CVE-2024-36495
📋 TL;DR
Faronics WINSelect stores its encrypted configuration file with overly permissive 'Everyone' read/write permissions, allowing any local user to modify or read the configuration. This affects both Standard and Enterprise editions of WINSelect on Windows systems where the vulnerable file permissions exist.
💻 Affected Systems
- Faronics WINSelect Standard
- Faronics WINSelect Enterprise
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could modify the configuration to disable security controls, escalate privileges, or alter system settings to compromise the entire workstation.
Likely Case
Malicious local users or malware could tamper with WINSelect settings to bypass application restrictions or modify system behavior.
If Mitigated
With proper file permissions, only authorized administrators can modify the configuration, limiting impact to configuration integrity issues.
🎯 Exploit Status
Exploitation requires local file system access but is trivial once access is obtained. Public disclosure includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor documentation for latest patched versions
Vendor Advisory: https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
Restart Required: Yes
Instructions:
1. Update to the latest WINSelect version from Faronics.
2. Apply vendor-recommended patches.
3. Restart affected systems.
🔧 Temporary Workarounds
Restrict File Permissions
Windows: Modify NTFS permissions on the configuration files to remove the 'Everyone' group and restrict access to SYSTEM and Administrators only
icacls "C:\ProgramData\WINSelect\WINSelect.wsd" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)"
icacls "C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)"
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to affected systems
- Monitor file integrity of WINSelect configuration files for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check file permissions on C:\ProgramData\WINSelect\WINSelect.wsd and C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd using 'icacls' command or File Explorer properties
Check Version:
Check WINSelect version in Control Panel > Programs and Features or via vendor documentation
Verify Fix Applied:
Verify 'Everyone' group no longer has read/write permissions on configuration files and only SYSTEM/Administrators have access
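To make the "Check if Vulnerable" and "Verify Fix Applied" steps repeatable across a fleet, here is an added PowerShell audit script (not part of this advisory or the vendor's tooling). It assumes the two configuration paths listed above and flags any ACE that is not SYSTEM or BUILTIN\Administrators, matching on well-known SIDs rather than display names.

```powershell
# Added example (not from the advisory or vendor): audit the two WINSelect
# configuration file paths named in this advisory and report any ACE that
# is not SYSTEM or BUILTIN\Administrators. Run from an elevated prompt.
# Well-known SIDs are used so the check does not depend on localized names.
$Paths = @(
    'C:\ProgramData\WINSelect\WINSelect.wsd',
    'C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd'
)
$EveryoneSid = 'S-1-1-0'
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # orphaned/unresolvable account: flagged as unexpected below
}

function Test-WinSelectConfigAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; Findings = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        $sid = Get-AceSid -Ace $ace
        if ($sid -eq $EveryoneSid -or $AllowedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs need /inheritance:r to clear
                Everyone  = ($sid -eq $EveryoneSid)
            }
        }
    }
    $status = if ($findings) { 'Vulnerable' } else { 'Restricted' }
    [pscustomobject]@{ Path = $Path; Status = $status; Findings = @($findings) }
}

$results = $Paths | ForEach-Object { Test-WinSelectConfigAcl -Path $_ }
$results | Format-Table Path, Status -AutoSize
foreach ($r in $results | Where-Object Status -eq 'Vulnerable') {
    "Unexpected ACEs on $($r.Path):"
    $r.Findings | Format-Table Identity, Rights, Inherited, Everyone -AutoSize
}
```

A path reporting 'Restricted' means only SYSTEM and Administrators hold ACEs; 'Vulnerable' lists the extra identities so you can apply the icacls workaround above and re-run the check.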
📡 Detection & Monitoring
Log Indicators:
- File modification events on WINSelect.wsd files from non-administrative users
- Windows Security event logs showing unauthorized file access attempts
Network Indicators:
- No direct network indicators - local file system activity only
SIEM Query:
EventID=4663 AND ObjectName LIKE '%WINSelect.wsd' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator', admin_users)
(admin_users is a placeholder for your own list of administrative accounts. Event ID 4663 is only generated when the "Audit File System" object-access policy is enabled and the WINSelect.wsd files carry a SACL, so configure auditing on those files before relying on this query.)
🔗 References
- http://seclists.org/fulldisclosure/2024/Jun/12
- https://r.sec-consult.com/winselect
- https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes