Detections
Analytics

Wix Toolset < 3.14.1 / 4.x < 4.0.5 Multiple Vulnerabilities

high Nessus Plugin ID 192645

Language:

Synopsis

The Wix Toolset installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Wix Toolset installed on the remote host is prior to 3.14.1 or 4.x prior to 4.0.5. It is, therefore, affected by multiple vulnerabilities.

 - The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory.
 Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. (CVE-2024-29188)

 - When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. (CVE-2024-29187)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Wix Toolset version 3.14.1, 4.0.5 or later.

See Also

https://github.com/advisories/GHSA-jx4p-m4wm-vvjg

http://www.nessus.org/u?3cb33181

http://www.nessus.org/u?afee5f1a

Plugin Details

Severity: High

ID: 192645

File Name: wix_CVE-2024-29188.nasl

Version: 1.2

Type: local

Agent: windows

Family: Windows

Published: 3/28/2024

Updated: 3/29/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-29187

CVSS v3

Risk Factor: High

Base Score: 7.9

Temporal Score: 6.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-29188

Vulnerability Information

CPE: x-cpe:/a:wix_toolset:wix

Required KB Items: installed_sw/Wix

Exploit Ease: No known exploits are available

Patch Publication Date: 3/22/2024

Vulnerability Publication Date: 3/22/2024

Reference Information

CVE: CVE-2024-29187, CVE-2024-29188

IAVA: 2024-A-0180