PT-2024-28664 · Veertu · Veertu Anka Build

Kpc +1 · Published 2024-10-03 · Updated 2025-09-04 · CVE-2024-39755

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Veertu Anka Build version 1.42.0

Description: A privilege escalation vulnerability exists in the node update functionality of Veertu Anka Build. The vulnerability occurs during an Anka node agent update and can be triggered by a low-privileged user. A specially crafted PKG file can lead to the execution of privileged operations. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. The root cause is a time-of-check to time-of-use (TOCTOU) race: the downloaded package can be replaced with a malicious one before installation.

Recommendations: For Veertu Anka Build version 1.42.0, consider disabling the node update functionality until a patch is available to prevent exploitation. Restrict access to the Anka node agent update process to minimize the risk of privilege escalation. Avoid using specially crafted PKG files in the update process. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
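The general defence against the check-then-install race described above, as an added example that is not Veertu's code: the privileged updater copies the download into a directory only it can write, hashes exactly the bytes it copied, and installs only from that private copy. The names `stage_verified` and `demo`, the paths, and the existence of a trusted expected SHA-256 digest are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def stage_verified(src_path, expected_sha256, private_dir):
    """Copy src_path into private_dir, hashing exactly the bytes copied."""
    # Assumption: private_dir is writable only by the privileged updater.
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    dst_fd, dst_path = tempfile.mkstemp(dir=private_dir, suffix=".pkg")  # 0600
    digest = hashlib.sha256()
    try:
        with os.fdopen(dst_fd, "wb") as dst:
            # O_NOFOLLOW refuses a symlink planted at the download path.
            src_fd = os.open(src_path, os.O_RDONLY | os.O_NOFOLLOW)
            with os.fdopen(src_fd, "rb") as src:
                for chunk in iter(lambda: src.read(65536), b""):
                    digest.update(chunk)
                    dst.write(chunk)
        if digest.hexdigest() != expected_sha256:
            raise ValueError("package digest mismatch")
    except BaseException:
        os.unlink(dst_path)  # never leave an unverified copy behind
        raise
    return dst_path  # install from this path only, never from src_path


def demo():
    """Constructed scenario: the download is swapped after the check."""
    good, evil = b"constructed genuine pkg bytes", b"constructed swapped bytes"
    expected = hashlib.sha256(good).hexdigest()  # assumed trusted digest
    with tempfile.TemporaryDirectory() as tmp:
        download = os.path.join(tmp, "update.pkg")  # user-writable location
        private = os.path.join(tmp, "private")
        with open(download, "wb") as f:
            f.write(good)
        staged = stage_verified(download, expected, private)
        with open(download, "wb") as f:  # swap happens after verification
            f.write(evil)
        with open(staged, "rb") as f:
            staged_ok = f.read() == good  # staged copy is unaffected
        try:
            stage_verified(download, expected, private)
            swapped_rejected = False
        except ValueError:
            swapped_rejected = True  # re-staging the swapped file fails
    return staged_ok, swapped_rejected
```

On a real node the private directory would be owned by root and every parent directory would also be non-writable to other users; otherwise the staged path itself can be replaced.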

Exploit

LPE

Weakness Enumeration

Related Identifiers

CVE-2024-39755

Affected Products

Veertu Anka Build