CVE-2024-4030 Overview
CVE-2024-4030 is an Insecure Permissions vulnerability affecting Python's tempfile.mkdtemp() function on Windows systems. The vulnerability occurs when directories created by this function do not receive restrictive permissions, instead inheriting permissions from the default location. This can allow other users on the same system to read and write to temporary directories that should be private to the creating user.
The issue specifically impacts Windows environments where users have alternate configurations or lack a profile directory. On other platforms (Linux, macOS), the returned directory is consistently readable and writable only by the current user, making non-Windows systems unaffected.
Critical Impact
Local attackers can read or modify sensitive data stored in temporary directories created by Python applications, potentially leading to information disclosure or data tampering.
Affected Products
- Python for Windows (various versions)
- Applications using tempfile.mkdtemp() on Windows with non-default temporary directory configurations
- Windows systems where users do not have a profile directory
Discovery Timeline
- May 7, 2024 - CVE-2024-4030 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-4030
Vulnerability Analysis
This vulnerability stems from Python's inability to properly enforce Unix-style permissions on Windows systems. When tempfile.mkdtemp() creates a temporary directory, it should ensure the directory is accessible only by the current user (equivalent to Unix permission mode 700). However, on Windows, the created directory inherits permissions from its parent directory rather than applying restrictive permissions.
The impact is significant for applications that store sensitive data in temporary directories, assuming those directories are private. In multi-user Windows environments, other authenticated users could potentially access, modify, or delete files in these supposedly private temporary directories. This could lead to information disclosure of sensitive application data or integrity violations if an attacker modifies temporary files used by the application.
Root Cause
The root cause is Python's lack of support for applying Unix-style permissions on Windows. The mkdir function underlying tempfile.mkdtemp() did not translate Unix permission mode 700 (owner read/write/execute only) into equivalent Windows Access Control Lists (ACLs). As a result, newly created temporary directories inherited their parent directory's permissions rather than being restricted to the creating user.
Attack Vector
The attack requires local access to the target Windows system. An authenticated attacker sharing the same system could enumerate temporary directories created by other users and access their contents. The attack is particularly effective in shared computing environments, terminal servers, or systems where multiple users have interactive access.
The attacker could monitor the default temporary directory location (typically %TEMP% or C:\Windows\Temp) for new directories created by target applications. Without proper permission restrictions, the attacker can read sensitive data, modify files to inject malicious content, or delete files to cause denial of service.
Detection Methods for CVE-2024-4030
Indicators of Compromise
- Unexpected access to temporary directories by users other than the directory creator
- File system audit logs showing cross-user access to directories within temporary paths
- Modification timestamps on temporary files that don't correspond to the owning application's activity
- Unusual file permissions on directories created by tempfile.mkdtemp() showing inherited rather than restrictive ACLs
Detection Strategies
- Enable Windows Security Auditing for object access on temporary directories to log unauthorized access attempts
- Implement file integrity monitoring on critical temporary directory paths used by sensitive applications
- Use PowerShell or security tools to periodically scan temporary directories for overly permissive ACLs
- Monitor for Python applications using vulnerable versions by tracking installed Python versions across the environment
Monitoring Recommendations
- Configure SentinelOne to detect and alert on cross-user file access patterns in temporary directories
- Establish baseline behavior for temporary directory creation and access patterns
- Deploy endpoint detection rules that identify permission inheritance issues on newly created directories
- Integrate Python version inventory with vulnerability management workflows to identify affected systems
How to Mitigate CVE-2024-4030
Immediate Actions Required
- Upgrade Python to a patched version that includes the fix for Unix permission support in mkdir on Windows
- Audit applications using tempfile.mkdtemp() to identify potential exposure
- Configure custom temporary directory locations with restricted parent directory permissions as a defense-in-depth measure
- Review Windows ACLs on existing temporary directories created by Python applications
Patch Information
The Python development team has released multiple patches addressing this vulnerability across different Python branches. The fix adds support for Unix "700" permissions in the mkdir function on Windows, ensuring tempfile.mkdtemp() creates directories with proper restrictive permissions.
Key patches are available through the GitHub Issue #118486 tracking this vulnerability. Additional details can be found in the Python Security Announcement. NetApp has also published guidance in their Security Advisory NTAP-20240705-0005.
Workarounds
- Manually set restrictive ACLs on temporary directories after creation using Windows APIs or PowerShell
- Use alternative temporary directory creation methods that explicitly set Windows security descriptors
- Configure a dedicated temporary directory location with pre-set restrictive permissions for sensitive applications
- Consider using platform-specific code paths that leverage Windows security APIs directly for security-critical temporary file operations
# PowerShell: Check and fix permissions on temporary directories
# Audit existing Python temp directories for permission issues
Get-ChildItem -Path $env:TEMP -Directory | ForEach-Object {
$acl = Get-Acl $_.FullName
Write-Output "Directory: $($_.FullName)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
}
# Set restrictive permissions on a specific directory
$path = "C:\Users\YourUser\AppData\Local\Temp\your_temp_dir"
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
