Platform
other
Component
tgstation-server
Fixed in
4.0.1
CVE-2024-41799 is a remote code execution (RCE) vulnerability affecting tgstation-server, a BYOND server management tool. An attacker with low privileges can exploit this flaw to have malicious .dme files compiled and executed, potentially gaining control of the server if the BYOND environment is configured with the trusted security level. This vulnerability impacts versions 4.0.0 through 6.7.9 and has been resolved in version 6.8.0.
The primary impact of CVE-2024-41799 is the potential for remote code execution on the tgstation-server host. An attacker, possessing only low privileges, can leverage the "Set .dme Path" privilege to point the compiler at malicious .dme files, which are then compiled and executed. These files can be uploaded through tgstation-server or by other means. The severity is significantly amplified if the server is configured to operate in BYOND's trusted security level, a setting that itself requires a separate, isolated privilege or must have been enabled by another user. Successful exploitation allows the attacker to execute arbitrary code via BYOND's shell() proc, effectively compromising the entire server. This could lead to data breaches, system takeover, and disruption of services.
CVE-2024-41799 was publicly disclosed on July 29, 2024. There is currently no indication of active exploitation in the wild, nor is it listed on CISA KEV. Public proof-of-concept exploits are not yet available, but the vulnerability's nature and potential impact suggest it could become a target for exploitation. The complexity of the exploit chain (requiring multiple privileges) may limit its immediate widespread adoption.
Exploit Status
EPSS
7.02% (91st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-41799 is to upgrade to version 6.8.0 or later of tgstation-server. If upgrading is not immediately feasible, consider restricting access to the "Set .dme Path" privilege to trusted users only. Additionally, carefully review and restrict the trusted security level configuration within BYOND. Ensure that the shell() proc is not enabled or is heavily sandboxed. Monitor server logs for suspicious .dme file modifications or unexpected process executions. After upgrading, confirm the fix by attempting to set a malicious .dme file path and verifying that the server does not compile or execute it.
Update tgstation-server to version 6.8.0 or later. This version fixes the vulnerability that allows users with few permissions to compile and execute malicious .dme files outside the deployment directory. The update prevents the possible escalation to remote code execution.
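The remediation above hinges on accepting only .dme files that live inside the instance's deployment directory. The following is an added illustration, not tgstation-server's own code, of a containment check for a user-supplied .dme path; the function names and the constructed directory layout are assumptions made for the example, and it shows the classic pitfalls such a check must handle (traversal via `..`, absolute paths, sibling directories sharing a name prefix, and symlinks pointing outside the root).

```python
"""Containment check for a user-supplied .dme path (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_dme_path(deploy_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute .dme path if it lies inside deploy_dir, else None.

    * absolute paths are rejected outright (they would bypass the join);
    * the joined path is resolved, which collapses '..' and follows symlinks,
      so traversal and links that escape the root are caught;
    * Path.is_relative_to compares whole components, so 'deploy2' is not
      mistaken for a child of 'deploy' (a plain string-prefix test would be);
    * only an existing regular file with a .dme extension is accepted.
    """
    if os.path.isabs(requested):
        return None
    root = Path(deploy_dir).resolve()
    candidate = (root / requested).resolve()
    if not candidate.is_relative_to(root):
        return None
    if candidate.suffix.lower() != ".dme" or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a constructed deployment tree and exercise the check."""
    base = Path(tempfile.mkdtemp())  # constructed sample layout
    deploy = base / "deploy"
    (deploy / "code").mkdir(parents=True)
    (deploy / "tgstation.dme").write_text("// constructed sample environment")
    (base / "deploy2").mkdir()
    (base / "deploy2" / "evil.dme").write_text("// sibling dir, outside root")
    (base / "outside.dme").write_text("// outside root")
    (deploy / "link.dme").symlink_to(base / "outside.dme")
    return {
        "inside_ok": resolve_dme_path(str(deploy), "tgstation.dme") is not None,
        "traversal_blocked": resolve_dme_path(str(deploy), "../outside.dme") is None,
        "absolute_blocked": resolve_dme_path(str(deploy), str(base / "outside.dme")) is None,
        "prefix_blocked": resolve_dme_path(str(deploy), "../deploy2/evil.dme") is None,
        "symlink_blocked": resolve_dme_path(str(deploy), "link.dme") is None,
        "wrong_ext_blocked": resolve_dme_path(str(deploy), "code") is None,
    }


if __name__ == "__main__":
    print(demo())  # every value should be True
```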
CVE-2024-41799 is a remote code execution vulnerability in tgstation-server, allowing low-permission users to potentially execute malicious .dme files.
You are affected if you are running tgstation-server versions 4.0.0 through 6.7.9.
Upgrade to version 6.8.0 or later. If upgrading isn't possible, restrict access to the 'Set .dme Path' privilege and review BYOND security settings.
There is currently no indication of active exploitation, but the vulnerability's potential impact makes it a possible target.
Refer to the tgstation-server project's official communication channels for the latest advisory and updates.