CVE-2023-29487

9.1 CRITICAL

📋 TL;DR

This CVE describes a denial-of-service condition in the Threat To Process Correlation module of the Heimdal Thor agent, which an attacker can trigger to disrupt the agent on affected endpoints. Heimdal disputes the classification, stating that this is not a vulnerability but a missing feature in the agent's DNS logging.

💻 Affected Systems

Products:
  • Heimdal Thor agent
Versions: Windows 3.4.2 and before; macOS 2.6.9 and before
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes (where the module is enabled)
Notes: Only affects endpoints with the Threat To Process Correlation threat prevention module enabled. Heimdal disputes that this is a vulnerability, describing it as a missing feature in DNS logging.

📦 What is this software?

Heimdal Thor is Heimdal's endpoint security agent for Windows and macOS, providing security monitoring and threat prevention on the endpoint. Threat To Process Correlation is one of its threat prevention modules; the vendor's dispute frames the reported issue as a gap in the agent's DNS logging rather than a flaw in that module.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of Heimdal Thor agent functionality, potentially disabling security monitoring and threat prevention capabilities on endpoints.

🟠

Likely Case

Intermittent service disruption or performance degradation of the Thor agent's threat prevention features.

🟢

If Mitigated

Minimal impact if the Threat To Process Correlation module is disabled or if affected versions are not in use.

🌐 Internet-Facing: LOW - No remote exploitation path is documented; triggering the issue appears to require local access to, or a network position toward, the target endpoint.
🏢 Internal Only: MEDIUM - An attacker already inside the network could target vulnerable endpoints to knock out the agent's threat prevention, blinding endpoint monitoring before further activity.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation details are not publicly documented. The vendor disputes the vulnerability classification entirely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

Heimdal does not acknowledge this as a vulnerability, so no fix is published for it. Versions after 3.4.2 (Windows) and 2.6.9 (macOS) fall outside the listed affected range; upgrading to the current release is good practice regardless.

🔧 Temporary Workarounds

Disable Threat To Process Correlation

Platforms: all

Turn off the Threat To Process Correlation module in the Heimdal Thor agent configuration. The specific steps depend on the Heimdal management console or configuration files in use.

🧯 If You Can't Patch

  • Disable the Threat To Process Correlation feature in Heimdal Thor agent
  • Implement network segmentation to limit access to endpoints running vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check the installed Heimdal Thor agent version:
  • Windows: check the installed programs list
  • macOS: check the application version in the About dialog

Check Version:

Windows: wmic product get name,version | findstr Heimdal
macOS: system_profiler SPApplicationsDataType | grep -A 5 Heimdal

Caveat: wmic is deprecated on current Windows builds, and `wmic product` enumerates Win32_Product, which triggers an MSI consistency check of every installed package and can be slow or even repair installations. Reading the DisplayVersion value under the Uninstall registry keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the WOW6432Node equivalent) gives the same answer without that side effect.

Verify Fix Applied:

Confirm in the agent configuration or management console that the Threat To Process Correlation module is disabled, or that the installed version is above the affected range (Windows 3.4.2, macOS 2.6.9).
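The version check above, as an added example that is not part of the CVE entry or Heimdal's own tooling: it parses the installed version, compares it against the "and before" thresholds listed for each platform, and reads the installed version from the Uninstall registry keys on Windows (avoiding `wmic product`) or from `system_profiler -json` on macOS. The assumption that the Uninstall entry and the macOS application name contain the string "Heimdal", and the treatment of a four-part build such as 3.4.2.1 as still "3.4.2 and before", are mine, not the page's.

```python
"""Added example (not Heimdal's code): is the installed Heimdal Thor agent
inside the affected range listed for CVE-2023-29487?

Assumptions (not from the CVE text): the Windows Uninstall entry and the macOS
application name both contain "Heimdal"; versions are dotted integers.
"""
import json
import platform
import re
import subprocess
from typing import Optional, Tuple

# Last affected version per platform, as listed in the CVE entry ("and before").
LAST_AFFECTED = {
    "Windows": (3, 4, 2),
    "Darwin": (2, 6, 9),   # platform.system() reports macOS as "Darwin"
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.4.2' (or '3.4.2.0', '3.4.2-beta') into a tuple of ints.

    Only the leading dotted-integer part is used, so a build suffix does
    not break the comparison.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(os_name: str, version: str) -> bool:
    """True if `version` is at or below the last affected version for os_name.

    The installed version is truncated to the threshold's length before the
    comparison, so a four-part build 3.4.2.1 still counts as "3.4.2 and
    before" (conservative reading); 3.4.3 and 3.5 do not.
    """
    last = LAST_AFFECTED[os_name]
    return parse_version(version)[: len(last)] <= last


def installed_version_windows() -> Optional[str]:
    """Read DisplayVersion from the Uninstall keys (64-bit and 32-bit views).

    This is the registry data wmic would report, without enumerating
    Win32_Product and triggering MSI consistency checks.
    """
    import winreg  # Windows only

    roots = [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ]
    for root in roots:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as base:
                for i in range(winreg.QueryInfoKey(base)[0]):
                    with winreg.OpenKey(base, winreg.EnumKey(base, i)) as k:
                        try:
                            name, _ = winreg.QueryValueEx(k, "DisplayName")
                            if "heimdal" in str(name).lower():   # assumption
                                ver, _ = winreg.QueryValueEx(k, "DisplayVersion")
                                return str(ver)
                        except FileNotFoundError:
                            continue   # entry without DisplayName/DisplayVersion
        except FileNotFoundError:
            continue   # view not present (e.g. 32-bit Windows)
    return None


def installed_version_macos() -> Optional[str]:
    """Use system_profiler's JSON output instead of grep -A 5 on its text form."""
    out = subprocess.run(
        ["system_profiler", "-json", "SPApplicationsDataType"],
        capture_output=True, text=True, check=True,
    ).stdout
    for app in json.loads(out).get("SPApplicationsDataType", []):
        if "heimdal" in app.get("_name", "").lower():   # assumption on app name
            return app.get("version")
    return None


def check_host() -> str:
    """Run the platform-appropriate lookup and report the verdict."""
    os_name = platform.system()
    if os_name == "Windows":
        ver = installed_version_windows()
    elif os_name == "Darwin":
        ver = installed_version_macos()
    else:
        return f"{os_name}: Heimdal Thor agent not listed as affected on this OS"
    if ver is None:
        return f"{os_name}: no Heimdal Thor agent found"
    verdict = "AFFECTED range" if is_affected(os_name, ver) else "outside affected range"
    return f"{os_name}: Heimdal Thor agent {ver} is in the {verdict}"


if __name__ == "__main__":
    print(check_host())
```

Run it with the agent's own service account permissions or as an administrator; the registry read needs no elevation, but `system_profiler` can take several seconds on a machine with many applications.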

📡 Detection & Monitoring

Log Indicators:

  • Heimdal Thor agent service crashes or restarts
  • DNS security module errors in Heimdal logs

Network Indicators:

  • Unusual DNS query patterns from endpoints with Heimdal agent

SIEM Query:

source="heimdal_logs" AND (event_type="service_crash" OR event_type="module_error")

The source and field names in this query are placeholders; map them to the schema your collector actually produces for Heimdal logs. On Windows, the agent service terminating unexpectedly also appears in the System log from Service Control Manager as Event ID 7034 (service terminated unexpectedly) or 7031 (terminated unexpectedly, corrective action scheduled), so the same condition can be detected from standard OS telemetry even where the agent's own logs are unavailable.
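The service-crash indicator as detection logic run over sample events, added here as an example and not taken from the page or from Heimdal: it consumes normalised Windows System-log records, keeps only Service Control Manager unexpected-termination events (IDs 7034 and 7031) whose message names the Heimdal service, and raises a hit for any host with repeated terminations inside a sliding time window, so a single crash does not alert but a crash loop does. The sample records are constructed for the example; the assumption that the service display name contains "Heimdal", and the threshold of three stops in ten minutes, are mine.

```python
"""Added example (not the page's or Heimdal's code): flag endpoints whose
Heimdal agent service keeps terminating unexpectedly, using the Windows
Service Control Manager events a SIEM normally already collects.

Assumption (not from the CVE text): the service display name contains
"Heimdal". Event IDs 7034/7031 are the real SCM IDs for unexpected
termination; 7036 is a normal state change and is ignored.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

UNEXPECTED_STOP_IDS = {7031, 7034}

# Constructed sample records (not real telemetry), shaped like normalised
# System-log events: host, event_id, ISO time, SCM message text.
SAMPLE_EVENTS = [
    {"host": "wks-01", "event_id": 7036, "time": "2023-05-01T09:00:00",
     "message": "The Heimdal Agent service entered the running state."},
    {"host": "wks-01", "event_id": 7034, "time": "2023-05-01T09:05:10",
     "message": "The Heimdal Agent service terminated unexpectedly.  It has done this 1 time(s)."},
    {"host": "wks-01", "event_id": 7031, "time": "2023-05-01T09:06:40",
     "message": "The Heimdal Agent service terminated unexpectedly.  It has done this 2 time(s).  "
                "The following corrective action will be taken in 60000 milliseconds: Restart the service."},
    {"host": "wks-01", "event_id": 7034, "time": "2023-05-01T09:08:05",
     "message": "The Heimdal Agent service terminated unexpectedly.  It has done this 3 time(s)."},
    # Unrelated service crashing on another host: must not alert.
    {"host": "wks-02", "event_id": 7034, "time": "2023-05-01T09:07:00",
     "message": "The Print Spooler service terminated unexpectedly.  It has done this 1 time(s)."},
    # Two isolated Heimdal crashes hours apart: below the loop threshold.
    {"host": "wks-03", "event_id": 7034, "time": "2023-05-01T09:00:00",
     "message": "The Heimdal Agent service terminated unexpectedly.  It has done this 1 time(s)."},
    {"host": "wks-03", "event_id": 7034, "time": "2023-05-01T11:30:00",
     "message": "The Heimdal Agent service terminated unexpectedly.  It has done this 1 time(s)."},
]


def is_heimdal_unexpected_stop(ev: dict) -> bool:
    """SCM unexpected-termination event naming the Heimdal service (assumed name)."""
    return ev["event_id"] in UNEXPECTED_STOP_IDS and "heimdal" in ev["message"].lower()


def find_crash_loops(
    events: Iterable[dict],
    threshold: int = 3,
    window: timedelta = timedelta(minutes=10),
) -> Dict[str, List[str]]:
    """Return {host: [timestamps]} for hosts with >= threshold unexpected
    Heimdal stops inside any `window`-long span.

    Events are sorted by time first so the per-host sliding window is valid
    regardless of the order the collector delivered them in.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    hits: Dict[str, List[str]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_heimdal_unexpected_stop(ev):
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["host"]]
        q.append(t)
        while q and t - q[0] > window:   # drop stops older than the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in hits:
            hits[ev["host"]] = [x.isoformat() for x in q]
    return hits


if __name__ == "__main__":
    for host, times in find_crash_loops(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Heimdal service crash loop, stops at {', '.join(times)}")
```

Tune the threshold to the agent's own recovery settings: if SCM is configured to restart the service after each crash (the 7031 case), a sustained DoS shows up as a tight loop of 7031 events, which this window catches; if recovery is off, a single 7034 followed by silence is the signature to look for instead.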
