CVE-2024-32487: n/a
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
AI Analysis
Technical Summary
CVE-2024-32487 is a command injection vulnerability found in the less pager utility, specifically in versions up to 653. The root cause lies in improper handling of quoting in the filename.c source file, which allows an attacker to inject OS commands via a newline character embedded in a filename. When less processes such a filename, it fails to properly sanitize or escape the input, leading to execution of arbitrary commands. Exploitation requires the attacker to control filenames, commonly achieved by providing malicious files within an untrusted archive that the victim opens using less. Additionally, the LESSOPEN environment variable must be set, which is often the case by default in many Linux distributions to enable preprocessing of files before viewing. The vulnerability is classified under CWE-96 (Improper Control of Filename for Include/Require Statement in PHP, but here it applies to command injection via filename handling). The CVSS v3.1 score is 8.6, indicating a high severity with attack vector local, low attack complexity, no privileges required, user interaction required, scope changed, and high impact on confidentiality, integrity, and availability. No patches have been linked yet, and no known exploits are reported in the wild, but the risk remains significant due to the ease of exploitation when conditions are met.
Potential Impact
The vulnerability allows attackers to execute arbitrary OS commands with the privileges of the user running less, which can lead to full system compromise, data theft, or destruction. Since less is widely used on Unix-like systems for viewing files, including logs and archives, this vulnerability can be leveraged to escalate local access or execute code remotely if combined with other attack vectors (e.g., tricking users into opening malicious archives). The impact spans confidentiality (unauthorized data access), integrity (modification or deletion of files), and availability (disruption of services). Organizations that process untrusted archives or files using less are at risk, especially in environments where users have elevated privileges or where less is used in automated scripts. The lack of required privileges for exploitation and the common default setting of LESSOPEN increase the attack surface. Although no exploits are currently known in the wild, the vulnerability's characteristics suggest it could be weaponized quickly.
Mitigation Recommendations
1. Avoid opening untrusted archives or files with less until a patch is available.
2. Disable or unset the LESSOPEN environment variable in environments where untrusted files may be viewed to prevent preprocessing that triggers the vulnerability.
3. Use alternative file viewers or pagers that do not have this vulnerability when handling untrusted content.
4. Monitor for updates from less maintainers and apply patches promptly once released.
5. Implement strict file validation and sanitization policies before processing archives or files with less.
6. Educate users about the risks of opening files from untrusted sources, especially archives that may contain malicious filenames.
7. Employ endpoint detection and response (EDR) tools to detect suspicious command execution patterns related to less usage.
8. Restrict user privileges to minimize the impact of potential exploitation.
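One way to apply recommendations 2 and 5 before paging through an extracted archive, as an added example that is not part of the original advisory or of the less project: a POSIX shell check that counts file names containing a newline under a directory and reports whether LESSOPEN is set. The function names and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-viewing check for the two preconditions the advisory names
# (a newline in a file name, and LESSOPEN being set). Function names are
# hypothetical; nothing here is taken from less itself.

# A literal newline; command substitution would strip it, so quote it directly.
NL='
'

# count_newline_names DIR
# Print how many entries under DIR have a newline in their name.
# One 'x' is emitted per match so the names' own newlines cannot skew the count.
count_newline_names() {
    find "$1" -name "*${NL}*" -exec printf 'x' \; | wc -c | tr -d ' '
}

# list_newline_names DIR
# Print each offending path on one line, non-printable characters shown as '?'.
list_newline_names() {
    find "$1" -name "*${NL}*" -exec sh -c \
        'printf "%s" "$1" | tr -c "[:print:]" "?"; echo' sh {} \;
}

# audit_tree DIR
# Return 1 only when both preconditions hold: a newline-bearing name exists
# under DIR and LESSOPEN is set in this environment. Otherwise return 0.
audit_tree() {
    n=$(count_newline_names "$1")
    if [ "$n" -eq 0 ]; then
        echo "ok: no file names with newlines under $1"
        return 0
    fi
    echo "found $n name(s) containing a newline under $1:"
    list_newline_names "$1"
    if [ -n "${LESSOPEN+set}" ]; then
        echo "LESSOPEN is set: unset it (or rename the files) before using less here"
        return 1
    fi
    echo "LESSOPEN is unset in this shell"
    return 0
}

# Stand-alone use: sh audit.sh /path/to/extracted/archive
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

A nonzero exit status means both conditions the advisory lists are present, so the check can gate a wrapper script around less.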
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, China, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-04-13T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c37b7ef31ef0b5613f7
Added to database: 2/25/2026, 9:40:07 PM
Last enriched: 2/28/2026, 2:40:15 AM
Last updated: 4/12/2026, 3:42:29 PM