CVE-2024-29500
📋 TL;DR
This vulnerability in Secure Lockdown Multi Application Edition's kiosk mode allows attackers to bypass security restrictions and execute arbitrary code via ClickOnce applications. It affects organizations using this software for public-facing kiosks or secure workstations. The high CVSS score indicates critical severity with network-accessible attack vectors.
💻 Affected Systems
- Secure Lockdown Multi Application Edition
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to internal networks, and establish persistent access to kiosk systems.
Likely Case
Attackers bypass kiosk restrictions to run unauthorized applications, potentially accessing local files, installing keyloggers, or using the system as a beachhead for further attacks.
If Mitigated
Limited impact if proper network segmentation, application whitelisting, and ClickOnce restrictions are in place, though kiosk functionality remains compromised.
🎯 Exploit Status
Detailed exploitation techniques published in referenced blog posts. Attack requires user interaction but can be automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found in provided references
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates and apply immediately when released.
🔧 Temporary Workarounds
Disable ClickOnce Execution
Block ClickOnce application execution via Group Policy or registry settings:
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel" /v "MyComputer" /t REG_SZ /d "Disabled" /f
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel" /v "LocalIntranet" /t REG_SZ /d "Disabled" /f
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel" /v "Internet" /t REG_SZ /d "Disabled" /f
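The three `reg add` commands above only cover the zones they name, and they write whichever registry view the console they run from uses. The following PowerShell script is an added example (not part of this advisory or of the vendor's software) that audits the resulting TrustManager PromptingLevel values and flags any zone still allowed to launch ClickOnce applications. It assumes the registry path from the commands above and the standard TrustManager zone names; the Wow6432Node path is the WOW64-redirected view that 32-bit .NET processes read on 64-bit Windows.

```powershell
# Added example, not part of the advisory: audit the ClickOnce TrustManager
# PromptingLevel values set by the reg add workaround and report any zone
# that is not "Disabled". Run from an elevated 64-bit PowerShell.
#
# A 32-bit .NET process on 64-bit Windows reads HKLM\SOFTWARE through WOW64
# redirection (the Wow6432Node view), so both views are checked; a reg add
# run from a 64-bit console writes only the native view.
$PromptingLevelKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
)
# Zones the TrustManager recognises; the advisory's commands set the first three.
$Zones = @('MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites')

function Test-ClickOnceDisabled {
    param(
        [string[]]$KeyPaths  = $PromptingLevelKeys,
        [string[]]$ZoneNames = $Zones
    )
    $allDisabled = $true
    foreach ($key in $KeyPaths) {
        Write-Host "== $key"
        if (-not (Test-Path -Path $key)) {
            # No key at all means .NET defaults apply: ClickOnce prompts, it is not blocked.
            Write-Host '   key missing: ClickOnce prompting is at .NET defaults here (not disabled)'
            $allDisabled = $false
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($zone in $ZoneNames) {
            $prop  = $props.PSObject.Properties[$zone]
            $value = if ($null -ne $prop) { $prop.Value } else { '<not set>' }
            if ($value -eq 'Disabled') {
                Write-Host ("   {0,-15} Disabled" -f $zone)
            } else {
                Write-Host ("   {0,-15} {1}   <-- ClickOnce still allowed from this zone" -f $zone, $value)
                $allDisabled = $false
            }
        }
    }
    return $allDisabled
}

if (Test-ClickOnceDisabled) {
    'ClickOnce execution disabled for every zone in both registry views.'
} else {
    'Workaround incomplete: see the zones flagged above.'
}
```

The report lines go through `Write-Host` on purpose so that the function's only pipeline output is the boolean, which makes it usable in a scheduled compliance check or a configuration-drift alert.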
Application Whitelisting
Implement strict application control policies that allow only approved executables:
# Configure AppLocker or Windows Defender Application Control policies
🧯 If You Can't Patch
- Isolate kiosk systems on separate network segments with no internal network access
- Implement physical security controls to prevent unauthorized access to kiosk interfaces
🔍 How to Verify
Check if Vulnerable:
Check whether Secure Lockdown Multi Application Edition version 2.00.219 is installed and kiosk mode is enabled.
Check Version:
Check the Program Files directory or the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Inteset\Secure Lockdown.
Verify Fix Applied:
Test if ClickOnce applications can still execute when kiosk mode is active
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing ClickOnce application execution (Event ID 3000-3010)
- Unexpected process creation from ClickOnce deployment files (*.application)
Network Indicators:
- Outbound connections from kiosk systems to unexpected domains
- Download of ClickOnce manifest files
SIEM Query:
Process Creation where (CommandLine contains ".application" OR Image contains "dfsvc.exe") AND User contains "kiosk"
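The SIEM query above is written in a generic pseudo-syntax. As an added example (not part of this advisory), the PowerShell function below runs the same logic directly on a kiosk host against Security event 4688 (process creation): it flags processes whose image is dfsvc.exe (the ClickOnce deployment host) or whose command line references a .application manifest, for accounts matching the kiosk user filter. It assumes process-creation auditing is enabled and that the "Include command line in process creation events" policy is on, since otherwise the CommandLine field is empty and only the dfsvc.exe image test can match; the 'kiosk' account filter is taken from the query above and should be adjusted to the real kiosk account name.

```powershell
# Added example, not part of the advisory: local equivalent of the SIEM query
# over Security event 4688. Run elevated; requires process-creation auditing
# with command-line inclusion enabled for the CommandLine field to be populated.
function Get-ClickOnceProcessEvents {
    param(
        [int]$Hours = 24,
        [string]$UserFilter = 'kiosk'   # from the advisory's query; set to the real kiosk account
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = $data['NewProcessName']
        $cmd   = $data['CommandLine']
        $user  = $data['SubjectUserName']

        # Same predicate as the SIEM query: dfsvc.exe image OR ".application" on the command line.
        $isClickOnce = ($image -like '*\dfsvc.exe') -or ($cmd -like '*.application*')
        if ($isClickOnce -and ($user -like "*$UserFilter*")) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $user
                Parent      = $data['ParentProcessName']
                Image       = $image
                CommandLine = $cmd
            }
        }
    }
}

# Example usage: review the last day of kiosk-account ClickOnce launches.
Get-ClickOnceProcessEvents -Hours 24 | Format-Table -AutoSize
```

On a locked-down kiosk any hit from this function is worth investigating, because no ClickOnce launch is expected there once the workaround above is applied; the ParentProcessName column shows which locked-down application spawned the deployment host.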