CVE-2022-24767

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to perform DLL hijacking when the Git for Windows uninstaller runs under the SYSTEM user account. Attackers could execute arbitrary code with SYSTEM privileges by placing a malicious DLL in a location the uninstaller searches. This primarily affects Windows systems where Git for Windows is installed and the uninstaller might be executed with elevated privileges.

💻 Affected Systems

Products:
  • Git for Windows
Versions: All versions prior to Git for Windows v2.35.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when the uninstaller (unins000.exe) is executed under the SYSTEM user account, which typically requires administrative actions or specific configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM-level compromise of the Windows machine, allowing complete control, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation to SYSTEM account on affected Windows machines, enabling persistence and further exploitation.

🟢

If Mitigated

Limited impact if proper access controls prevent unauthorized users from placing files in writable directories or executing the uninstaller with SYSTEM privileges.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access or existing foothold on the system.
🏢 Internal Only: MEDIUM - Internal attackers or malware with local access could exploit this for privilege escalation, but requires specific conditions (uninstaller execution as SYSTEM).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and the ability to place a malicious DLL in a writable directory that the uninstaller searches. The vulnerability is well-documented and simple to exploit given the right conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Git for Windows v2.35.2 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24767

Restart Required: No

Instructions:

1. Download Git for Windows v2.35.2 or later from https://gitforwindows.org/
2. Run the installer to upgrade the existing installation
3. No system restart is required, but affected processes should be restarted

🔧 Temporary Workarounds

Restrict uninstaller execution

Platform: Windows

Prevent execution of the Git for Windows uninstaller (unins000.exe) with SYSTEM privileges

File system permissions hardening

Platform: Windows

Set restrictive permissions on the directories where the uninstaller searches for DLLs so that unprivileged users cannot place files there

🧯 If You Can't Patch

  • Monitor for execution of unins000.exe with SYSTEM privileges and investigate any occurrences
  • Implement application whitelisting to prevent execution of unins000.exe or restrict it to specific administrative contexts

🔍 How to Verify

Check if Vulnerable:

Check Git for Windows version: Open Git Bash and run 'git --version'. If version is earlier than 2.35.2, the system is vulnerable.

Check Version:

git --version

Verify Fix Applied:

After updating, run 'git --version' and confirm version is 2.35.2 or later. Also verify unins000.exe file properties show updated version.
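The two checks above (installed version below 2.35.2, and a DLL search location writable by ordinary users) can be scripted. The following PowerShell is an added example for this page, not code from the advisory or from the Git for Windows project. It assumes git.exe is on PATH, that the uninstaller unins000.exe sits one level above the directory containing git.exe (the usual layout), and treats the install directory as a representative DLL search location; the exact directories the uninstaller probes are not listed on this page, so the permission check is a sanity check rather than a complete audit.

```powershell
# Added example (not from the advisory): flag a Git for Windows install that is
# older than the fixed version, and warn if the install directory is writable by
# broad, non-administrative groups (a precondition for planting a DLL there).

$FixedVersion = [version]'2.35.2'   # first fixed release per the advisory

function Get-GitForWindowsVersion {
    # "git version 2.34.1.windows.1" -> [version]2.34.1 ; $null if git is absent
    $raw = & git --version 2>$null
    if (-not $raw) { return $null }
    if ($raw -match 'git version (\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-DirWritableByBroadGroups {
    param([Parameter(Mandatory)][string]$Path)
    # Principals every interactive, non-admin user belongs to
    $broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # CreateFiles (WriteData) is bit 0x2 of FileSystemRights; it is exactly the
        # right needed to drop a new file such as a DLL into the directory.
        $rights = [int]$ace.FileSystemRights
        if (($rights -band 0x2) -ne 0) { return $true }
    }
    return $false
}

# 1. Version check (the "Check if Vulnerable" step)
$ver = Get-GitForWindowsVersion
if ($null -eq $ver) {
    Write-Output 'git.exe not found on PATH; inspect the installation manually.'
} elseif ($ver -lt $FixedVersion) {
    Write-Output "Git $ver is older than $FixedVersion: affected by CVE-2022-24767, upgrade."
} else {
    Write-Output "Git $ver is at or above $FixedVersion: fix applied."
}

# 2. Permission check on the install directory (assumed layout: <install>\cmd\git.exe)
$gitCmd = Get-Command git -ErrorAction SilentlyContinue
if ($gitCmd) {
    $installDir  = Split-Path (Split-Path $gitCmd.Source -Parent) -Parent
    $uninstaller = Join-Path $installDir 'unins000.exe'
    if (Test-Path $uninstaller) {
        Write-Output "Uninstaller present: $uninstaller"
        if (Test-DirWritableByBroadGroups -Path $installDir) {
            Write-Output "WARNING: $installDir grants CreateFiles to a broad group; files can be planted there."
        } else {
            Write-Output "$installDir is not writable by Users/Authenticated Users/Everyone."
        }
    } else {
        Write-Output "No unins000.exe found under $installDir (portable install, or different layout)."
    }
}
```

Run it from an elevated or a standard PowerShell session; Get-Acl only needs read access to the directory's security descriptor. A CreateFiles grant to one of the broad groups on the install directory is the finding worth fixing under the "File system permissions hardening" workaround above, independently of whether the version check passes.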

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unins000.exe execution with SYSTEM privileges
  • Process creation events for unins000.exe with high integrity levels

Network Indicators:

  • No network indicators - this is a local privilege escalation vulnerability

SIEM Query:

ProcessName="unins000.exe" AND (IntegrityLevel="System" OR User="NT AUTHORITY\SYSTEM")
