high
7
CWE
367 362
Advisory Published
Updated

CVE-2022-4149: Local privilege escalation using log file

First published: Thu Jun 15 2023(Updated: )

The Netskope client service (prior to R96) on Windows runs as NT AUTHORITY\SYSTEM which writes log files to a writable directory (C:\Users\Public\netSkope) for a standard user. The files are created and written with a SYSTEM account except one file (logplaceholder) which inherits permission giving all users full access control list. Netskope client restricts access to this file by allowing only read permissions as a standard user. Whenever the Netskope client service restarts, it deletes the logplaceholder and recreates, creating a race condition, which can be exploited by a malicious local user to create the file and set ACL permissions on the file. Once the file is created by a malicious user with proper ACL permissions, all files within C:\Users\Public\netSkope\ becomes modifiable by the unprivileged user. By using Windows pseudo-symlink, these files can be pointed to other places in the system and thus malicious users will be able to elevate privileges.

Credit: psirt@netskope.com

Affected SoftwareAffected VersionHow to fix
Netskope<100
Microsoft Windows Operating System

Remedy

Netskope has patched the vulnerability and released a binary with a fix. Customers are recommended to upgrade their Netskope clients to v100 or later. Netskope download Instructions – Download Netskope Client and Scripts – Netskope Support https://support.netskope.com/s/article/Download-Netskope-Client-and-Scripts

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-4149?

    CVE-2022-4149 is a vulnerability in the Netskope client service on Windows, allowing a standard user to write log files to a writable directory.

  • How does CVE-2022-4149 affect Windows?

    CVE-2022-4149 affects the Netskope client service running on Windows, specifically versions prior to R96.

  • What is the severity of CVE-2022-4149?

    CVE-2022-4149 has a severity level of high with a severity value of 7.

  • How can CVE-2022-4149 be exploited?

    CVE-2022-4149 can be exploited by a standard user who is able to create and write log files in the C:\Users\Public\netSkope directory.

  • Is there a fix for CVE-2022-4149?

    Yes, updating the Netskope client service to version R96 or higher will fix CVE-2022-4149.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203