CVE-2024-41799: 
C# vulnerability analysis and mitigation

CVE-2024-41799 affects tgstation-server, a production scale tool for BYOND server management. The vulnerability was discovered in versions prior to 6.8.0, where low permission users with the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed (GitHub Advisory).

The vulnerability stems from insufficient path validation when setting .dme files. Users with low permissions could specify .dme files outside the deployment directory, which could then be compiled and executed. When combined with BYOND's trusted security level (requiring a separate privilege or being set by another user), this could lead to remote code execution via BYOND's shell() proc. The vulnerability has a CVSS v3.1 score of 8.4 HIGH with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H (GitHub Advisory).

The vulnerability allows attackers to execute malicious .dme files that exist on the host machine. In environments where BYOND's trusted security level is enabled, this can escalate to remote code execution through the shell() proc. While this type of attack typically requires multiple privileges with known weaknesses, this particular vector is more dangerous as it doesn't require control over deployment code source and may not need remote write access to an instance's Configuration directory (GitHub Advisory).

The vulnerability has been patched in version 6.8.0 and above. As a workaround, administrators should not give untrusted users the Deployment permission to set a .dme path on instances. The fix was implemented through pull request #1835 (GitHub Advisory).