CVE-2024-23168
📋 TL;DR
This vulnerability allows non-local websites to send malicious commands to the WebSocket API in Xiexe XSOverlay, leading to arbitrary code execution. Users running vulnerable versions of XSOverlay are affected when visiting malicious websites while the software is active.
💻 Affected Systems
- Xiexe XSOverlay
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the victim's computer, allowing data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Malicious website triggers code execution to steal credentials, install malware, or hijack the system for cryptocurrency mining.
If Mitigated
Attack fails due to patched software or network segmentation preventing malicious website access.
🎯 Exploit Status
Exploitation is straightforward - malicious website sends WebSocket commands to localhost:42070. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 647 and later
Vendor Advisory: https://store.steampowered.com/news/app/1173510?emclan=103582791465938574&emgid=7792991106417394332
Restart Required: Yes
Instructions:
1. Open the Steam client.
2. Go to Library.
3. Find XSOverlay.
4. Right-click and select Properties.
5. Go to Updates.
6. Ensure automatic updates are enabled.
7. Restart XSOverlay after the update.
🔧 Temporary Workarounds
Disable XSOverlay WebSocket API
Platform: Windows. Temporarily disable the vulnerable WebSocket API until patching is possible.
Close XSOverlay completely when browsing the web
Block WebSocket Port
Platform: Windows. Block the vulnerable port using Windows Firewall to prevent external access.
netsh advfirewall firewall add rule name="Block XSOverlay WS" dir=in action=block protocol=TCP localport=42070
🧯 If You Can't Patch
- Uninstall XSOverlay completely until patching is possible
- Use browser extensions to block WebSocket connections to localhost:42070
🔍 How to Verify
Check if Vulnerable:
Check XSOverlay version in Steam library or application settings. If version is below build 647, you are vulnerable.
Check Version:
Check Steam library properties for XSOverlay or look at version in XSOverlay settings panel.
Verify Fix Applied:
Verify XSOverlay shows version 647 or higher in application settings.
📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connections to localhost:42070 from browser processes
- XSOverlay process spawning unexpected child processes
Network Indicators:
- WebSocket traffic to localhost:42070 from browser applications
- Outbound connections from XSOverlay to suspicious domains
SIEM Query:
(process_name IN ("chrome.exe", "firefox.exe", "msedge.exe") AND destination_ip="127.0.0.1" AND destination_port=42070) OR parent_process="XSOverlay.exe"
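The two log indicators above written out as detection logic over constructed Sysmon-style events (Event ID 3 network connections, Event ID 1 process creations). This is an added example, not part of the original advisory; the browser image names, file paths, and the empty child-process baseline are assumptions.

```python
XSOVERLAY_WS_PORT = 42070  # WebSocket API port named in the advisory
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}  # assumed browser images
LOOPBACK = {"127.0.0.1", "::1"}
ALLOWED_XSOVERLAY_CHILDREN: set = set()  # assumption: fill from a known-good baseline

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_browser_to_xsoverlay(ev: dict) -> bool:
    """Browser process opening a socket to localhost:42070 (Sysmon EID 3)."""
    return (ev.get("EventID") == 3
            and _basename(ev.get("Image", "")) in BROWSERS
            and ev.get("DestinationIp") in LOOPBACK
            and ev.get("DestinationPort") == XSOVERLAY_WS_PORT)

def is_unexpected_xsoverlay_child(ev: dict) -> bool:
    """XSOverlay.exe spawning a child not in the baseline (Sysmon EID 1)."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("ParentImage", "")) == "xsoverlay.exe"
            and _basename(ev.get("Image", "")) not in ALLOWED_XSOVERLAY_CHILDREN)

def find_indicators(events) -> list:
    """Return (label, event) pairs for every event matching an indicator."""
    hits = []
    for ev in events:
        if is_browser_to_xsoverlay(ev):
            hits.append(("browser->xsoverlay-ws", ev))
        elif is_unexpected_xsoverlay_child(ev):
            hits.append(("xsoverlay-child-process", ev))
    return hits

# Constructed sample events; paths and addresses are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Browsers\chrome.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 42070},
    {"EventID": 3, "Image": r"C:\Browsers\chrome.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Games\XSOverlay\XSOverlay.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for label, ev in find_indicators(SAMPLE_EVENTS):
        print(label, ev["Image"])
```

Only the first and third sample events should fire; an ordinary HTTPS connection from the browser and a child of explorer.exe are ignored.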