OpenSSL Default Installation Paths Vulnerability (CVE-2019-1552) (Windows)
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
OpenSSL on Windows is prone to an insecure default path vulnerability: the directory tree it trusts for its configuration file, CA certificates and engine modules may be writable (or creatable) by unprivileged users.
Insight
OpenSSL has internal defaults for a directory tree where it finds its configuration file (openssl.cnf) as well as the certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR and is set at build time with the --prefix / --openssldir configuration options.

For OpenSSL 1.1.0 and 1.1.1, the mingw configuration targets assume that the resulting programs and libraries are installed in a Unix-like environment, so the default prefix for program installation as well as for OPENSSLDIR is '/usr/local'. However, mingw programs are Windows programs, and as such they end up looking at sub-directories of 'C:/usr/local'. That location may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, and modify (or even replace) existing engine modules.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as the default OPENSSLDIR on all Unix and Windows targets, including Visual C builds. Some build instructions for the various Windows targets on 1.0.2 do encourage specifying your own --prefix, so whether a given 1.0.2 installation is exposed depends on how it was built.

The OpenSSL project assessed the issue as low severity because of the limited scope of affected deployments and, at the time of the advisory, fixed it in git without issuing new releases.
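A practical check for the condition described above, added here as an example (it is not part of the Mageni plugin or of OpenSSL itself): read OPENSSLDIR and ENGINESDIR from `openssl version -a`, map a Unix-style default to the Windows location a mingw build actually opens (assuming drive C:, as in the advisory's 'C:/usr/local'), and parse `icacls` output for allow-ACEs that give broad groups a write right, checking the nearest existing ancestor when the directory does not exist yet. The command outputs embedded in the block are constructed samples, the group names are the English ones icacls prints, and the function names are this example's own.

```python
# CVE-2019-1552 exposure check (added example; not Mageni or OpenSSL code): can an
# unprivileged Windows user create or replace files where an OpenSSL build looks?
import os
import re
import subprocess

# icacls rights that let a principal add or replace files in a directory: F full, M modify,
# W write, GA/GW generic all/write, WD create file, AD create subdirectory, DC delete child.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC"}
# Groups every user belongs to, as icacls names them on an English install (assumption).
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
_DIR_LINE = re.compile(r'^(OPENSSLDIR|ENGINESDIR):\s*"([^"]*)"', re.M)
_ACE_LINE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed sample: `openssl version -a` from a 1.1.1c mingw64 build.
SAMPLE_VERSION_MINGW = """OpenSSL 1.1.1c  28 May 2019
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1_1"
"""
# Constructed sample: `icacls C:\` as on a default Windows 10 install, the ancestor
# that gets checked when C:\usr does not exist yet.
SAMPLE_ICACLS_ROOT = r"""C:\ NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files"""

def parse_openssl_dirs(version_output):
    """{"OPENSSLDIR": ..., "ENGINESDIR": ...} as printed by `openssl version -a`."""
    return dict(_DIR_LINE.findall(version_output))

def to_windows_path(path, drive="C:"):
    """mingw opens /usr/local/ssl as <drive>/usr/local/ssl; C: assumed (advisory: 'C:/usr/local')."""
    if not re.match(r"^[A-Za-z]:", path):
        path = drive + path
    return path.replace("/", "\\")

def parse_icacls(output, queried_path):
    """(principal, rights tokens) pairs from `icacls <path>` output; icacls prints
    the queried path before the first ACE and a summary line at the end."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(queried_path.lower()):
            line = line[len(queried_path):].strip()
        m = _ACE_LINE.match(line)
        if m:
            groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
            aces.append((m.group("principal"), [t.strip() for g in groups for t in g.split(",")]))
    return aces

def unprivileged_writers(aces):
    """Broad principals whose allow-ACE carries at least one write right."""
    hits = []
    for principal, tokens in aces:
        if "DENY" in tokens or principal not in BROAD_PRINCIPALS:
            continue
        rights = sorted(WRITE_RIGHTS.intersection(tokens))
        if rights:
            hits.append((principal, rights))
    return hits

def nearest_existing(path):
    """Absent directory: the ACL that matters is the nearest existing ancestor's."""
    while path and not os.path.isdir(path):
        parent = os.path.dirname(path.rstrip("\\"))
        if parent == path:
            break
        path = parent
    return path

def assess(version_output, icacls_by_path):
    """Pure evaluation over captured output: icacls_by_path maps each checked
    directory to its icacls text; one finding per (dir, principal, rights)."""
    findings = []
    for name, unix_path in parse_openssl_dirs(version_output).items():
        win_path = to_windows_path(unix_path)
        matches = [p for p in icacls_by_path if win_path.lower().startswith(p.lower())]
        if matches:
            checked = max(matches, key=len)  # longest matching prefix wins
            for principal, rights in unprivileged_writers(parse_icacls(icacls_by_path[checked], checked)):
                findings.append(f"{name}={win_path}: {principal} has {','.join(rights)} on {checked}")
    return findings

def main():  # live check, run on the Windows host itself
    version_output = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True, check=True).stdout
    icacls_by_path = {}
    for unix_path in parse_openssl_dirs(version_output).values():
        checked = nearest_existing(to_windows_path(unix_path))
        icacls_by_path[checked] = subprocess.run(["icacls", checked], capture_output=True, text=True).stdout
    for line in assess(version_output, icacls_by_path) or ["no unprivileged write access found"]:
        print(line)

if __name__ == "__main__":
    main()
```

Run on the host, the script reports which OpenSSL directory, which group and which right are involved. The sample root ACL shows why a missing 'C:\usr\local\ssl' is the dangerous case: Authenticated Users hold (AD) on 'C:\' and inherit (M) on whatever gets created beneath it, so any user can create the whole tree and drop an openssl.cnf or engine module into it. An empty result does not mean the build is patched; it means the directories it reads are not writable by unprivileged users, which is the mitigation the solution below relies on.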
Affected Software
OpenSSL versions 1.0.2 through 1.0.2s, 1.1.0 through 1.1.0k and 1.1.1 through 1.1.1c on Windows.
Solution
Apply the provided patches (the commits referenced below) or update to a release that contains the fix: OpenSSL 1.1.1d, 1.1.0l or 1.0.2t. Until then, do not leave OPENSSLDIR at a location that unprivileged users can write to or create: build with an explicit --prefix / --openssldir under a directory such as 'C:\Program Files', or make sure the default tree exists and is writable by administrators only.
Common Vulnerabilities and Exposures (CVE)
CVE-2019-1552
References
- https://www.openssl.org/news/secadv/20190730.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c14
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a