{ "id": "CVE-2022-4149", "sourceIdentifier": "psirt@netskope.com", "published": "2023-06-15T07:15:08.710", "lastModified": "2023-06-15T07:15:08.710", "vulnStatus": "Received", "descriptions": [ { "lang": "en", "value": "The Netskope client service (prior to R96) on Windows runs as NT AUTHORITY\\SYSTEM which writes log files to a writable directory (C:\\Users\\Public\\netSkope) for a standard user. The files are created and written with a SYSTEM account except one file (logplaceholder) which inherits permission giving all users full access control list. Netskope client restricts access to this file by allowing only read permissions as a standard user. Whenever the Netskope client service restarts, it deletes the logplaceholder and recreates, creating a race condition, which can be exploited by a malicious local user to create the file and set ACL permissions on the file. Once the file is created by a malicious user with proper ACL permissions, all files within C:\\Users\\Public\\netSkope\\ becomes modifiable by the unprivileged user. By using Windows pseudo-symlink, these files can be pointed to other places in the system and thus malicious users will be able to elevate privileges.\n" } ], "metrics": { "cvssMetricV31": [ { "source": "psirt@netskope.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH" }, "exploitabilityScore": 1.0, "impactScore": 5.9 } ] }, "weaknesses": [ { "source": "psirt@netskope.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-367" } ] } ], "references": [ { "url": "https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2023-002", "source": "psirt@netskope.com" } ] }