CVE-2024-29187: 
vulnerability analysis and mitigation

WiX toolset, a framework for creating Windows Installer packages, contains an elevation of privilege vulnerability (CVE-2024-29187). When a bundle runs as SYSTEM user, Burn (a component of WiX) uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. The vulnerability was discovered in March 2024 and affects versions prior to 3.14.1 and 4.0.5 (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.3 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The issue stems from incorrect permission assignment for critical resources (CWE-732), specifically in the way Burn handles temporary file operations. When running with SYSTEM privileges, the application uses GetTempPathW to access C:\Windows\Temp, which has permissions that allow standard users certain access rights (GitHub Advisory).

If exploited, this vulnerability allows standard users to hijack binaries before they're loaded in the application, resulting in elevation of privileges to SYSTEM level. This could enable an attacker to gain unauthorized administrative access to the affected system (GitHub Advisory).

The vulnerability has been fixed in WiX toolset versions 3.14.1 and 4.0.5. The fix involves protecting the elevated working folder from malicious data by implementing proper access controls that restrict the folder to only SYSTEM and Administrator access (WiX Commit).