
CVE-2024-0770: CWE-276 Incorrect Default Permissions in European Chemicals Agency IUCLID

Severity: Medium
Tags: Vulnerability, CVE-2024-0770, CWE-276
Published: Sun Jan 21 2024 (01/21/2024, 23:00:05 UTC)
Source: CVE Database V5
Vendor/Project: European Chemicals Agency
Product: IUCLID

Description

A vulnerability, which was classified as critical, was found in European Chemicals Agency IUCLID 7.10.3 on Windows. Affected is an unknown function of the file iuclid6.exe of the component Desktop Installer. The manipulation leads to incorrect default permissions. The attack needs to be approached locally. VDB-251670 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/08/2025, 16:43:57 UTC

Technical Analysis

CVE-2024-0770 affects version 7.10.3 of the European Chemicals Agency's IUCLID on Windows, in the executable iuclid6.exe shipped by the Desktop Installer component. It is classified as CWE-276 (Incorrect Default Permissions): the installer leaves a file or directory of the installation with an access control list that is more permissive than it should be, so a local user without administrative rights can modify or replace what the application later loads or runs. The CVE record does not name the affected path beyond iuclid6.exe, and the vendor did not respond to the disclosure, so there is no vendor statement of which ACL entries are wrong.

The CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, base score 4.4 (medium). Reading it: the attacker needs a local foothold with low privileges (PR:L), no user interaction is required (UI:N), attack complexity is low, and the rated consequences are a low impact on integrity and on availability with no confidentiality impact. The scope is unchanged (S:U), so the score as assigned does not credit the finding as a privilege escalation, although a writable executable on a shared or multi-user machine is the classic precondition for one: whoever next runs the tampered binary executes the attacker's code with their own privileges. No patch and no exploitation in the wild had been reported at the time of disclosure.

IUCLID is the application used by ECHA, national authorities and industry to prepare and manage chemical substance data for regulatory submissions, so the integrity of its installation bears directly on the accuracy of safety and compliance data.

Potential Impact

For European organizations, particularly those involved in chemical regulation, manufacturing or compliance reporting, this vulnerability puts the integrity and availability of chemical data managed through IUCLID at risk. A local user with limited privileges could use the overly permissive default permissions to modify installation files or configuration, leading to corrupted data, altered substance information or disrupted regulatory submissions. That in turn could mean compliance failures, regulatory penalties or safety risks if inaccurate chemical data is propagated. Because IUCLID is widely used across European chemical agencies and companies to meet EU obligations such as REACH, the impact reaches both operational continuity and trust in chemical data management. The vector is local only (AV:L): there is no remote exploitation path, so the realistic threat is an insider or an attacker who already holds a local account on the machine, in particular on shared or multi-user hosts.

Mitigation Recommendations

To mitigate this vulnerability, organizations running IUCLID should:

1) Restrict local access to systems running IUCLID to trusted, authorized personnel; enforce strict account controls and monitor logons.
2) Audit the ACLs of the IUCLID installation directory, iuclid6.exe and the files beside it, and remove write, modify, delete and full-control rights held by broad principals such as Everyone, Users or Authenticated Users. Pay particular attention to installations outside %ProgramFiles%: a directory created directly under the root of the system drive inherits Modify for Authenticated Users by default, which is exactly the condition CWE-276 describes.
3) Put the IUCLID executables and configuration files under application whitelisting and file integrity monitoring so that unauthorized changes are detected; a SHA-256 baseline of the binaries taken right after installation is the minimum.
4) Use endpoint protection capable of detecting privilege escalation attempts and unauthorized local modification of application binaries.
5) Maintain physical security controls on machines running IUCLID to prevent unauthorized local access.
6) Ask the European Chemicals Agency or the IUCLID maintainers for a fixed release and apply it once available; until then, the ACL correction in step 2 is the effective fix.
7) Consider isolating IUCLID installations in controlled environments or virtual machines, and avoid installing it on shared multi-user hosts where a low-privileged account could reach the binary.
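The following script is an added example for steps 2 and 3 above; it is not code from ECHA, IUCLID or the advisory. It walks an IUCLID installation, reports any Allow ACE that grants a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) a right sufficient to alter or replace a file, records a SHA-256 baseline of the executables, and prints the icacls command that would lock the tree down. The install path is an assumption; the advisory does not state where the Desktop Installer places iuclid6.exe.

```powershell
# Added example (not ECHA/IUCLID code). Audit IUCLID install ACLs for CWE-276
# conditions and take an integrity baseline. Run as the auditing user first;
# the remediation command at the end needs an elevated prompt.
$InstallDir = 'C:\Program Files\IUCLID6'   # ASSUMED path; adjust to your install
$ExeName    = 'iuclid6.exe'                # binary named in the CVE record

if (-not (Test-Path -LiteralPath $InstallDir)) {
    throw "Install directory not found: $InstallDir"
}

# Principals that must never hold write-class rights on application binaries.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a local user change what the application executes.
# Cast to [int] so that generic rights (which show up as large negative values
# in FileSystemRights) still compare correctly.
$R = [System.Security.AccessControl.FileSystemRights]
[int]$WriteMask = [int]$R::Write -bor [int]$R::Modify -bor [int]$R::FullControl -bor
                  [int]$R::Delete -bor [int]$R::TakeOwnership -bor [int]$R::ChangePermissions

# Directory itself plus everything the application may load or run.
$Targets = @($InstallDir) + (Get-ChildItem -LiteralPath $InstallDir -Recurse -File `
              -Include '*.exe','*.dll','*.jar','*.bat','*.ini','*.properties','*.xml' `
              -ErrorAction SilentlyContinue).FullName

$Findings = foreach ($path in $Targets) {
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True => fix the parent directory, not just the file
        }
    }
}

# Step 3: SHA-256 baseline of the binaries, to diff against later.
$Baseline = Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Include '*.exe','*.dll','*.jar' |
            Get-FileHash -Algorithm SHA256 |
            Select-Object Path, Hash
$Baseline | Export-Csv -LiteralPath (Join-Path $env:TEMP 'iuclid-baseline.csv') -NoTypeInformation

if ($Findings) {
    Write-Warning "Broad write access found on $($Findings.Count) entries (CWE-276 condition):"
    $Findings | Format-Table -AutoSize
    $exeHit = $Findings | Where-Object { $_.Path -like "*\$ExeName" }
    if ($exeHit) { Write-Warning "$ExeName itself is writable by a broad principal; it can be replaced." }

    # Remediation (elevated): drop inherited ACEs, give Administrators and SYSTEM
    # full control, everyone else read+execute only, applied to the whole tree.
    $fix = "icacls `"$InstallDir`" /inheritance:r /grant:r `"Administrators:(OI)(CI)F`" " +
           "`"SYSTEM:(OI)(CI)F`" `"Users:(OI)(CI)RX`" /T /C"
    Write-Host "`nRun from an elevated prompt to correct the ACLs:`n$fix"
} else {
    Write-Host "No write-class rights for broad principals found under $InstallDir."
}
```

The Inherited column matters for the fix: if the offending ACE is inherited, the root cause is the ACL of the parent directory (typically a non-default install location), and correcting only iuclid6.exe would be undone by the next inheritance propagation. Re-run the script after applying the icacls command and compare the exported baseline against a fresh Get-FileHash run as part of routine integrity checks.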


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2024-01-21T09:07:24.291Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839c41d182aa0cae2b435bb

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 7/8/2025, 4:43:57 PM

Last updated: 8/11/2025, 9:28:48 AM

