CVE-2022-25165 - OpenCVE

An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service (running as SYSTEM) processing the file. Dangerous arguments can be injected by a low-level user such as log, which allows an arbitrary destination to be specified for writing log files. This leads to an arbitrary file write as SYSTEM with partial control over the files content. This can be abused to cause an elevation of privilege or denial of service.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Aws Client Vpn

Configuration 1 [-]

cpe:2.3:a:amazon:aws_client_vpn:2.0.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/RhinoSecurityLabs/CVEs
https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-14T15:19:00

Updated: 2024-08-03T04:36:05.099Z

Reserved: 2022-02-15T00:00:00

Link: CVE-2022-25165

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-14T16:15:08.720

Modified: 2022-05-13T12:37:46.717

Link: CVE-2022-25165

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service (running as SYSTEM) processing the file. Dangerous arguments can be injected by a low-level user such as log, which allows an arbitrary destination to be specified for writing log files. This leads to an arbitrary file write as SYSTEM with partial control over the files content. This can be abused to cause an elevation of privilege or denial of service."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-14T15:19:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/RhinoSecurityLabs/CVEs"}, {"tags": ["x_refsource_MISC"], "url": "https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-25165", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service (running as SYSTEM) processing the file. Dangerous arguments can be injected by a low-level user such as log, which allows an arbitrary destination to be specified for writing log files. This leads to an arbitrary file write as SYSTEM with partial control over the files content. This can be abused to cause an elevation of privilege or denial of service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/RhinoSecurityLabs/CVEs", "refsource": "MISC", "url": "https://github.com/RhinoSecurityLabs/CVEs"}, {"name": "https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/", "refsource": "MISC", "url": "https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:05.099Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/RhinoSecurityLabs/CVEs"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-25165", "datePublished": "2022-04-14T15:19:00", "dateReserved": "2022-02-15T00:00:00", "dateUpdated": "2024-08-03T04:36:05.099Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws_client_vpn:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A46CB1FE-FD4D-46CE-9904-80F4B03AEE86", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service (running as SYSTEM) processing the file. Dangerous arguments can be injected by a low-level user such as log, which allows an arbitrary destination to be specified for writing log files. This leads to an arbitrary file write as SYSTEM with partial control over the files content. This can be abused to cause an elevation of privilege or denial of service."}, {"lang": "es", "value": "Se ha detectado un problema en Amazon AWS VPN Client versi\u00f3n 2.0.0. Se presenta una condici\u00f3n de carrera TOCTOU durante la comprobaci\u00f3n de los archivos de configuraci\u00f3n de la VPN. Esto permite que sean inyectados par\u00e1metros fuera de la lista de permisos del cliente AWS VPN en el archivo de configuraci\u00f3n antes de que el servicio del cliente AWS VPN (que ser\u00e1 ejecutado como SYSTEM) procese el archivo. Los argumentos peligrosos pueden ser inyectados por un usuario de bajo nivel como log, lo que permite especificar un destino arbitrario para escribir archivos de registro. Esto conlleva a una escritura arbitraria de archivos SYSTEM con control parcial sobre el contenido de los archivos. Esto puede ser abusado para causar una elevaci\u00f3n de privilegio o denegaci\u00f3n de servicio"}], "evaluatorComment": "At the time of analysis the advisory information and CVE List data did not consistently identify which data was applicable to CVE-2022-25166 and CVE-2022-25165. We have associated metadata based on what was published to the official CVE List.", "id": "CVE-2022-25165", "lastModified": "2022-05-13T12:37:46.717", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-14T16:15:08.720", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/RhinoSecurityLabs/CVEs"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}]}