CVE-2024-36587 is a vulnerability identified in DNSCrypt-proxy versions from 2.0.0alpha9 up to 2.1.5, where insecure file permissions on the dnscrypt-proxy binary allow a non-privileged local attacker to overwrite this binary and escalate their privileges to root. DNSCrypt-proxy is a widely used tool designed to secure DNS traffic by encrypting DNS queries, enhancing privacy and security for end users. The vulnerability stems from improper permission settings (classified under CWE-266: Incorrect Privilege Assignment), which fail to restrict write access to the dnscrypt-proxy executable. This misconfiguration enables attackers who have local access to the system to replace or modify the binary, effectively gaining root-level control over the affected system. The CVSS v3.1 base score of 7.8 reflects a high severity rating, with attack vector being local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the vulnerability presents a significant risk due to the potential for full system compromise. The lack of official patches at the time of publication necessitates immediate attention to mitigate risk. This vulnerability is particularly critical in environments where DNSCrypt-proxy is deployed on multi-user systems or servers where local user access is possible. Attackers exploiting this flaw can bypass security controls, manipulate DNS traffic, and potentially use the compromised system as a foothold for further network intrusion.

The impact of CVE-2024-36587 is substantial for organizations using affected versions of DNSCrypt-proxy. Successful exploitation results in full root privilege escalation, allowing attackers to gain complete control over the compromised system. This can lead to unauthorized access to sensitive data, manipulation or disruption of DNS traffic, installation of persistent malware, and lateral movement within the network. The confidentiality, integrity, and availability of the affected systems are all severely compromised. Organizations relying on DNSCrypt-proxy for DNS security and privacy may find their defenses undermined, potentially exposing internal network infrastructure and user data. The local attack vector limits exploitation to users with some level of system access, but in environments with multiple users or shared hosting, this risk is amplified. Additionally, compromised systems can be leveraged as launch points for broader attacks, increasing the overall threat to organizational cybersecurity posture.

To mitigate CVE-2024-36587, organizations should immediately audit and restrict file permissions on the dnscrypt-proxy binary to ensure only root or authorized administrators have write access. Specifically, the binary should have permissions set to 755 or more restrictive, and ownership should be assigned to root. Employ filesystem integrity monitoring tools to detect unauthorized changes to the dnscrypt-proxy executable. Limit local user access to trusted personnel and enforce the principle of least privilege to reduce the risk of local exploitation. Until official patches are released, consider deploying compensating controls such as mandatory access controls (e.g., SELinux or AppArmor) to restrict modification capabilities on critical binaries. Regularly update DNSCrypt-proxy to the latest stable versions once patches addressing this vulnerability become available. Additionally, monitor system logs for suspicious activity indicative of privilege escalation attempts. For environments where local access cannot be tightly controlled, consider alternative DNS encryption solutions with verified secure permission configurations.