Privilege escalation in Nullsoft Scriptable Install System (NSIS)

1) Incorrect default permissions

EUVDB-ID: #VU79794

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-37378

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for an uninstaller directory. A local user with access to the system can view contents of files and directories or modify them.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Nullsoft Scriptable Install System (NSIS): 1.98 - 3.08

CPE2.3

• cpe:2.3:a:nullsoft:nsis:1.98:*:*:*:*:*:*:*
• cpe:2.3:a:nullsoft:nsis:2.0:*:*:*:*:*:*:*
• cpe:2.3:a:nullsoft:nsis:2.01:*:*:*:*:*:*:*

External links

https://github.com/kichik/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967
https://sourceforge.net/p/nsis/news/2023/07/nsis-309-released/
https://nsis.sourceforge.io/Docs/AppendixF.html#v3.09
https://github.com/kichik/nsis/commit/409b5841479c44fbf33a6ba97c1146e46f965467
https://github.com/kichik/nsis/commit/c40cf78994e74a1a3a381a850c996b251e3277c0
https://sf.net/p/nsis/bugs/1296
https://lists.debian.org/debian-lts-announce/2023/07/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A65FBUMHLZ7GBV3VDKUB5EK3A7X2UUWK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZPAAU57IA3NP6UOUXNBUQBAYK3JB2IM/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.