: CVE-2024-29187

Vulnrichment

Updated: 2024-08-02T01:10:54.048Z

NVD

Status : Awaiting Analysis

Published: 2024-03-24T20:15:08.003

Modified: 2024-11-21T09:07:45.380

Link: CVE-2024-29187

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29187", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.094Z", "datePublished": "2024-03-24T19:38:38.140Z", "dateUpdated": "2024-08-13T14:28:49.838Z"}, "containers": {"cna": {"title": "WiX based installers are vulnerable to binary hijack when run as SYSTEM", "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"version": "< 3.14.1", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:06.327Z"}, "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "source": {"advisory": "GHSA-rf39-3f98-xr7r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.048Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}]}, {"affected": [{"vendor": "wixtoolset_project", "product": "burn", "cpes": ["cpe:2.3:a:wixtoolset_project:burn:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.14.1", "versionType": "custom"}, {"version": "4.0.0", "status": "affected", "lessThan": "4.0.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-13T14:26:34.154132Z", "id": "CVE-2024-29187", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T14:28:49.838Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.048Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29187", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-13T14:26:34.154132Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wixtoolset_project:burn:*:*:*:*:*:*:*:*"], "vendor": "wixtoolset_project", "product": "burn", "versions": [{"status": "affected", "version": "0", "lessThan": "3.14.1", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T14:28:33.809Z"}}], "cna": {"title": "WiX based installers are vulnerable to binary hijack when run as SYSTEM", "source": {"advisory": "GHSA-rf39-3f98-xr7r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"status": "affected", "version": "< 3.14.1"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.5"}]}], "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:06.327Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29187", "state": "PUBLISHED", "dateUpdated": "2024-08-13T14:28:49.838Z", "dateReserved": "2024-03-18T17:07:00.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-24T19:38:38.140Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}, {"lang": "es", "value": "El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. Cuando un paquete se ejecuta como usuario del SYSTEMA, Burn usa GetTempPathW que apunta a un directorio inseguro C:\\Windows\\Temp para colocar y cargar m\u00faltiples archivos binarios. Los usuarios est\u00e1ndar pueden secuestrar el binario antes de que se cargue en la aplicaci\u00f3n, lo que resulta en una elevaci\u00f3n de privilegios. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5."}], "id": "CVE-2024-29187", "lastModified": "2024-11-21T09:07:45.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-24T20:15:08.003", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Secondary"}]}