CVE-2024-32487 Overview
CVE-2024-32487 is a command injection vulnerability affecting the less file pager utility through version 653. The vulnerability allows OS command execution via a newline character embedded in a file name, caused by improper quoting in filename.c. Exploitation typically requires interaction with attacker-controlled file names, such as files extracted from an untrusted archive, and relies on the LESSOPEN environment variable being set—which is configured by default in many common Linux distributions.
Critical Impact
Attackers can achieve arbitrary OS command execution by crafting malicious file names containing newline characters, potentially leading to complete system compromise when users view files from untrusted sources such as archive files.
Affected Products
- Greenwoodsoftware less (through version 653)
- Debian Linux 10.0
- NetApp Bootstrap OS
- NetApp HCI Compute Node
- NetApp HCI Storage Nodes
- NetApp SolidFire
Discovery Timeline
- April 13, 2024 - CVE-2024-32487 published to NVD
- June 17, 2025 - Last updated in NVD database
Technical Details for CVE-2024-32487
Vulnerability Analysis
This vulnerability represents a classic command injection flaw stemming from improper handling of special characters in file names. When the less utility processes a file name containing newline characters (\n), the quoting mechanism in filename.c fails to properly sanitize the input before passing it to external commands via the LESSOPEN preprocessor feature.
The LESSOPEN environment variable allows less to invoke an input preprocessor program before displaying file contents. This is commonly used to enable viewing of compressed files, archives, or other special file formats. When a malicious file name containing newline characters is passed to this preprocessor pipeline, the inadequate quoting allows the attacker to break out of the intended command context and inject arbitrary shell commands.
Root Cause
The root cause lies in improper quoting and input sanitization within the filename.c source file. When constructing shell commands that include file names, the code fails to properly escape or handle newline characters. Since shell interpreters treat newlines as command separators, an attacker-controlled newline in a file name effectively allows injection of additional commands into the shell execution context.
Attack Vector
This is a local attack vector that requires user interaction. The typical exploitation scenario involves:
- An attacker creates a file with a specially crafted name containing newline characters followed by malicious commands
- The malicious file is distributed within an archive (tar, zip, etc.) or shared via other means
- A victim extracts the archive and uses less to view the malicious file or files in the same directory
- When less invokes the LESSOPEN preprocessor with the malicious file name, the injected commands execute with the victim's privileges
The attack is facilitated by the fact that LESSOPEN is set by default in many Linux distributions to enable convenient viewing of compressed files and other special formats. Users who extract untrusted archives and view files with less are at risk.
For detailed technical analysis of the vulnerability and the specific code changes, see the GitHub Commit Details and the Openwall OSS-Security Post.
Detection Methods for CVE-2024-32487
Indicators of Compromise
- File names containing newline characters (\n or %0a) in directories or extracted archives
- Unusual shell command execution spawned from less processes
- Archive files containing entries with special characters in file names
- Unexpected child processes spawned by the less binary
Detection Strategies
- Monitor process execution chains for shell commands spawned as children of less processes
- Implement file system monitoring to detect creation of files with unusual characters including newlines in their names
- Deploy endpoint detection rules to identify extraction of archives containing suspicious file names
- Audit LESSOPEN environment variable configurations across systems
Monitoring Recommendations
- Enable command-line auditing to capture full process execution trees
- Monitor for less processes executing unexpected binaries or scripts
- Implement archive content inspection for files with malformed or suspicious names before extraction
- Track modification of LESSOPEN and LESSCLOSE environment variables in user profiles
How to Mitigate CVE-2024-32487
Immediate Actions Required
- Update less to version 654 or later which contains the security fix
- Unset the LESSOPEN environment variable as a temporary workaround if patching is not immediately possible
- Avoid using less to view files from untrusted sources, especially extracted archives
- Implement security policies restricting archive extraction from untrusted sources
Patch Information
The vulnerability has been addressed in the upstream less repository. The fix involves proper quoting of file names to prevent newline injection attacks. Organizations should apply vendor-specific patches as they become available:
- Greenwoodsoftware less: Update to version 654 or apply commit 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 from the official repository
- Debian Linux: See the Debian LTS Announcement for patched package versions
- NetApp Products: Refer to the NetApp Security Advisory for guidance on affected products
Workarounds
- Unset LESSOPEN by adding unset LESSOPEN to shell profiles or running it before using less
- Use alternative file viewers such as cat, more, or view that do not invoke preprocessors
- Implement archive inspection tools to check for malicious file names before extraction
- Configure file extraction tools to sanitize or reject file names containing special characters
# Disable LESSOPEN preprocessor as a temporary workaround
unset LESSOPEN
unset LESSCLOSE
# Add to ~/.bashrc or /etc/profile for persistent mitigation
echo 'unset LESSOPEN' >> ~/.bashrc
echo 'unset LESSCLOSE' >> ~/.bashrc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
