Conda-Forge OpenSSL Feedstock Privilege Escalation Vulnerability on Windows
Vulnerability
A local privilege escalation vulnerability has been identified in the Conda-Forge OpenSSL Feedstock, specifically in builds prior to commit 066e83c (2024-05-20) and in Miniforge versions prior to 24.5.0. On Microsoft Windows, these builds compile OpenSSL with an OPENSSLDIR path (the compile-time directory from which OpenSSL loads its openssl.cnf at initialization) that is writable by non-privileged local users. Because openssl.cnf can direct OpenSSL to load engine or provider modules from arbitrary file paths, a non-privileged user who places a specially crafted openssl.cnf in the OPENSSLDIR can execute arbitrary code with the privileges of whatever user or process loads the OpenSSL DLLs.
Impact
Exploitation of this vulnerability leads to arbitrary code execution in the context of any process that loads the affected OpenSSL DLLs. When such a process runs as a more privileged account than the attacker, for example a service or an administrator's interactive session using a Miniforge or conda environment, a non-privileged user can obtain those privileges, potentially gaining administrative rights or control over the system.
Reproduction
The vulnerability can be reproduced by creating an 'openssl.cnf' file with malicious content and placing it in the OPENSSLDIR directory. The OPENSSLDIR path is fixed at build time and on a typical target machine does not exist, so the attacker only needs to be able to create it: either by creating the directory tree on a drive that non-privileged users can write to, or, if the 'D:' drive letter used by the vulnerable builds belongs to a CD/DVD-ROM drive, by inserting an optical disc that carries the same directory tree. Any subsequent process that loads the vulnerable OpenSSL DLLs will then parse the planted openssl.cnf.
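A practitioner checking whether a given environment is exposed wants to know two things: which OPENSSLDIR the installed OpenSSL was compiled with, and whether a standard user could create or write to it. The following script is an added example for this advisory, not code from conda-forge, Miniforge or OpenSSL. It runs `openssl version -d` (the OpenSSL subcommand that prints OPENSSLDIR), parses the path, walks up to the nearest existing ancestor directory and probes whether the current user can write there; it reports MISSING_VOLUME when not even the drive root exists, which is the case where whoever can mount media under that drive letter controls OPENSSLDIR. The sample output strings and the D:\bld\... path in them are constructed assumptions for illustration, not values taken from the advisory.

```python
"""Check whether this host's OpenSSL reads openssl.cnf from a user-controllable OPENSSLDIR.

Added example for this advisory; not code from conda-forge, Miniforge or OpenSSL.
Run it as a standard (non-administrative) user inside the conda environment,
because the question is whether *that* user can plant openssl.cnf.
"""
import os
import re
import subprocess
import tempfile

# Constructed sample outputs of `openssl version -d`. The paths are assumptions
# chosen to resemble an affected and an unaffected Windows installation.
SAMPLE_AFFECTED = 'OPENSSLDIR: "D:\\bld\\openssl_1700000000000\\_h_env\\Library\\ssl"\n'
SAMPLE_FIXED = 'OPENSSLDIR: "C:\\Users\\alice\\miniforge3\\Library\\ssl"\n'

OPENSSLDIR_RE = re.compile(r'^OPENSSLDIR:\s*"(?P<path>[^"]*)"', re.MULTILINE)


def parse_openssldir(version_output: str):
    """Extract the quoted OPENSSLDIR path from `openssl version -d` output."""
    m = OPENSSLDIR_RE.search(version_output)
    return m.group("path") if m else None


def query_openssldir(openssl_exe: str = "openssl"):
    """Ask the openssl binary on PATH (or the one given) for its OPENSSLDIR."""
    out = subprocess.run([openssl_exe, "version", "-d"],
                         capture_output=True, text=True, check=True).stdout
    return parse_openssldir(out)


def nearest_existing_ancestor(path: str):
    """Walk up until a directory exists. A missing OPENSSLDIR is only as safe as
    its first existing ancestor: if that is writable, the user can create the rest.
    Returns None when nothing on the path exists, not even the volume root."""
    cur = os.path.abspath(path)
    while not os.path.isdir(cur):
        parent = os.path.dirname(cur)
        if parent == cur:  # reached a root (e.g. D:\) that does not exist
            return None
        cur = parent
    return cur


def is_writable(directory: str) -> bool:
    """Probe by creating and deleting a temp file; os.access() ignores Windows ACLs."""
    try:
        fd, name = tempfile.mkstemp(prefix=".openssldir-probe-", dir=directory)
        os.close(fd)
        os.remove(name)
        return True
    except OSError:
        return False


def assess(ancestor, ancestor_writable: bool) -> str:
    """Classify the finding as MISSING_VOLUME, WRITABLE or OK."""
    if ancestor is None:
        # Nothing on the path exists: whoever can mount media (optical disc,
        # removable drive) under that drive letter owns OPENSSLDIR.
        return "MISSING_VOLUME"
    if ancestor_writable:
        return "WRITABLE"
    return "OK"


def check_host(openssl_exe: str = "openssl") -> dict:
    """Full check against the openssl binary on this machine."""
    openssldir = query_openssldir(openssl_exe)
    if openssldir is None:
        return {"openssldir": None, "existing_ancestor": None, "verdict": "UNKNOWN"}
    ancestor = nearest_existing_ancestor(openssldir)
    writable = is_writable(ancestor) if ancestor else False
    return {"openssldir": openssldir, "existing_ancestor": ancestor,
            "verdict": assess(ancestor, writable)}


if __name__ == "__main__":
    print(check_host())
```

Anything other than OK means a standard user can make openssl.cnf appear at the path OpenSSL trusts. The probe reflects the rights of the account running it, so a result of OK obtained while running as an administrator says nothing about non-privileged users.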
Remediation
Users should upgrade to OpenSSL packages built from the Conda-Forge OpenSSL Feedstock at commit 066e83c (2024-05-20) or later, or to Miniforge 24.5.0 or later, where this vulnerability has been addressed. Existing environments do not fix themselves when the installer is updated: update the openssl package inside each affected environment as well. To confirm the fix on a given machine, run `openssl version -d` from within the environment and verify that the reported OPENSSLDIR no longer points to a location that standard users can create or write to.
