CVE-2024-29187: Incorrect Permission Assignment in Windows 10 HLK Version 22h2

Severity
7.3 HIGH (NVD)
EPSS
0.1%
top 76.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 24
Latest update: Jun 11

Description

The WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as the SYSTEM user, Burn uses GetTempPathW, which points to the insecure directory C:\Windows\Temp, to drop and load multiple binaries. Standard users can hijack a binary before it is loaded by the application, resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.3 | Impact: 5.9

Affected Packages: 18 packages

🔴Vulnerability Details

2
GHSA
WiX based installers are vulnerable to binary hijack when run as SYSTEM (2024-03-25)
OSV
WiX based installers are vulnerable to binary hijack when run as SYSTEM (2024-03-25)

📋Vendor Advisories

1
Microsoft
GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM (2024-06-11)

🕵️Threat Intelligence

3
Tenable
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs (2024-06-11)
Trendmicro
The June 2024 Security Update Review (2024-06-11)
Trendmicro
The June 2024 Security Update Review (2024-06-11)