CVE-2023-54338

8.4 HIGH

📋 TL;DR

CVE-2023-54338 is an unquoted service path vulnerability in Tftpd32 SE 4.60. Because the service's executable path is not wrapped in quotes, a local attacker who can place an executable at a location along that path can execute arbitrary code with SYSTEM privileges. Exploitation requires local access to a machine running the vulnerable version of Tftpd32 SE.

💻 Affected Systems

Products:
  • Tftpd32 SE
Versions: Version 4.60 specifically
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where Tftpd32 SE is installed as a service with the vulnerable configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges leading to complete control over the affected system, data theft, and lateral movement within the network.

🟠 Likely Case: Local privilege escalation allowing attackers to gain SYSTEM privileges and install persistent backdoors or malware.

🟢 If Mitigated: Limited impact if proper access controls prevent local users from writing to service directories.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the network.
🏢 Internal Only: HIGH - Any local user or compromised account can potentially exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system and ability to write to directories in the service path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://pjo2.github.io/tftpd64/

Restart Required: Yes

Instructions:

1. Uninstall Tftpd32 SE 4.60
2. Install a different TFTP server solution
3. Consider using Tftpd64 instead (different product)

🔧 Temporary Workarounds

Quote Service Path

windows

Manually edit the service configuration to add quotes around the service executable path

sc config "TftpdSE" binPath= "\"C:\Program Files\Tftpd32 SE\tftpdse.exe\""

Restrict Directory Permissions

windows

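Remove write permissions for non-administrative users on directories in the service path. With an unquoted path, Windows tries each space-delimited prefix of the path as an executable name, so for the path used above the directories whose ACLs matter also include C:\ and C:\Program Files, not only the install directory targeted by the command below.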

icacls "C:\Program Files\Tftpd32 SE" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Remove Tftpd32 SE service if not needed
  • Implement strict access controls to prevent local users from writing to service directories

🔍 How to Verify

Check if Vulnerable:

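Check if Tftpd32 SE 4.60 is installed and running as a service with an unquoted path: sc qc "TftpdSE" | findstr /i "BINARY_PATH_NAME" (sc qc labels the field BINARY_PATH_NAME; the service is affected when the value shown is not enclosed in quotes)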

Check Version:

Check program version in Control Panel > Programs and Features or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Verify Fix Applied:

Verify service path is quoted: sc qc "TftpdSE" | findstr /i "BINARY_PATH_NAME" should show quotes around the executable path
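
The checks above look at one service. As an added example (not part of the original advisory or the vendor's tooling), the PowerShell below applies the same test to every service on the host and lists the intermediate paths whose parent directories need an ACL review. The helper name Get-UnquotedPathCandidates is made up for this example, and it assumes service binaries end in .exe.

```powershell
# Added example: list every service whose executable path is unquoted and
# contains a space, plus the intermediate paths Windows could resolve first.
# Get-UnquotedPathCandidates is a hypothetical helper name, not a built-in cmdlet.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                 # already quoted: nothing to report

    # Assumption: the service binary ends in ".exe"; arguments may follow it.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # Every space inside the executable path marks a prefix that Windows
    # tries as "<prefix>.exe" before it reaches the intended binary.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx).TrimEnd() + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc = $_
        foreach ($candidate in @(Get-UnquotedPathCandidates -PathName $svc.PathName)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                PathName  = $svc.PathName
                Candidate = $candidate
                # True means a file already sits at an interception point: investigate it.
                Exists    = Test-Path -LiteralPath $candidate -PathType Leaf
                # Directory whose ACL decides who could create the candidate file.
                AuditDir  = Split-Path -Path $candidate -Parent
            }
        }
    } |
    Sort-Object Service, Candidate -Unique |
    Format-Table -AutoSize -Wrap
```

An empty result means no service on the host has an unquoted path with spaces. For any row returned, review the AuditDir ACL with icacls and treat Exists = True as something to investigate.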

📡 Detection & Monitoring

Log Indicators:

  • Service control manager events showing service path modifications
  • Process creation events for unexpected executables from Tftpd32 SE directory

Network Indicators:

  • Unusual outbound connections from SYSTEM context after local user activity

SIEM Query:

EventID=4688 AND NewProcessName="*Tftpd32 SE*" AND SubjectUserName NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
