CVE-2024-36497
📋 TL;DR
CVE-2024-36497 is a critical vulnerability in WINSelect software where decrypted configuration files contain passwords in cleartext. This allows attackers to bypass existing restrictions and completely disable WINSelect security controls. Organizations using WINSelect for application whitelisting and security restrictions are affected.
💻 Affected Systems
- Faronics WINSelect
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of WINSelect security controls allowing unrestricted access to restricted systems, potential lateral movement within networks, and full bypass of application whitelisting protections.
Likely Case
Local attackers or users with file access can extract passwords and disable WINSelect restrictions, allowing execution of unauthorized applications and bypassing security policies.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who already have system access; those users could still bypass application restrictions.
🎯 Exploit Status
Exploitation requires access to configuration files but is technically simple once files are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
Restart Required: No
Instructions:
Check the vendor advisory for updates. According to the disclosure timeline, no patch is currently available.
🔧 Temporary Workarounds
Restrict Configuration File Access
Windows: Apply strict file permissions to WINSelect configuration files to prevent unauthorized access
icacls "C:\Program Files\Faronics\WINSelect\*.cfg" /deny Users:(R)
icacls "C:\ProgramData\Faronics\WINSelect\*.cfg" /deny Users:(R)
Monitor Configuration File Access
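Windows: Enable auditing and monitoring for access to WINSelect configuration files. The audit policy below only produces Event ID 4663 records for files or directories that also have an auditing entry (SACL) set on them.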
auditpol /set /subcategory:"File System" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict access controls on WINSelect configuration directories
- Monitor for unauthorized access to WINSelect files and investigate any configuration changes
🔍 How to Verify
Check if Vulnerable:
Check if WINSelect configuration files contain cleartext passwords after decryption. Examine configuration files in WINSelect installation and data directories.
Check Version:
Check WINSelect version in Control Panel > Programs and Features or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Faronics\WINSelect
Verify Fix Applied:
Verify configuration files no longer contain cleartext passwords and are properly encrypted. Test WINSelect functionality remains intact.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to WINSelect configuration files
- Changes to WINSelect configuration
- WINSelect service stopping unexpectedly
Network Indicators:
- Unusual outbound connections from WINSelect-protected systems
- Traffic patterns indicating bypassed restrictions
SIEM Query:
EventID=4663 AND ObjectName LIKE "%WINSelect%" AND AccessMask=0x1
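An added example (not from the original page or the vendor): triage logic for the Event ID 4663 query above, run over constructed sample events. It tests the ReadData bit instead of requiring AccessMask to equal 0x1, so combined masks also match, and it narrows matches to `.cfg` files; the allowlisted process name and the `example.cfg` file name are hypothetical placeholders.

```python
FILE_READ_DATA = 0x1  # ReadData / ListDirectory bit in the 4663 AccessMask

# Hypothetical allowlist of processes expected to read the configuration.
# The binary name is a placeholder, not taken from the page or the vendor.
EXPECTED_READERS = {r"c:\program files\faronics\winselect\placeholder-service.exe"}

# Constructed sample events, flattened to dicts as a SIEM export might look.
CFG = r"C:\ProgramData\Faronics\WINSelect\example.cfg"  # constructed file name
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "kiosk", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\notepad.exe", "ObjectName": CFG},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Faronics\WINSelect\placeholder-service.exe",
     "ObjectName": CFG},
    {"EventID": 4663, "SubjectUserName": "kiosk", "AccessMask": "0x3",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": CFG},
    {"EventID": 4663, "SubjectUserName": "kiosk", "AccessMask": "0x80",
     "ProcessName": r"C:\Windows\explorer.exe", "ObjectName": CFG},
    {"EventID": 4663, "SubjectUserName": "kiosk", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\kiosk\Documents\notes.txt"},
]

def is_suspicious_read(event, expected=EXPECTED_READERS):
    """True for a 4663 data read of a WINSelect .cfg by an unexpected process."""
    if event.get("EventID") != 4663:
        return False
    obj = event.get("ObjectName", "").lower()
    if "winselect" not in obj or not obj.endswith(".cfg"):
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False  # malformed mask: cannot classify, leave to other rules
    if not mask & FILE_READ_DATA:
        return False  # e.g. 0x80 (ReadAttributes) does not expose file contents
    return event.get("ProcessName", "").lower() not in expected

def triage(events):
    """Return (user, process, object) for every suspicious read."""
    return [(e["SubjectUserName"], e["ProcessName"], e["ObjectName"])
            for e in events if is_suspicious_read(e)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```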
🔗 References
- http://seclists.org/fulldisclosure/2024/Jun/12
- https://r.sec-consult.com/winselect
- https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes