CVE-2023-24205
📋 TL;DR
CVE-2023-24205 is a critical remote code execution vulnerability in Clash for Windows that allows attackers to execute arbitrary code by overwriting the configuration file. This affects all users running vulnerable versions of the Clash for Windows application. Successful exploitation gives attackers full control over the affected system.
💻 Affected Systems
- Clash for Windows
📦 What is this software?
Clash by Clash Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full administrative control, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Malware installation, credential theft, and system compromise leading to data loss or unauthorized access to network resources.
If Mitigated
Limited impact if proper file permissions and application sandboxing prevent configuration file modification.
🎯 Exploit Status
Exploitation requires the ability to write to the configuration file, which can be achieved through various attack vectors including malicious websites or network attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.20.13 and later
Vendor Advisory: https://github.com/Fndroid/clash_for_windows_pkg/issues/3891
Restart Required: Yes
Instructions:
1. Download the latest version from the official GitHub repository.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict configuration file permissions (Linux)
Set read-only permissions on the cfw-setting.yaml file to prevent modification:
chmod 444 cfw-setting.yaml
Note that a process running as the file's owner can still change the mode back, so this raises the bar for modification rather than blocking it outright.
Remove write permissions (Windows)
Remove write permissions for all users except SYSTEM/Administrators on the configuration file:
icacls "cfw-setting.yaml" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)"
🧯 If You Can't Patch
- Uninstall Clash for Windows immediately
- Implement strict network segmentation and firewall rules to isolate affected systems
🔍 How to Verify
Check if Vulnerable:
Check Clash for Windows version in application settings or About section. If version is v0.20.12 or earlier, you are vulnerable.
Check Version:
Check version in application GUI or look for version file in installation directory
Verify Fix Applied:
Verify installed version is v0.20.13 or later. Check that configuration file cannot be modified by non-privileged users.
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to cfw-setting.yaml file
- Process creation from Clash for Windows with unusual parameters
Network Indicators:
- Unusual outbound connections from Clash for Windows process
- Suspicious configuration file downloads
SIEM Query:
Process Creation where Image contains 'clash' AND CommandLine contains unusual patterns OR File Modification where TargetFile contains 'cfw-setting.yaml'
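Added example (not part of this advisory): a version check for the "How to Verify" section and a small triage routine that applies the two log indicators above to constructed Sysmon-style events. The event shape, the process names and the definition of an "unusual" command line are assumptions to tune for your environment.

```python
import re
from dataclasses import dataclass

# Cut-off from the advisory: v0.20.13 and later are fixed.
FIXED_VERSION = (0, 20, 13)

def is_vulnerable_version(version: str) -> bool:
    """True when the version string denotes v0.20.12 or earlier."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION

@dataclass
class Event:
    """Minimal stand-in for a Sysmon-style process/file event (assumed shape)."""
    kind: str          # "process" or "file"
    image: str         # image path of the acting process
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # written file (file events)

# Assumed definition of "unusual" command-line content; tune per environment.
UNUSUAL_CMDLINE = re.compile(r"cmd\.exe|powershell|https?://", re.I)

def triage(events):
    """Return (rule, event) pairs matching the advisory's two log indicators."""
    hits = []
    for e in events:
        image = e.image.lower()
        if e.kind == "file" and e.target.lower().endswith("cfw-setting.yaml"):
            # The app rewrites its own settings; a write by any other process is the signal.
            if "clash" not in image:
                hits.append(("cfw-setting.yaml modified by non-Clash process", e))
        elif e.kind == "process" and ("clash" in image or "clash" in e.parent.lower()):
            if UNUSUAL_CMDLINE.search(e.cmdline):
                hits.append(("Clash process with unusual command line", e))
    return hits

# Constructed sample events: one benign self-write, one foreign write,
# one suspicious child process, one normal application start.
SAMPLE_EVENTS = [
    Event("file", r"C:\Program Files\Clash for Windows\Clash for Windows.exe",
          target=r"C:\Users\alice\.config\clash\cfw-setting.yaml"),
    Event("file", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          target=r"C:\Users\alice\.config\clash\cfw-setting.yaml"),
    Event("process", r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c powershell -nop -c whoami",
          parent=r"C:\Program Files\Clash for Windows\Clash for Windows.exe"),
    Event("process", r"C:\Program Files\Clash for Windows\Clash for Windows.exe",
          cmdline='"Clash for Windows.exe"'),
]
```

Running `triage(SAMPLE_EVENTS)` flags the Firefox write and the cmd.exe child, and leaves the application's own write and normal start alone.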