6.5 CVE-2024-43451

CISA KEV Catalog Path Traversal Patch
 

NTLM Hash Disclosure Spoofing Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-43451

Categories

CWE-NVD-noinfo

CWE-73 : External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24).
Chain: external control of values for user's desired language and theme enables path traversal.
Chain: external control of user's target language enables remote file inclusion.

References

secure@microsoft.com Patch


 

CPE

cpe start end
Configuration 1
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:* < 10.0.10240.20826
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:* < 10.0.10240.20826
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* < 10.0.14393.7515
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:* < 10.0.14393.7515
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* < 10.0.17763.6532
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* < 10.0.17763.6532
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:* < 10.0.19044.5131
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:* < 10.0.19044.5131
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:* < 10.0.19044.5131
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:* < 10.0.19045.5131
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:* < 10.0.19045.5131
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:* < 10.0.19045.5131
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:arm64:* < 10.0.22621.4460
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:x64:* < 10.0.22621.4460
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:* < 10.0.22631.4460
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:* < 10.0.22631.4460
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:* < 10.0.26100.2314
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:* < 10.0.26100.2314
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* < 10.0.14393.7515
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* < 10.0.17763.6532
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* < 10.0.20348.2849
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:* < 10.0.25398.1251
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:* < 10.0.26100.2314


REMEDIATION


Patch

Url
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id | description | severity
13 | Subverting Environment Variable Values | Very High
267 | Leverage Alternate Encoding | High
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic | High
72 | URL Encoding | High
76 | Manipulating Web Input to File System Calls | Very High
78 | Using Escaped Slashes in Alternate Encoding | High
79 | Using Slashes in Alternate Encoding | High
80 | Using UTF-8 Encoding to Bypass Validation Logic | High


MITRE


Techniques

id description
T1027 Obfuscated Files or Information
T1562.003 Impair Defenses: Impair Command History Logging
T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1027 Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.
T1562.003 Make sure that the HISTCONTROL environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
T1574.006 When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
T1574.007 Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.