OS Command Injection in sebhildebrandt systeminformation

1) OS Command Injection

EUVDB-ID: #VU111870

Risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-56334

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to some versions of SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. A local user can perform remote code execution or local privilege escalation

Mitigation

Install update from vendor's website.

Vulnerable software versions

systeminformation: 3.42.5 - 5.23.6

CPE2.3

• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.42.5:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.42.6:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.42.7:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:*:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.48.2:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.48.3:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.48.4:*:*:*:*:*:*:*
• cpe:2.3:a:sebastian_hildebrandt:systeminformation:3.49.0:*:*:*:*:*:*:*

External links

https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.