Executive Summary

CVE-2022-50931 is a vulnerability in TeamSpeak version 3.5.6 caused by insecure file permissions. It allows local attackers to replace critical executable files, such as ts3client_win32.exe, with malicious binaries. Because these executables have overly permissive access rights, an attacker with local access can substitute them, potentially leading to privilege escalation to SYSTEM or Administrator-level access. [2, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact by allowing a local attacker to escalate their privileges to SYSTEM or Administrator level on the affected machine. By replacing legitimate TeamSpeak executables with malicious ones, the attacker can gain full control over the system, compromising confidentiality, integrity, and availability of the system and data. [2, 4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the file permissions of critical TeamSpeak executable files such as ts3client_win32.exe, update.exe, package_inst.exe, QtWebEngineProcess.exe, and createfileassoc.exe. On Windows systems, you can use the icacls command to inspect the permissions of these files. For example, running `icacls ts3client_win32.exe` will show if the file has overly permissive access rights that allow modification by unauthorized users, indicating the presence of the vulnerability. [4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting the file permissions of the affected TeamSpeak executables to prevent unauthorized modification. This involves removing overly permissive access rights and ensuring that only SYSTEM and trusted administrator accounts have write permissions. Additionally, updating to a patched version of TeamSpeak, if available, or applying vendor-recommended fixes is advised to fully resolve the issue. [4, 2]

Useful 0 Not Useful 0