CVE-2025-35471
📋 TL;DR
This vulnerability allows non-privileged local users on Windows systems to execute arbitrary code by writing a malicious openssl.cnf configuration file to a writable OPENSSLDIR path. The code executes with the privileges of any user or process loading the vulnerable openssl-feedstock DLLs. Affected systems include conda-forge openssl-feedstock before May 20, 2024 and Miniforge before version 24.5.0.
💻 Affected Systems
- conda-forge openssl-feedstock
- Miniforge
📦 What is this software?
Miniforge by Conda Forge
Openssl Feedstock by Conda Forge
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to SYSTEM or administrative privileges if a high-privilege process loads the malicious openssl.cnf file, leading to complete system compromise.
Likely Case
Local user gains code execution with the privileges of other users or services running on the same system, potentially accessing sensitive data or moving laterally.
If Mitigated
Limited impact if proper access controls prevent non-privileged users from writing to OPENSSLDIR or if vulnerable software isn't installed.
🎯 Exploit Status
Exploitation requires local user access and ability to write to the OPENSSLDIR path. The attacker must craft a malicious openssl.cnf file that will be loaded by a process using the vulnerable DLLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: openssl-feedstock commit 066e83c or later, Miniforge 24.5.0 or later
Vendor Advisory: https://github.com/conda-forge/openssl-feedstock/commit/066e83c5226bafe90a9c0575b077ce30cd5f5921
Restart Required: No
Instructions:
1. Update conda-forge openssl-feedstock to commit 066e83c or later.
2. Update Miniforge to version 24.5.0 or later.
3. Verify OPENSSLDIR path permissions are secure.
🔧 Temporary Workarounds
Restrict OPENSSLDIR permissions
Windows: Modify permissions on the OPENSSLDIR directory to prevent non-privileged users from writing files.
icacls "C:\path\to\OPENSSLDIR" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
Use alternative OpenSSL installation
Windows: Replace the vulnerable openssl-feedstock build with official OpenSSL binaries or another secure distribution. The conda package built from openssl-feedstock is named openssl.
conda remove openssl
Install OpenSSL from official sources
🧯 If You Can't Patch
- Implement strict access controls on OPENSSLDIR directory to prevent non-admin writes
- Monitor for unauthorized file creation in OPENSSLDIR paths and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
On Windows systems, check whether the installed openssl-feedstock build predates commit 066e83c or the Miniforge version is below 24.5.0, and whether the OPENSSLDIR path permissions allow non-privileged writes.
Check Version:
conda list openssl | findstr openssl
Verify Fix Applied:
Confirm openssl-feedstock is at commit 066e83c or later, or Miniforge is 24.5.0+. Verify OPENSSLDIR directory has proper restrictive permissions.
📡 Detection & Monitoring
Log Indicators:
- File creation events in OPENSSLDIR directories by non-privileged users
- Process execution from OPENSSLDIR paths
- Unexpected openssl.cnf file modifications
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%OPENSSLDIR%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')
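The log indicators and SIEM query above, written out as a filter over parsed events (an added example, not part of the original advisory or the conda-forge project). It goes slightly beyond the query by matching on SubjectUserSid and the write bits of AccessMask rather than on user name alone; the OPENSSLDIR path, the trusted-SID list and the sample events are constructed placeholders, and events are assumed to be dicts keyed by the Windows Security log field names.

```python
import ntpath

# Placeholder path (not from the advisory): use the OPENSSLDIR your build reports.
OPENSSLDIR = r"C:\example\openssl-dir"
# SIDs expected to write there. S-1-5-18 is LocalSystem; add your admin account SIDs.
TRUSTED_SIDS = {"S-1-5-18"}
# Access-mask bits that alter a file or its ACL:
# WriteData/AddFile, AppendData/AddSubdirectory, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000

def _norm(path):
    # Windows paths are case-insensitive; also collapse ".." and "/" forms.
    return ntpath.normcase(ntpath.normpath(path))

def is_suspicious(event, openssldir=OPENSSLDIR, trusted=TRUSTED_SIDS):
    """True if a 4656/4663 event shows write access under OPENSSLDIR by an untrusted SID."""
    if event.get("EventID") not in (4656, 4663):
        return False
    base, obj = _norm(openssldir), _norm(event.get("ObjectName", ""))
    if obj != base and not obj.startswith(base + "\\"):
        return False  # outside the directory (sibling names like "...-backup" too)
    if (int(event.get("AccessMask", "0x0"), 16) & WRITE_BITS) == 0:
        return False  # read-only access, e.g. a process loading openssl.cnf
    return event.get("SubjectUserSid") not in trusted

def suspicious_events(events):
    return [e for e in events if is_suspicious(e)]

# Constructed sample events; SIDs and user names are made up for illustration.
_USER = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserSid": _USER + "1001", "SubjectUserName": "alice",
     "ObjectName": r"C:\Example\OpenSSL-Dir\openssl.cnf", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserSid": _USER + "1001", "SubjectUserName": "alice",
     "ObjectName": r"C:\example\openssl-dir\openssl.cnf", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\example\openssl-dir\openssl.cnf", "AccessMask": "0x2"},
    {"EventID": 4656, "SubjectUserSid": _USER + "1003", "SubjectUserName": "carol",
     "ObjectName": r"C:\example\openssl-dir-backup\openssl.cnf", "AccessMask": "0x2"},
    {"EventID": 4656, "SubjectUserSid": _USER + "1002", "SubjectUserName": "bob",
     "ObjectName": r"C:\example\openssl-dir\certs\ca.pem", "AccessMask": "0x6"},
]

if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_EVENTS):
        print(e["EventID"], e["SubjectUserName"], e["ObjectName"], e["AccessMask"])
```

Events 4656 and 4663 are only logged when object-access auditing is enabled and an audit entry (SACL) is set on the directory.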