VDE-2024-021

Vulnerability from csaf_wagogmbhcokg - Published: 2024-05-21 06:00 - Updated: 2024-05-21 06:00
Summary
WAGO: Vulnerability in WAGO Navigator
Notes
Summary: The WAGO Navigator versions 1.0.1 and 1.0 are vulnerable due to the use of the WiX toolset version 3.11.2.
Impact: The vulnerabilities affect the previous versions installer itself, leading to a potential privilege escalation during installation of WAGO Navigator. Already installed versions are not affected as long as the installer is not executed again.
Remediation: A fix is available with the WAGO Navigator 1.0.2 and is accessible through the WAGO download center.
CVE-2024-29187

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

7.3 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-732 - Incorrect Permission Assignment for Critical Resource
Vendor Fix A fix is available with the WAGO Navigator 1.0.2 and is accessible through the WAGO download center.
CVE-2024-24810

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.

7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-426 - Untrusted Search Path
Vendor Fix A fix is available with the WAGO Navigator 1.0.2 and is accessible through the WAGO download center.
References
Acknowledgments
CERT@VDE certvde.com
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The WAGO Navigator versions 1.0.1 and 1.0 are vulnerable due to the use of the WiX toolset version 3.11.2.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The vulnerabilities affect the previous versions installer itself, leading to a potential privilege escalation during installation of WAGO Navigator. Already installed versions are not affected as long as the installer is not executed again.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "A fix is available with the WAGO Navigator 1.0.2 and is accessible through the WAGO download center.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2024-021: WAGO: Vulnerability in WAGO Navigator - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2024-021/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-021: WAGO: Vulnerability in WAGO Navigator - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-021.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://www.wago.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for WAGO GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/wago/"
      }
    ],
    "title": "WAGO: Vulnerability in WAGO Navigator",
    "tracking": {
      "aliases": [
        "VDE-2024-021"
      ],
      "current_release_date": "2024-05-21T06:00:00.000Z",
      "generator": {
        "date": "2025-04-30T13:14:28.850Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.24"
        }
      },
      "id": "VDE-2024-021",
      "initial_release_date": "2024-05-21T06:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-05-21T06:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "1.0.1",
                    "product": {
                      "name": "WAGO Navigator 1.0.1",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.0.2",
                    "product": {
                      "name": "WAGO Navigator 1.0.2",
                      "product_id": "CSAFPID-52001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.0",
                    "product": {
                      "name": "WAGO Navigator 1.0",
                      "product_id": "CSAFPID-51002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "WAGO Navigator"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Wago"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ],
        "summary": "Affected products."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-29187",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "description",
          "text": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it\u0027s loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "A fix is available with the WAGO Navigator 1.0.2 and is accessible through the WAGO download center.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002"
          ]
        }
      ],
      "title": "CVE-2024-29187"
    },
    {
      "cve": "CVE-2024-24810",
      "cwe": {
        "id": "CWE-426",
        "name": "Untrusted Search Path"
      },
      "notes": [
        {
          "category": "description",
          "text": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "A fix is available with the WAGO Navigator 1.0.2 and is accessible through the WAGO download center.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002"
          ]
        }
      ],
      "title": "CVE-2024-24810"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.