Impact
If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation.
Patches
The bug was introduced when building and linking OpenSSL with compression, which is not used. The PR #6433 removes this compile and linking option for the dependency.
Workarounds
This bug has security impact when a system has a user-writable PATH. This is not default and can be considered by-itself a weakening of the system security. The general guidance is to restrict writability of PATH to administrators similarly-privileged accounts.
References
Please see the issue and discussion #6426
Impact
If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation.
Patches
The bug was introduced when building and linking OpenSSL with compression, which is not used. The PR #6433 removes this compile and linking option for the dependency.
Workarounds
This bug has security impact when a system has a user-writable PATH. This is not default and can be considered by-itself a weakening of the system security. The general guidance is to restrict writability of PATH to administrators similarly-privileged accounts.
References
Please see the issue and discussion #6426