Incorrect default permissions in OpenSSL - CVE-2019-1552

 

Incorrect default permissions in OpenSSL - CVE-2019-1552

Published: July 30, 2019


Vulnerability identifier: #VU19563
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-1552
CWE-ID: CWE-276
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL

Detailed vulnerability description

The vulnerability allows a local user to bypass security restrictions.

The vulnerability exists due to OpenSSL uses insecure by default directory with potentially insecure permissions for the OPENSSLDIR on Windows. A local user can modify OpenSSL's default configuration within the 'C:/usr/local' folder, insert CA certificates, modify (or even replace) existing engine modules and bypass security restrictions, based on OpenSSL security mechanisms. 


How to mitigate CVE-2019-1552

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

As a mitigation, before official software release, it is recommended to use these commits:

- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e
- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and
  b15a19c148384e73338aa7c5b12652138e35ed28
- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd

Sources