CVE-2022-4149
📋 TL;DR
This vulnerability allows a local unprivileged Windows user to exploit a race condition in the Netskope client service to gain SYSTEM-level privileges. The flaw exists in how the service handles log file permissions during restarts, enabling privilege escalation through file manipulation. Affected users are those running Netskope client versions prior to R96 on Windows systems.
💻 Affected Systems
- Netskope Client
📦 What is this software?
Netskope by Netskope
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local user escalates privileges to SYSTEM level, allowing installation of malware, credential harvesting, and bypassing security controls.
If Mitigated
Attack requires local access and specific timing conditions; with proper monitoring, exploitation attempts could be detected before full compromise.
🎯 Exploit Status
Exploitation requires local user access and precise timing (race condition), but the technique is well-documented for similar Windows privilege escalation vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R96 and later
Vendor Advisory: https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2023-002
Restart Required: Yes
Instructions:
1. Download Netskope client version R96 or later from official sources.
2. Install the updated client.
3. Restart the system to ensure the new service configuration takes effect.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Manually set restrictive permissions on the vulnerable directory to prevent exploitation
icacls "C:\Users\Public\netSkope" /inheritance:r
icacls "C:\Users\Public\netSkope" /grant SYSTEM:F
icacls "C:\Users\Public\netSkope" /deny Users:(OI)(CI)F
Disable Netskope client service
Windows: Temporarily disable the vulnerable service if Netskope functionality is not critical
sc config nsclient start= disabled
sc stop nsclient
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to vulnerable systems
- Enable detailed auditing on the C:\Users\Public\netSkope directory and monitor for suspicious file creation/modification events
🔍 How to Verify
Check if Vulnerable:
Check Netskope client version: Open Netskope client UI or check installed programs list. If version is earlier than R96, system is vulnerable.
Check Version:
wmic product where "name like 'Netskope%'" get version
Verify Fix Applied:
Verify Netskope client version is R96 or later and check that directory permissions on C:\Users\Public\netSkope are properly restricted.
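One way to script the directory-permission part of this check, as an added PowerShell example that is not from the vendor advisory or from this page. The helper name `Get-RiskyAce` and the rule that only SYSTEM and Administrators should hold write-type rights on the directory are assumptions of the example.

```powershell
# Added example (not vendor code): list ACEs on the Netskope log directory that
# let a principal other than SYSTEM or Administrators modify its contents.
# Assumption: only those two principals should hold write-type rights here.
param([string]$Path = 'C:\Users\Public\netSkope')

# Rights that allow creating, replacing, deleting or re-permissioning files.
$specific = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE and GENERIC_ALL, which can appear on inherit-only ACEs.
$generic = 0x40000000 -bor 0x10000000
$mask = $specific -bor $generic

# Well-known SIDs: NT AUTHORITY\SYSTEM and BUILTIN\Administrators.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-RiskyAce {
    param([string]$Dir)
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        # Deny ACEs and read-only ACEs do not grant the ability to tamper.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolved account: keep raw name
        }
        if ($trustedSids -contains $sid) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "$Path not present; nothing to audit."
    return
}
$risky = @(Get-RiskyAce -Dir $Path)
if ($risky.Count -eq 0) {
    Write-Output "OK: only SYSTEM/Administrators can modify $Path"
} else {
    Write-Output "REVIEW: other principals hold write-type rights on ${Path}:"
    $risky | Format-Table -AutoSize
}
```

The script inspects only the directory's own ACL; files already present inside it carry their own ACLs and need the same review.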
📡 Detection & Monitoring
Log Indicators:
- Multiple rapid file creation/deletion events in C:\Users\Public\netSkope
- Unexpected service restarts of Netskope client
- Permission changes on files in the vulnerable directory
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
EventID=4663 AND ObjectName LIKE '%C:\Users\Public\netSkope%' AND Accesses='WriteData (or AddFile)'