CVE-2022-4991
OpenSSL Configuration Path Traversal in Tychon
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: CERT/CC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tychon | tychon | endpoint |
| openssl | openssl | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Tychon, which includes an OpenSSL component that uses an OPENSSLDIR variable pointing to a subdirectory that an unprivileged Windows user can control.
Because Tychon runs a privileged service using this OpenSSL component, an attacker who can place a specially crafted openssl.cnf file in the specified directory can exploit this to execute arbitrary code with SYSTEM privileges.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with low privileges to escalate their privileges to SYSTEM level on a Windows system running the vulnerable Tychon version.
This means the attacker can execute arbitrary code with the highest system privileges, potentially leading to full system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the system is running a vulnerable version of Tychon that includes the affected OpenSSL component with a configurable OPENSSLDIR path. Specifically, you should verify if the Tychon Endpoint version is older than 1.7.857.82.
Additionally, you can inspect the filesystem for the presence of a specially crafted openssl.cnf file placed by an unprivileged user in the directory specified by the OPENSSLDIR variable.
Suggested commands to detect this might include:
- Check the installed Tychon Endpoint version to confirm if it is older than 1.7.857.82.
- Search for openssl.cnf files in directories that could be controlled by unprivileged users, for example using PowerShell: `Get-ChildItem -Path <OPENSSLDIR_path> -Filter openssl.cnf -Recurse`
- Review permissions on the OPENSSLDIR directory to see if unprivileged users have write access.
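The file search and permission review above, combined in one PowerShell script (an added example, not taken from the advisory or from Tychon). The `-OpenSslDir` parameter, the function name `Get-UntrustedWriteAce` and the list of trusted SIDs are assumptions made here; the page does not state the actual OPENSSLDIR value, so supply the one your installation uses.

```powershell
# Added example. Save as a .ps1 file and run from an elevated prompt.
param([Parameter(Mandatory)] [string] $OpenSslDir)   # assumption: value supplied by you

# Principals expected to hold write access (well-known SIDs).
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that let a principal create, replace or re-permission files.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-UntrustedWriteAce {
    param([string] $Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trustedSids -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeBits)
        } |
        Select-Object @{n = 'Path'; e = { $Path }},
                      @{n = 'Sid'; e = { $_.IdentityReference.Value }},
                      FileSystemRights, IsInherited
}

# If OPENSSLDIR does not exist yet, whoever may create folders in the nearest
# existing ancestor can create it, so audit that ancestor instead.
$target = $OpenSslDir
while ($target -and -not (Test-Path -LiteralPath $target)) {
    $target = Split-Path -Path $target -Parent
}
if (-not $target) { throw "No existing ancestor of '$OpenSslDir' found." }
if ($target -ne $OpenSslDir) { Write-Warning "'$OpenSslDir' is missing; auditing '$target'." }

$findings = @(Get-UntrustedWriteAce -Path $target)
$configs = @()
if (Test-Path -LiteralPath $OpenSslDir) {
    $configs = @(Get-ChildItem -LiteralPath $OpenSslDir -Filter openssl.cnf -Recurse -File -ErrorAction SilentlyContinue)
    # A config file that non-admins can rewrite is as bad as a writable directory.
    foreach ($f in $configs) { $findings += @(Get-UntrustedWriteAce -Path $f.FullName) }
}

$findings | Format-Table -AutoSize   # any row here is a write path for a non-admin principal
$configs | Select-Object FullName, LastWriteTime,
    @{n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner }} | Format-List
```

An empty first table together with an absent or administrator-owned openssl.cnf means the path is not writable by the principals checked; any row, or a file owned by a standard user account, warrants investigation.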
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tychon Endpoint to version 1.7.857.82 or later, which includes an updated OpenSSL library that resolves this vulnerability.
In the meantime, restrict write permissions on the directory specified by the OPENSSLDIR variable to prevent unprivileged users from placing malicious openssl.cnf files.
Monitor the system for any suspicious files or activity related to openssl.cnf in the OPENSSLDIR path.