A critical vulnerability has been discovered in the popular npm package systeminformation, placing millions of Windows systems at risk by enabling remote code execution (RCE) and privilege escalation. Identified as CVE-2024-56334, this flaw underscores the paramount importance of secure coding practices, particularly when handling untrusted user input.
The vulnerability affects the getWindowsIEEE8021x function in systeminformation versions ≤5.23.6. The issue arises from inadequate input validation of Wi-Fi SSID fields, which are passed directly to the Windows command line (cmd.exe). This oversight allows malicious commands to be executed at the operating system level.
According to information from GitHub, the SSID data is processed via commands such as `netsh wlan show interface` and `cmd.exe /d /s /c "netsh wlan show profiles"` without proper sanitization. Attackers can craft malicious SSID names containing executable code to gain full control over the victim’s system.
A proof-of-concept demonstrates how an attacker could configure a Wi-Fi access point with an SSID embedding harmful commands like `a" | ping /t 127.0.0.1 &` or `a" | %SystemDrive%\a\a.exe &`. Any user connecting to such a network risks executing these malicious operations.
The vulnerability was uncovered by the researcher @xAiluros, who provided a detailed description and proof-of-concept. The potential consequences include remote code execution, unauthorized data access, and system disruptions. With a CVSS v3 base score of 7.8, the severity of this issue is undeniable.
To mitigate the risk, the package developer has released version 5.23.7, implementing robust input validation and sanitization. All developers utilizing this package are strongly urged to update their projects immediately to safeguard against potential attacks.
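The following added example (not the package's own code or its actual fix) shows why the proof-of-concept SSIDs escape the quoting of a string-built command, and one way to handle an SSID safely. The command template and all function names are assumptions made for illustration.

```javascript
// Added example; names and the command template are assumptions, not the package's code.
const CMD_META = new Set(['&', '|', '<', '>']);

// Vulnerable pattern: the SSID is spliced into a string that cmd.exe will parse.
function buildProfileCommandUnsafe(ssid) {
  return `netsh wlan show profiles "${ssid}"`;
}

// Return the cmd.exe operators that end up outside double quotes,
// i.e. the ones cmd.exe treats as syntax rather than data.
function unquotedOperators(commandLine) {
  const found = [];
  let inQuotes = false;
  for (const ch of commandLine) {
    if (ch === '"') inQuotes = !inQuotes;
    else if (!inQuotes && CMD_META.has(ch)) found.push(ch);
  }
  return found;
}

// Hardened pattern, part 1: reject SSIDs that cannot be valid or that carry
// characters cmd.exe interprets (quotes, operators, %VAR% and !VAR! expansion).
function isSafeSsid(ssid) {
  if (typeof ssid !== 'string' || ssid.length === 0) return false;
  if (Buffer.byteLength(ssid, 'utf8') > 32) return false; // 802.11 SSID limit
  return !/["&|<>^%!\x00-\x1f]/.test(ssid);
}

// Hardened pattern, part 2: build an argument vector for
// child_process.execFile('netsh', args), which starts netsh without cmd.exe.
function netshProfileArgs(ssid) {
  if (!isSafeSsid(ssid)) throw new Error('rejected SSID');
  return ['wlan', 'show', 'profiles', `name=${ssid}`];
}

// Constructed inputs: one ordinary SSID and the two proof-of-concept SSIDs from the article.
const samples = ['HomeNet-5G', 'a" | ping /t 127.0.0.1 &', 'a" | %SystemDrive%\\a\\a.exe &'];
for (const ssid of samples) {
  const ops = unquotedOperators(buildProfileCommandUnsafe(ssid));
  console.log(JSON.stringify(ssid), 'unquoted operators:', ops, 'accepted:', isSafeSsid(ssid));
}
```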