CVE-2024-29188: 
C# vulnerability analysis and mitigation

WiX toolset, a software that lets developers create installers for Windows Installer, contains a vulnerability (CVE-2024-29188) in its RemoveFolderEx functionality that could allow a standard user to delete protected directories. The vulnerability was discovered and disclosed on March 24, 2024, and affects versions prior to 3.14.1 and 4.0.5. The issue has been assigned a CVSS v3.1 base score of 7.9 (HIGH) (GitHub Advisory).

The vulnerability exists in the custom action behind WiX's RemoveFolderEx functionality, which deletes an entire directory tree during installation or uninstallation. The process works by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. The vulnerability is tracked as CWE-59 (Improper Link Resolution Before File Access) and has a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H (GitHub Advisory).

If a setup author instructs RemoveFolderEx to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. When Windows Installer executes the per-machine installer after administrator approval, it would delete the target of the directory junction, potentially removing protected system files (GitHub Advisory).

The vulnerability has been fixed in WiX toolset versions 3.14.1 and 4.0.5. The fix involves preventing the RemoveFolderEx functionality from following directory junctions when recursing directories (WiX Commit).