7.9 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.5%
The version of Wix Toolset installed on the remote host is prior to 3.14.1 or 4.x prior to 4.0.5. It is, therefore, affected by multiple vulnerabilities.
The custom action behind WiX’s RemoveFolderEx
functionality could allow a standard user to delete protected directories. RemoveFolderEx
deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed RemoveFolderEx
to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory.
Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. (CVE-2024-29188)
When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it’s loaded in the application resulting in elevation of privileges. (CVE-2024-29187)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(192645);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/29");
script_cve_id("CVE-2024-29187", "CVE-2024-29188");
script_xref(name:"IAVA", value:"2024-A-0180");
script_name(english:"Wix Toolset < 3.14.1 / 4.x < 4.0.5 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The Wix Toolset installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Wix Toolset installed on the remote host is prior to 3.14.1 or 4.x prior to 4.0.5. It is,
therefore, affected by multiple vulnerabilities.
- The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete
protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or
uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding
each subdirectory to the list of directories Windows Installer should delete. If the setup author
instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could
create a directory junction in that per-user folder pointing to a per-machine, protected directory.
Windows Installer, when executing the per-machine installer after approval by an administrator, would
delete the target of the directory junction. (CVE-2024-29188)
- When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory
C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's
loaded in the application resulting in elevation of privileges. (CVE-2024-29187)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-jx4p-m4wm-vvjg");
# https://www.firegiant.com/blog/2024/3/22/wix-security-releases-available-redux/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3cb33181");
# https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afee5f1a");
script_set_attribute(attribute:"solution", value:
"Upgrade to Wix Toolset version 3.14.1, 4.0.5 or later.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-29187");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-29188");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/22");
script_set_attribute(attribute:"patch_publication_date", value:"2024/03/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/28");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:wix_toolset:wix");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("wix_win_installed.nbin");
script_require_keys("installed_sw/Wix");
exit(0);
}
include('vcf.inc');
get_kb_item_or_exit('SMB/Registry/Enumerated');
var app_info = vcf::get_app_info(app:'Wix', win_local:TRUE);
var constraints = [
{'fixed_version': '3.14.1'},
{'min_version': '4.0', 'fixed_version': '4.0.5'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Vendor | Product | Version | CPE |
---|---|---|---|
wix_toolset | wix | x-cpe:/a:wix_toolset:wix |
7.9 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.5%