CVE-2022-26488
📋 TL;DR
This CVE allows local Windows users to escalate privileges by hijacking the system search path. The Python installer on Windows can incorrectly add user-writable directories to PATH during repair operations, enabling attackers to execute malicious code with higher privileges. Affects Python installations where an administrator installed for all users with PATH modifications enabled.
💻 Affected Systems
- Python (CPython)
📦 What is this software?
Ontap Select Deploy Administration Utility by Netapp
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to SYSTEM or administrator privileges, allowing complete system compromise, data theft, and persistence establishment.
Likely Case
Local privilege escalation to higher user privileges, enabling lateral movement, data access, and installation of malware.
If Mitigated
Limited to user-level impact with proper access controls and monitoring preventing privilege escalation.
🎯 Exploit Status
Exploitation requires local user access and ability to trigger Python installer repair. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 3.10.3, 3.9.11, 3.8.13, 3.7.13
Vendor Advisory: https://mail.python.org/archives/list/security-announce@python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/
Restart Required: No
Instructions:
1. Download and install a patched Python version from python.org.
2. Uninstall vulnerable Python versions.
3. Verify that the PATH environment variable doesn't contain user-writable directories.
🔧 Temporary Workarounds
Remove user-writable directories from PATH
Windows: Manually audit and remove any user-writable directories from the system PATH environment variable (note that `setx` without `/M` rewrites only the current user's PATH, and it truncates values longer than 1024 characters).
echo %PATH%
setx PATH "modified_path_without_user_writable_dirs"
Restrict repair operations
Windows: Prevent non-administrative users from running Python installer repair operations
icacls "C:\Program Files\Python*" /deny Users:(OI)(CI)R
🧯 If You Can't Patch
- Audit and remove user-writable directories from system PATH environment variable
- Implement strict access controls to prevent non-administrative users from modifying Python installation directories
🔍 How to Verify
Check if Vulnerable:
Check the Python version with `python --version` and verify whether it is in the affected range. Check whether Python was installed for all users with PATH modifications enabled.
Check Version:
python --version
Verify Fix Applied:
Verify that the Python version is 3.10.3+, 3.9.11+, 3.8.13+, or 3.7.13+. Check that the PATH environment variable doesn't contain user-writable directories.
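The PATH audit called for in step 3 of the fix instructions and in the "Verify Fix Applied" check above can be scripted. The following is an added example, not part of this advisory or of CPython: it walks the machine-wide PATH and flags entries that grant write rights to broad non-administrative principals (the list of principals is an assumption you may extend), or that do not exist at all (a missing entry can be created later by whoever can write to its parent). It assumes an elevated Windows PowerShell 5.1 or newer session.

```powershell
# Added example (not from the advisory): audit the machine-wide PATH for
# directories that non-admin principals can write to. Assumes an elevated session.
$broadPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)   # assumed set of "anyone local" identities; extend for your environment

# Any of these rights lets a principal drop a file into the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

# Read the system PATH (HKLM), not the merged process PATH, so user entries
# do not hide or mask what every account on the host inherits.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = $machinePath -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Where-Object { $_ -ne '' }

foreach ($dir in $entries) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Output "MISSING   $dir"
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
    if ($risky) {
        $who = ($risky | ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique) -join ', '
        Write-Output "WRITABLE  $dir   (writable by: $who)"
    } else {
        Write-Output "ok        $dir"
    }
}
```

Any line marked WRITABLE or MISSING is a candidate for removal from the system PATH, or for tightening its ACL so that only administrators can write to it.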
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Python installer repair operations by non-administrative users
- Process creation events for python.exe from unexpected directories
Network Indicators:
- No network indicators - local privilege escalation
SIEM Query:
EventID=4688 AND (ProcessName="python.exe" OR CommandLine LIKE "%repair%") AND SubjectUserName NOT IN (admin_users_list)
🔗 References
- https://mail.python.org/archives/list/security-announce%40python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/
- https://security.netapp.com/advisory/ntap-20220419-0005/