CVE-2024-29188
Improper Link Resolution Before File Access ('Link Following') (CWE-59)
WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Timeline
NVD published the first details for CVE-2024-29188
Feedly found the first article mentioning CVE-2024-29188. See article
Detection for the vulnerability has been added to Nessus (192645)
EPSS Score was set to: 0.05% (Percentile: 13.2%)
The vulnerability CVE-2024-29188 in the WiX Toolset's RemoveFolderEx function allows for potential exploitation by attackers to compromise systems during the installation process. This critical vulnerability has a CVSS score of [insert score if available], with proof-of-concept exploits already circulating in the wild. Mitigations include updating to the latest version of WiX Toolset and implementing detection mechanisms to identify vulnerable installers, as downstream impacts may affect other third-party vendors utilizing the tool. See article