CVE-2022-4149 : The Netskope client service (prior to R96) on Windows runs as NT AUTHORITY\SYSTE

The Netskope client service (prior to R96) on Windows runs as NT AUTHORITY\SYSTEM which writes log files to a writable directory (C:\Users\Public\netSkope) for a standard user. The files are created and written with a SYSTEM account except one file (logplaceholder) which inherits permission giving all users full access control list. Netskope client restricts access to this file by allowing only read permissions as a standard user. Whenever the Netskope client service restarts, it deletes the logplaceholder and recreates, creating a race condition, which can be exploited by a malicious local user to create the file and set ACL permissions on the file. Once the file is created by a malicious user with proper ACL permissions, all files within C:\Users\Public\netSkope\ becomes modifiable by the unprivileged user. By using Windows pseudo-symlink, these files can be pointed to other places in the system and thus malicious users will be able to elevate privileges.

Published 2023-06-15 07:15:09

Updated 2023-06-30 00:08:32

Source Netskope

View at NVD, CVE.org

Products affected by CVE-2022-4149

Netskope » Netskope
Versions before (<) 100
cpe:2.3:a:netskope:netskope:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2022-4149

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 7 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-4149

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	Netskope
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-4149

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@netskope.com (Secondary)

References for CVE-2022-4149

https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2023-002

NSKPSA-2023-002 - Netskope
Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-4149

Products affected by CVE-2022-4149

Exploit prediction scoring system (EPSS) score for CVE-2022-4149

CVSS scores for CVE-2022-4149

CWE ids for CVE-2022-4149

References for CVE-2022-4149