CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Percentile: 60.9%

Tychon contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files.

Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.

By placing a specially-crafted openssl.cnf in a location used by Tychon, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Tychon software installed.

This issue is addressed in Tychon 1.7.857.82.
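
An audit sketch for the condition described above, added here and not taken from CERT/CC or Tychon: it extracts the `OPENSSLDIR: "..."` string that OpenSSL compiles into its library from a binary image and flags values that resolve outside the Windows directories protected by default. The sample bytes and path are constructed, and the protected-directory list is an assumption about default ACLs; confirm real permissions with `icacls`.

```python
import ntpath
import re

# OpenSSL compiles its configuration directory into libcrypto as the
# literal string  OPENSSLDIR: "<path>"  (what `openssl version -d` prints).
_OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]{1,260})"')

# Assumption: on a default install only these trees on the system drive
# deny write/create access to standard users.
_PROTECTED = ("\\program files\\", "\\program files (x86)\\", "\\windows\\")

# Constructed sample image; the path is NOT the one used by Tychon.
SAMPLE = b'\x00\x01MZ..\x00OPENSSLDIR: "/usr/local/ssl"\x00ENGINESDIR: "x"\x00'


def find_openssldir(blob):
    """Return every distinct OPENSSLDIR value embedded in a binary image."""
    hits = {m.group(1).decode("ascii", "replace")
            for m in _OPENSSLDIR_RE.finditer(blob)}
    return sorted(hits)


def assess(openssldir, system_drive="C:"):
    """Resolve a build-time OPENSSLDIR as Windows would and grade it."""
    drive, rest = ntpath.splitdrive(openssldir)
    if not rest.startswith(("\\", "/")):
        return openssldir, "RELATIVE"      # depends on the working directory
    # A drive-less rooted path (Unix-style build default) lands on the
    # current drive's root, e.g. /usr/local/ssl -> C:\usr\local\ssl.
    resolved = ntpath.normpath((drive or system_drive) + rest)
    res_drive, tail = ntpath.splitdrive(resolved)
    on_system = res_drive.lower() == system_drive.lower()
    if on_system and (tail.lower() + "\\").startswith(_PROTECTED):
        return resolved, "PROTECTED"       # still confirm with icacls
    return resolved, "REVIEW"              # may be creatable by standard users


if __name__ == "__main__":
    for value in find_openssldir(SAMPLE):
        print(value, "->", *assess(value))
```

A `REVIEW` or `RELATIVE` result on a binary loaded by a privileged service is the case to check against the vendor's fixed version.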
This document was written by Will Dormann.
730007
Notified: 2022-03-10 Updated: 2022-04-28
Statement Date: April 27, 2022
CVE-2022-26872 | Affected |
---|
CVE-2022-26872 has been resolved with an update to the OpenSSL library TYCHON uses. The TYCHON Endpoint version 1.7.857.82 contains the fix to this vulnerability.
CVE IDs: | CVE-2022-26872 |
---|---|
Date Public: | 2022-04-28 |
Date First Published: | |