CVE-2022-28225
📋 TL;DR
This vulnerability allows a local attacker with low privileges to execute arbitrary code with SYSTEM privileges by manipulating symbolic links during Yandex Browser updates on Windows. It affects Yandex Browser users on Windows systems. Attackers need local access to the target system to exploit this.
💻 Affected Systems
- Yandex Browser
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and full control over the Windows system.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or lateral movement within the network from a compromised user account.
If Mitigated
Limited impact if proper access controls prevent local attackers from accessing the system or if the browser is kept updated.
🎯 Exploit Status
Requires local access and knowledge of symbolic link manipulation techniques. The update process must be triggered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.3.3.684 and later
Vendor Advisory: https://yandex.com/bugbounty/i/hall-of-fame-browser/
Restart Required: Yes
Instructions:
1. Open Yandex Browser.
2. Click the menu button (three horizontal lines).
3. Select 'About Yandex Browser'.
4. The browser will automatically check for updates and install version 22.3.3.684 or higher.
5. Restart the browser when prompted.
🔧 Temporary Workarounds
Disable automatic updates
Platform: Windows. Prevents the vulnerable update process from being triggered, but leaves the system unpatched against other vulnerabilities.
Not recommended as it prevents security updates
Restrict local access
Platform: Windows. Implement strict access controls to prevent unauthorized local users from accessing systems with Yandex Browser installed.
🧯 If You Can't Patch
- Remove Yandex Browser from affected systems and use alternative browsers
- Implement application whitelisting to prevent execution of unauthorized binaries during update process
🔍 How to Verify
Check if Vulnerable:
Check the Yandex Browser version: Open browser > Menu > About Yandex Browser. If the version is below 22.3.3.684, the system is vulnerable.
Check Version:
Start Yandex Browser and navigate to yandex://help/ or check Menu > About Yandex Browser
Verify Fix Applied:
Confirm browser version is 22.3.3.684 or higher in About Yandex Browser page.
📡 Detection & Monitoring
Log Indicators:
- Unusual file operations in Yandex Browser installation directory
- Symbolic link creation in browser update paths
- Process execution with SYSTEM privileges from browser update process
Network Indicators:
- Unusual outbound connections after browser update process
SIEM Query:
Process creation events where the parent process name contains 'yandex' and the new process runs as SYSTEM, a privilege level not expected for a process spawned from the browser.
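As an added illustration of the checks above (not code from the advisory or from Yandex): the version comparison from "How to Verify" and the SIEM logic from "Detection & Monitoring", run over constructed Sysmon-style process-creation records. The file paths, the `service.exe` name and the account strings in the sample data are assumptions.

```python
import json

# Fixed version stated in the advisory; anything older is treated as vulnerable.
FIXED_VERSION = (22, 3, 3, 684)
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def is_vulnerable(version: str) -> bool:
    """Return True if a dotted Yandex Browser version string is below 22.3.3.684."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Pad short strings such as "22.3" with zeros so the tuple comparison is well defined.
    parts = parts + (0,) * (len(FIXED_VERSION) - len(parts))
    return parts < FIXED_VERSION


# Constructed Sysmon-style process-creation records (Event ID 1), not real telemetry.
# Field names follow Sysmon's schema; the paths and binary names are assumptions.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe", "User": "DESKTOP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Yandex\\YandexBrowser\\service.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""


def suspicious_system_children(events: str):
    """Flag process-creation events whose parent is a Yandex binary and whose new
    process runs as SYSTEM: the indicator the advisory lists for an escalation
    through the update process. Returns (parent_image, child_image) pairs."""
    hits = []
    for line in events.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        parent = ev.get("ParentImage", "")
        user = ev.get("User", "")
        if "yandex" in parent.lower() and user.upper() == SYSTEM_ACCOUNT.upper():
            hits.append((parent, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    print("22.3.2.100 vulnerable:", is_vulnerable("22.3.2.100"))
    for parent, child in suspicious_system_children(SAMPLE_EVENTS):
        print(f"SYSTEM child {child} spawned by {parent}")
```

A legitimate updater service also runs as SYSTEM, so a hit is a triage lead to be checked against the expected updater binary and its normal children, not proof of exploitation.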