7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24356

GHSA ID

GHSA-hgwp-4vp4-qmm2

EPSS Score

0.07686%

CWE

CWE-427

Published

5/24/2021

Updated

3/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-24356

CVE-2020-24356: Local Privilege Escalation in cloudflared

In cloudflared versions < 2020.8.1 (corresponding to 0.0.0-20200820025921-9323844ea773 on pkg.go.dev) on Windows, if an administrator has started cloudflared and set it to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration was due to the way that cloudflared reads its configuration file. One of the locations that cloudflared reads from (C:\etc) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user. Upon reading this config, cloudflared would output an error message to a log file defined in the malformed config. The user-controlled log file location could be set to a specific location that Windows will execute when any user logs in.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24356

GHSA ID

GHSA-hgwp-4vp4-qmm2

EPSS Score

0.07686%

CWE

CWE-427

Published

5/24/2021

Updated

3/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cloudflare/cloudflared	go	< 0.0.0-20200820025921-9323844ea773	0.0.0-20200820025921-9323844ea773

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) Inclusion of C:\etc\ in the configuration search path on Windows, which isn't secure by default (CWE-427). The commit message explicitly mentions stopping checks on /etc in Windows, indicating this was part of the vulnerable code. 2) Improper handling of log file paths from untrusted configurations, allowing path hijacking. The commit references 'log file protection' as a fix, confirming this was a vulnerable component. While exact function names aren't visible in the provided diff, the CWE mapping and patch context make these functional areas clear vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In `*lou**l*r**` v*rsions < ****.*.* (*orr*spon*in* to *.*.*-**************-************ on pk*.*o.**v) on Win*ows, i* *n **ministr*tor **s st*rt** `*lou**l*r**` *n* s*t it to r*** *on*i*ur*tion *il*s *rom * **rt*in *ir**tory, *n unprivil**** us*r **

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) In*lusion o* `*:\*t*\` in t** *on*i*ur*tion s**r** p*t* on Win*ows, w*i** isn't s**ur* *y ****ult (*W*-***). T** *ommit m*ss*** *xpli*itly m*ntions stoppin* ****ks on `/*t*` in Win*ows, in*i**tin* t*is

7.8

Basic Information

Concerned about an active attack path?

CVE-2020-24356: Local Privilege Escalation in cloudflared

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI