CVE-2022-26526

7.8 HIGH

📋 TL;DR

This vulnerability allows local users to escalate privileges by placing malicious executable files in a world-writable directory that gets added to the system PATH during Anaconda/Miniconda installation. It affects users who performed non-default installations for 'all users' with PATH modification enabled.

💻 Affected Systems

Products:
  • Anaconda3
  • Miniconda3
Versions: Anaconda3 through 2021.11.0.0, Miniconda3 through 4.11.0.0
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the 'Install for all users' AND 'Add Anaconda to my PATH environment variable' options are both selected during a non-default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attackers gain SYSTEM/root privileges by planting Trojan horse executables that get executed with elevated permissions.

🟠 Likely Case

Malicious local users or malware with user-level access escalate to administrative privileges on affected systems.

🟢 If Mitigated

No impact if installations use default settings or don't modify system PATH.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing access to the system.
🏢 Internal Only: HIGH - Significant risk in multi-user environments where local users could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access and knowledge of the vulnerable directory location. Proof of concept details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Anaconda3 2022.05+, Miniconda3 4.12.0+

Vendor Advisory: https://github.com/continuumio/anaconda-issues/issues

Restart Required: No

Instructions:

1. Update to latest Anaconda3 (2022.05+) or Miniconda3 (4.12.0+).
2. Run installer with administrative privileges.
3. Remove old vulnerable directory from PATH if present.

🔧 Temporary Workarounds

Remove vulnerable directory from PATH

windows

Remove the world-writable Anaconda directory from system PATH environment variable

Remove C:\ProgramData\Anaconda3\Scripts or similar from system PATH via System Properties > Advanced > Environment Variables

Restrict directory permissions

windows

Change permissions on the vulnerable directory to prevent unauthorized writes

icacls "C:\ProgramData\Anaconda3\Scripts" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"

🧯 If You Can't Patch

  • Remove the vulnerable Anaconda directory from system PATH environment variable
  • Set restrictive permissions on C:\ProgramData\Anaconda3\Scripts directory to prevent unauthorized writes

🔍 How to Verify

Check if Vulnerable:

Check whether C:\ProgramData\Anaconda3\Scripts (or a similar directory) exists, has world-writable permissions, and is in the system PATH.

Check Version:

conda --version

Verify Fix Applied:

After the update, verify that the directory permissions are restricted and that PATH no longer contains the vulnerable directory.
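
One way to run the "Check if Vulnerable" and "Verify Fix Applied" steps against every machine-level PATH entry instead of a single assumed install path. This is an added example, not part of the original advisory or any vendor tooling; the function name Get-WritablePathEntry and the choice of Everyone, Authenticated Users and BUILTIN\Users as the "world-writable" groups are assumptions.

```powershell
# Added example, not vendor code: report machine-PATH directories that broad,
# non-administrative groups can write to. Read-only; it changes nothing.

# Assumption: "world-writable" is tested against these well-known SIDs:
# Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Bits that allow creating files (WriteData) or subdirectories (AppendData).
# Modify and FullControl include both, so the bit test covers them too.
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-WritablePathEntry {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    foreach ($entry in ($PathValue -split ';' | Where-Object { $_.Trim() })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            # Skip ACEs that only apply to children, and anything that is not an Allow.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }

            if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

$findings = @(Get-WritablePathEntry)
if ($findings.Count -eq 0) {
    'No machine PATH directory is writable by the groups checked.'
} else {
    $findings | Sort-Object Directory, Sid | Format-Table -AutoSize
}
```

Any Anaconda or Miniconda directory listed in the output matches the condition described above; after the update or either workaround it should no longer appear.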

📡 Detection & Monitoring

Log Indicators:

  • Unexpected executable creation in Anaconda Scripts directory
  • Process execution from C:\ProgramData\Anaconda3\Scripts with elevated privileges

Network Indicators:

  • None - local privilege escalation only

SIEM Query:

Process creation where ImagePath contains 'ProgramData\\Anaconda3\\Scripts' AND IntegrityLevel >= High
