CVE-2024-24810

8.2 HIGH

📋 TL;DR

The WiX toolset vulnerability allows attackers to perform DLL redirection attacks via the .be TEMP folder, enabling privilege escalation. This affects any Windows installer built with the WiX framework. Attackers can exploit this to gain elevated privileges on systems running vulnerable installers.

💻 Affected Systems

Products:
  • WiX Toolset
  • Any installer built with WiX Toolset
Versions: All versions before 4.0.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems where WiX-built installers are executed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, allowing installation of malware, data theft, or persistence mechanisms.

🟠

Likely Case

Local privilege escalation allowing attackers to execute arbitrary code with higher privileges than their current user context.

🟢

If Mitigated

Limited impact with proper application whitelisting and least privilege principles in place.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to place malicious DLLs in specific locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.4

Vendor Advisory: https://github.com/wixtoolset/issues/security/advisories/GHSA-7wh2-wxc7-9ph5

Restart Required: No

Instructions:

1. Update WiX Toolset to version 4.0.4 or later.
2. Rebuild any existing installers with the patched version.
3. Distribute the updated installers to end users.

🔧 Temporary Workarounds

Restrict TEMP folder permissions

Tighten the ACL on the TEMP folder tree. The command below denies Everyone the delete and delete-child rights (inherited by subfolders and files), so files an installer has already extracted cannot be removed and replaced by another local user.

icacls %TEMP% /deny *S-1-1-0:(OI)(CI)(DE,DC)

Enable DLL Safe Search Mode

Configure Windows to search the system directories before the current directory when resolving DLLs (this is the default on current Windows versions; the command enforces it).

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

🧯 If You Can't Patch

  • Implement application whitelisting to control which executables can run
  • Use least privilege principles and restrict user permissions to prevent DLL placement in TEMP folders

🔍 How to Verify

Check if Vulnerable:

Check the WiX Toolset version on the build machine: if it is below 4.0.4, installers built with it are vulnerable. Also check whether any deployed applications ship installers built with WiX.

Check Version:

wix --version

Verify Fix Applied:

Verify that the WiX Toolset version is 4.0.4 or higher and that installers have been rebuilt with it. Run a rebuilt installer while monitoring for DLL loads from TEMP folders.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from TEMP folders during installer execution
  • Process Monitor logs showing DLL redirection attempts

Network Indicators:

  • No network indicators: this is a local privilege escalation vulnerability

SIEM Query:

(EventID=7 OR EventID=11) AND ProcessName contains 'msiexec' AND ImageLoaded contains 'TEMP'
