OpenSSL Default Installation Paths Vulnerability (CVE-2019-1552) (Windows)

Technical Details

Severity Level:

Low Severity

CVSS Score:

1.9

CVSS Base Vector:
AV:L/AC:M/Au:N/C:N/I:P/A:N

Detection Type:
Remote Banner Unreliable

Solution Type:
Vendor Patch

Summary:
OpenSSL on Windows is prone to an insecure path defaults vulnerability.

Technical Details:
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that the resulting programs and libraries are installed in a Unix-like environment and that the default prefix for program installation, as well as for OPENSSLDIR, should be '/usr/local'. However, mingw programs are Windows programs, and as such find themselves looking at sub-directories of 'C:/usr/local', which may be world writable. This enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as the default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix.

Affected Versions:
OpenSSL versions 1.0.2 through 1.0.2s, 1.1.0 through 1.1.0k and 1.1.1 through 1.1.1c on Windows.
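The following script is an added defender-side check for the Technical Details and Affected Versions passages above; it is not part of this advisory, of Mageni, or of OpenSSL. It parses the banner printed by `openssl version -a` (the `OPENSSLDIR:` and `ENGINESDIR:` lines are what OpenSSL actually prints; the sample banner embedded here is constructed, not captured output), checks whether the release falls inside the affected ranges named above, and flags Unix-style default paths that, on Windows, resolve relative to the current drive (for example `C:\usr\local\ssl`). The function and variable names are this example's own.

```python
"""Defender-side check for the CVE-2019-1552 OPENSSLDIR default on Windows.

Added example, not part of the advisory or of OpenSSL itself. It reads the
`openssl version -a` banner (a constructed sample is embedded below) and
reports whether the build is in an affected version range and whether its
OPENSSLDIR / ENGINESDIR defaults are Unix-style paths that, on Windows,
resolve to drive-relative locations such as C:\\usr\\local\\ssl.
"""
import re
import subprocess
import sys

# Last affected letter release per branch, taken from the advisory text:
# 1.0.2 .. 1.0.2s, 1.1.0 .. 1.1.0k, 1.1.1 .. 1.1.1c.
AFFECTED_BRANCHES = {"1.0.2": "s", "1.1.0": "k", "1.1.1": "c"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")
_PATH_RE = re.compile(r'^(OPENSSLDIR|ENGINESDIR):\s*"([^"]*)"', re.MULTILINE)

# Constructed sample of what a vulnerable mingw64 build prints for
# `openssl version -a` (values are illustrative, not captured output).
SAMPLE_BANNER = """OpenSSL 1.1.1c  28 May 2019
built on: Tue Jun  4 10:00:00 2019 UTC
platform: mingw64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -m64 -DL_ENDIAN -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1_1"
"""


def parse_version(banner):
    """Return (base, suffix) from the first line, e.g. ('1.1.1', 'c')."""
    m = _VERSION_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def version_affected(base, suffix):
    """True for releases inside the advisory's affected ranges.

    Letter suffixes sort lexicographically ('' for the .0 release, then
    'a' .. 'z', then 'za' ...), which matches OpenSSL's release order."""
    last = AFFECTED_BRANCHES.get(base)
    return last is not None and suffix <= last


def parse_default_paths(banner):
    """Return {'OPENSSLDIR': ..., 'ENGINESDIR': ...} as printed by -a."""
    return {name: path for name, path in _PATH_RE.findall(banner)}


def is_drive_relative_default(path):
    """A Unix-style absolute path has no drive letter, so on Windows it is
    interpreted relative to the current drive (e.g. C:\\usr\\local\\ssl)."""
    return path.startswith("/")


def windows_path_for(path, drive="C:"):
    """Where a drive-relative default lands on the given drive."""
    return drive + path.replace("/", "\\")


def assess(banner, on_windows):
    """Combine the version and path checks into one verdict for a banner."""
    ver = parse_version(banner)
    paths = parse_default_paths(banner)
    bad_paths = {name: windows_path_for(path) for name, path in paths.items()
                 if on_windows and is_drive_relative_default(path)}
    affected = ver is not None and version_affected(*ver)
    return {
        "version": ver,
        "version_affected": affected,
        "drive_relative_defaults": bad_paths,
        # Exposure needs both: an affected build and a default that lands
        # where an unprivileged local user may be able to create it.
        "vulnerable": affected and bool(bad_paths),
    }


if __name__ == "__main__":
    # Live mode: query the openssl binary on PATH; fall back to the sample.
    try:
        banner = subprocess.run(["openssl", "version", "-a"],
                                capture_output=True, text=True,
                                check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        banner = SAMPLE_BANNER
    print(assess(banner, on_windows=sys.platform.startswith("win")))
```

Run it on each Windows host that ships its own OpenSSL build; a `vulnerable: True` verdict means the build should be updated or rebuilt with an explicit --prefix/--openssldir under a directory whose ACL only administrators can write, and the reported drive-relative paths should be checked for unexpected files (openssl.cnf, CA certificates, engine DLLs) created by non-administrative accounts.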

Recommendations:
Apply the provided patches or update to a newer version.

Family:

General

Creation Time:

2019-08-14 06:03:58

Modification Time:

2019-08-14 09:16:05

Find and Fix this Vulnerability:

Mageni can help you to find out if you have this or more vulnerabilities exposing you to hackers, ransomware and malware: Download Mageni's Free Edition

NVD CVE ID:
CVE-2019-1552

Don't pay for a vulnerability scanning and management platform. This one is free.

Mageni provides a free vulnerability scanning and management platform which helps you find, prioritize, remediate and manage your vulnerabilities.