Note: this advisory has been edited to clarify that even though the consequences are different for single-user and all-user installations, the vulnerability has the same origin and requires the same fix.
Impact
The installation directory inherits permissions from its parent directory. Outside of restricted directories, these permissions are very permissive and often allow write access by authenticated users. For example, these are the permissions of the installation directory of an all-user installation during the installation process:
icacls C:\miniconda3
C:\miniconda3 BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
This means that any logged-in user can make modifications during the installation for both single-user and all-user installations. This constitutes a local attack vector if the installation is in a directory local users have access to. For single-user installations in a shared directory, these permissions persist after the installation.
This vulnerability is similar to CVE-2022-26526, which was mitigated by changing permissions for all-user installations after the installation is finished. However, the attack vector remains open during the installation and for single-user installations in shared directories.
Patches
The permissions are changed right after $INSTDIR is created. Write access is restricted to SYSTEM, Administrators, and (for single-user installations) the installing user. This ensures that all files inherit the hardened permissions as they are extracted, and that these permissions persist after the installation is finished.
Workarounds
Users can change permissions manually after the installation to remove write access for AU (Authenticated Users) and only grant write access to %USERNAME%. Inheritance should be disabled.
There is no workaround for the temporary attack vector during the installation.
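To verify that the workaround took effect, the output of icacls can be checked for write access held by anyone outside the trusted set. The following is an added example, not code from the advisory or the project; the function names and the TRUSTED set are assumptions, and the sample input is the icacls output quoted above.

```python
import re

# Constructed sample: the icacls output quoted in the advisory.
SAMPLE = r"""C:\miniconda3 BUILTIN\Administrators:(I)(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)
              NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
"""

# Principals the Patches section allows to write; for a single-user
# installation the caller adds the installing user (e.g. r"HOST\alice").
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}   # inheritance markers, not rights
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def parse_icacls(text, path):
    """Return one dict per ACE line of `icacls <path>` output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                                    # blank or status line
            continue
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        rights = {r.strip() for g in groups
                  if g not in INHERIT_FLAGS and g != "DENY" for r in g.split(",")}
        aces.append({"who": m["who"], "rights": rights, "deny": "DENY" in groups,
                     "inherited": "I" in groups})
    return aces

def unexpected_writers(text, path, trusted=TRUSTED):
    """Map each untrusted principal to the write-capable rights it holds."""
    trusted = {t.lower() for t in trusted}
    found = {}
    for ace in parse_icacls(text, path):
        hit = ace["rights"] & WRITE_RIGHTS
        if hit and not ace["deny"] and ace["who"].lower() not in trusted:
            found.setdefault(ace["who"], set()).update(hit)
    return found

def has_inherited_aces(text, path):
    """True if any ACE is inherited, i.e. inheritance is still enabled."""
    return any(a["inherited"] for a in parse_icacls(text, path))
```

On the advisory's sample this reports Authenticated Users with Modify and flags the inherited entries; a directory hardened as described should yield an empty result and no inherited ACEs.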
References
N/A