CVE-2022-32223

7.3 HIGH

📋 TL;DR

Node.js on Windows is vulnerable to DLL hijacking when OpenSSL is installed and the configuration file C:\Program Files\Common Files\SSL\openssl.cnf exists. An attacker who can place a malicious providers.dll file in a directory that Node.js searches can execute arbitrary code. Only Windows users with OpenSSL installed in the default location are affected.

💻 Affected Systems

Products:
  • Node.js
Versions: All versions prior to 16.16.0, 18.5.0, and 14.20.0
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Requires OpenSSL installed with 'C:\Program Files\Common Files\SSL\openssl.cnf' present. Not vulnerable on Linux/macOS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the Node.js process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the Node.js application, allowing attackers to steal credentials, manipulate application data, or pivot to other systems.

🟢 If Mitigated

No impact if proper file permissions prevent DLL placement in vulnerable directories or if OpenSSL is not installed in the default location.

🌐 Internet-Facing: LOW - This requires local access or ability to place files on the target system, making remote exploitation unlikely without additional vulnerabilities.
🏢 Internal Only: MEDIUM - Internal attackers with access to place files in user directories could exploit this, particularly in shared or multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to place DLL in specific directories, typically requiring some level of local access or file write permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js 16.16.0, 18.5.0, or 14.20.0

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/

Restart Required: Yes

Instructions:

1. Identify current Node.js version using 'node --version'.
2. Upgrade to Node.js 16.16.0, 18.5.0, or 14.20.0 or later.
3. Restart all Node.js applications and services.

🔧 Temporary Workarounds

Remove vulnerable OpenSSL configuration (Windows)

Delete or rename the openssl.cnf file at C:\Program Files\Common Files\SSL\openssl.cnf:

del "C:\Program Files\Common Files\SSL\openssl.cnf"

Restrict DLL search paths (Windows)

Use Windows policies or application controls to restrict where Node.js can load DLLs from.

🧯 If You Can't Patch

  • Implement strict file permissions on user directories and system paths to prevent DLL placement
  • Monitor for creation of providers.dll files in unusual locations using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check whether openssl.cnf exists at C:\Program Files\Common Files\SSL\ and whether the Node.js version is below the fixed release (16.16.0, 18.5.0, or 14.20.0).

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is 16.16.0, 18.5.0, 14.20.0 or higher using 'node --version'

📡 Detection & Monitoring

Log Indicators:

  • Failed DLL loading attempts from unusual paths
  • Process creation events showing Node.exe loading providers.dll

Network Indicators:

  • Unusual outbound connections from Node.js processes post-DLL load

SIEM Query:

Process Creation where Image contains 'node.exe' and CommandLine contains 'providers.dll' OR File Creation where TargetFilename contains 'providers.dll'
