CVE-2024-29417 is an insecure permissions vulnerability found in e-trust Horacius versions 1.0, 1.1, and 1.2. The flaw resides in the password reset functionality, which improperly controls access permissions, allowing a local attacker to escalate privileges without authentication or user interaction. This vulnerability is categorized under CWE-277, indicating improper access control mechanisms. The CVSS v3.1 score is 8.4, reflecting high severity due to the vulnerability's impact on confidentiality, integrity, and availability. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). Exploiting this vulnerability can lead to full system compromise by elevating privileges from a local user to administrative levels. Although no public exploits have been reported, the vulnerability poses a significant risk to any organization deploying affected versions of e-trust Horacius, especially in environments where local user access is possible. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce exposure.

The vulnerability allows an attacker with local access to escalate privileges, potentially gaining administrative control over the affected system. This can lead to unauthorized access to sensitive data, modification or deletion of critical information, and disruption of system availability. Organizations relying on e-trust Horacius for security or operational functions may face severe consequences including data breaches, operational downtime, and loss of trust. The high CVSS score indicates that the vulnerability affects all three security pillars: confidentiality, integrity, and availability. The ease of exploitation without authentication or user interaction increases the risk, especially in environments where multiple users have local access. This could facilitate lateral movement within networks and further compromise of connected systems.

1. Restrict local access to systems running e-trust Horacius to trusted personnel only, minimizing the attack surface. 2. Conduct a thorough audit of file and directory permissions related to the password reset functionality to ensure they follow the principle of least privilege. 3. Implement monitoring and alerting for unusual local activities, especially attempts to access or modify password reset components. 4. If possible, disable or restrict the password reset function until a patch or official fix is available. 5. Apply network segmentation to isolate critical systems running e-trust Horacius from less trusted user groups. 6. Educate local users about the risks of privilege escalation and enforce strict user account management policies. 7. Stay updated with vendor advisories and apply patches immediately once released. 8. Consider deploying endpoint detection and response (EDR) solutions to detect and respond to suspicious privilege escalation attempts.