CVE-2024-32487
📋 TL;DR
CVE-2024-32487 is a command injection vulnerability in the 'less' pager utility that allows attackers to execute arbitrary OS commands via specially crafted filenames containing newline characters. The vulnerability affects systems where the LESSOPEN environment variable is set (a common default configuration) and users process untrusted files. This impacts any system that uses a vulnerable version of 'less' to view files from untrusted sources.
💻 Affected Systems
- less
📦 What is this software?
Less by Greenwoodsoftware
Solidfire by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges if 'less' is executed with elevated permissions on attacker-controlled files, leading to complete system takeover, data exfiltration, or ransomware deployment.
Likely Case
Limited privilege escalation or lateral movement within a compromised environment where users view files from untrusted archives or downloads, potentially leading to user account compromise.
If Mitigated
No impact if proper security controls prevent execution of 'less' on untrusted files or if LESSOPEN is disabled.
🎯 Exploit Status
Exploitation requires user interaction (viewing malicious files) but the technical complexity is low. Proof-of-concept details are publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 654 and later
Vendor Advisory: https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
Restart Required: No
Instructions:
1. Update 'less' package using system package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade less
3. For RHEL/CentOS: sudo yum update less
4. For source installation: Download and compile version 654+ from official repository.
🔧 Temporary Workarounds
Disable LESSOPEN
linux: Unset the LESSOPEN environment variable to prevent the vulnerable code path from being triggered
unset LESSOPEN
export LESSOPEN=
Restrict file processing
all: Implement policies preventing 'less' from being used on files from untrusted sources
🧯 If You Can't Patch
- Implement strict file handling policies to prevent processing of untrusted files with 'less'
- Use alternative pager utilities (like 'more' or custom viewers) for viewing files from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the 'less' version: less --version | head -1. If the version is 653 or earlier, the system is vulnerable. Also check whether LESSOPEN is set: echo $LESSOPEN.
Check Version:
less --version | head -1
Verify Fix Applied:
Verify 'less' version is 654 or later: less --version | head -1. Confirm patch by checking for commit 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 in source.
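The checks above can be scripted. The following is an added example, not part of the original advisory or the less project: it parses the `less --version` banner, applies the page's 654 threshold together with the LESSOPEN state, and counts filenames containing a newline under a directory before anyone pages through it. All function names are hypothetical.

```sh
#!/bin/sh
# Added example: exposure triage for CVE-2024-32487. Function names are hypothetical.

# Pull the numeric version out of the first line of `less --version`,
# e.g. "less 590 (GNU regular expressions)" -> 590.
less_version_from() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^less \([0-9][0-9]*\).*/\1/p'
}

# Apply the page's threshold (fixed in 654) together with the LESSOPEN state.
# Prints patched | vulnerable-lessopen-set | vulnerable-lessopen-unset | unknown.
classify_less() {
    ver=$1
    lessopen=$2
    case $ver in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$ver" -ge 654 ]; then
        echo patched
    elif [ -n "$lessopen" ]; then
        echo vulnerable-lessopen-set
    else
        echo vulnerable-lessopen-unset
    fi
}

# Count entries under a directory whose names contain a newline, the
# filename property this CVE depends on. One "x" is printed per match.
count_newline_names() {
    nl='
'
    find "$1" -name "*${nl}*" -exec printf x \; | wc -c | tr -d ' '
}

# Live check on this host; skipped when less is not installed.
if command -v less >/dev/null 2>&1; then
    v=$(less_version_from "$(less --version 2>/dev/null)")
    echo "less ${v:-?}: $(classify_less "$v" "${LESSOPEN-}")"
fi
```

Distribution packages can carry the fix under an older upstream version number, so confirm a "vulnerable" result against the package changelog before acting on it.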
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution following 'less' usage
- Suspicious filenames with newline characters in access logs
- Failed attempts to execute commands via 'less'
Network Indicators:
- Outbound connections from systems after 'less' execution on suspicious files
- Command and control traffic patterns
SIEM Query:
process.name:"less" AND (command_line:"*\n*" OR command_line:"*$LESSOPEN*")
🔗 References
- http://www.openwall.com/lists/oss-security/2024/04/15/1
- https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
- https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html
- https://security.netapp.com/advisory/ntap-20240605-0009/
- https://www.openwall.com/lists/oss-security/2024/04/12/5
- https://www.openwall.com/lists/oss-security/2024/04/13/2