CVE-2022-25372 Overview
CVE-2022-25372 is a local privilege escalation vulnerability affecting Pritunl Client through version 1.2.3019.52 on Windows systems. The vulnerability stems from an insecure Access Control List (ACL) entry for CREATOR OWNER in the platform_windows.go file, which allows a local attacker with low privileges to escalate their access to SYSTEM-level permissions.
Critical Impact
Local attackers can exploit improper ACL permissions in Pritunl VPN Client to gain full SYSTEM privileges on Windows systems, potentially compromising the entire host and any connected VPN infrastructure.
Affected Products
- Pritunl pritunl-client-electron (versions through 1.2.3019.52)
- Windows hosts running an affected Pritunl Client build; the defect is in the client's Windows-specific service code, not in Windows itself
Discovery Timeline
- 2022-02-20 - CVE-2022-25372 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-25372
Vulnerability Analysis
This vulnerability falls under CWE-269 (Improper Privilege Management). The Pritunl service, which runs as SYSTEM, applies a DACL to the paths it manages at runtime, and that DACL granted GENERIC_ALL to CREATOR OWNER. CREATOR OWNER (SID S-1-3-0) is a placeholder principal rather than a real account: an inheritable entry for it grants nothing on the directory itself, but whenever an object is created beneath that directory, or the ACL is propagated to objects already there, Windows copies the entry onto the object with the creator's (or owner's) SID substituted.
Any user who can place an object under one of these paths therefore ends up with full control of it, including objects the SYSTEM service later reads, writes or executes. That is the escalation lever: the attacker controls content the service trusts because it sits inside the service's own directory tree, and the service processes it in an elevated context.
Root Cause
The root cause is an overly permissive ACL applied by the Windows platform-specific code (service/platform/platform_windows.go). Because the service sets this ACL itself during operation, the flaw was reintroduced on every run regardless of what the installer or the parent directory specified. Granting CREATOR OWNER GENERIC_ALL meant that any user who created objects within the service's controlled paths gained full control over those objects, which violates the principle of least privilege: standard users should hold no write or full-control rights over resources a SYSTEM service consumes.
Attack Vector
The attack vector is local, requiring the attacker to have an existing low-privilege session on the target Windows system. The exploitation flow involves:
- Identifying the directories the service applies this ACL to and in which a standard user can create, or already owns, files or subdirectories
- Creating (or already owning) objects there, so that the inherited CREATOR OWNER entry materializes as a full-control entry for the attacker's own account
- Using that full control to replace or modify files or components the service consumes
- Gaining execution as SYSTEM when the service processes the manipulated resource
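The following script is an added demonstration of the mechanism described in the Root Cause and Attack Vector sections; it is not Pritunl code and does not reproduce the exploit chain. It builds a scratch directory, applies the two ACL layouts (with and without the CREATOR OWNER entry) the way the service's acl.Apply call would, and shows which principals end up with full control of a file a standard user had already placed there. Run it as a normal, non-elevated user: an elevated session owns new objects as BUILTIN\Administrators, which masks the effect.

```powershell
# Added demonstration (not Pritunl code): an inheritable CREATOR OWNER full-control ACE on a
# directory becomes a full-control ACE for the owner of each object beneath it.

$WK = [System.Security.Principal.WellKnownSidType]
$SystemSid       = New-Object System.Security.Principal.SecurityIdentifier($WK::LocalSystemSid, $null)
$AdminsSid       = New-Object System.Security.Principal.SecurityIdentifier($WK::BuiltinAdministratorsSid, $null)
$CreatorOwnerSid = New-Object System.Security.Principal.SecurityIdentifier($WK::CreatorOwnerSid, $null)  # S-1-3-0

function New-FullControlRule([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Full control, propagated to sub-containers and objects: the .NET form of
    # acl.GrantName(windows.GENERIC_ALL, ...) in the Go code.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Test-CreatorOwnerMaterialization([bool]$IncludeCreatorOwner) {
    # Returns the principals, other than SYSTEM and Administrators, that hold inherited full control
    # over a file under the directory after the ACL has been applied.
    $root = Join-Path $env:TEMP ('creator-owner-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $root | Out-Null
    try {
        # 1. A standard user already has an object under the service path (constructed sample file).
        $file = Join-Path $root 'profile.conf'
        Set-Content -LiteralPath $file -Value 'constructed sample content'

        # 2. The service (re)applies its ACL: empty DACL, parent inheritance blocked, then the entries.
        #    Mirrors acl.Apply(pth, replace=true, inherit=false, entries...) from platform_windows.go.
        $principals = @($SystemSid, $AdminsSid)
        if ($IncludeCreatorOwner) { $principals += $CreatorOwnerSid }   # vulnerable layout
        $acl = New-Object System.Security.AccessControl.DirectorySecurity
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($sid in $principals) { $acl.AddAccessRule((New-FullControlRule $sid)) }
        Set-Acl -LiteralPath $root -AclObject $acl

        # 3. Windows propagates the directory's inheritable ACEs to the existing file and, for
        #    CREATOR OWNER, substitutes the file's owner. Report any inherited full-control entry
        #    held by a principal other than the two intended ones.
        $intended = @($SystemSid, $AdminsSid)
        $unexpected = (Get-Acl -LiteralPath $file).Access | Where-Object {
            $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band 0x1F01FF) -eq 0x1F01FF -and
            ($intended -notcontains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]))
        }
        return @($unexpected | ForEach-Object { $_.IdentityReference.Value })
    }
    finally {
        # The demo account owns $root and so keeps WRITE_DAC even under the restrictive layout:
        # restore inheritance from %TEMP% and delete the scratch tree.
        $reset = New-Object System.Security.AccessControl.DirectorySecurity
        $reset.SetAccessRuleProtection($false, $false)
        Set-Acl -LiteralPath $root -AclObject $reset
        Remove-Item -LiteralPath $root -Recurse -Force
    }
}

$vuln  = Test-CreatorOwnerMaterialization -IncludeCreatorOwner $true
$fixed = Test-CreatorOwnerMaterialization -IncludeCreatorOwner $false
"Vulnerable layout: inherited full control on profile.conf for [$($vuln -join ', ')]"
"Patched layout:    inherited full control on profile.conf for [$($fixed -join ', ')]"
```

With the vulnerable layout the first line names the account that ran the script; with the patched layout the list is empty, because only SYSTEM and Administrators are propagated. Note what the demonstration does not change: the owner of a file keeps implicit WRITE_DAC under either layout, so content a user already owns under a service path has to be removed or re-owned, not merely re-ACLed, to take it out of that user's hands.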
The following patch shows how the vulnerability was remediated by removing the CREATOR OWNER entry:
pth,
true,
false,
- acl.GrantName(windows.GENERIC_ALL, "CREATOR OWNER"),
acl.GrantName(windows.GENERIC_ALL, "SYSTEM"),
acl.GrantName(windows.GENERIC_ALL, "Administrators"),
)
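Review bot: removing the CREATOR OWNER entry from this entry list covers objects created from now on, but objects that already exist under pth are a gap: a file a local user created earlier inherited that ACE with the user's own SID substituted, and the user is also that file's owner, which implicitly grants WRITE_DAC whatever the new list says. Since the call is made with replace set to true (the second argument), confirm that re-applying it re-propagates inherited entries to the whole subtree, and have the upgrade path delete or re-own user-created content under pth rather than rely on the new entry list alone. Keeping inherit at false (the third argument) is right; re-enabling parent inheritance could pull the parent's default inheritable entries back in, and on parents such as C:\ProgramData those include a CREATOR OWNER full-control ACE.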
Source: GitHub Commit Details
Detection Methods for CVE-2022-25372
Indicators of Compromise
- Unexpected file modifications in Pritunl Client installation directories
- Anomalous process spawning from the Pritunl service with non-standard child processes
- Changes to ACL configurations on Pritunl-related files or directories by non-administrative users
Detection Strategies
- Monitor the Windows Security log with file-system auditing enabled on the Pritunl paths: Event ID 4670 (permissions on an object were changed), 4663 (an attempt was made to access an object) for writes by non-service accounts, and 4688 (process creation) for children of the Pritunl service process. Event ID 4672 fires on every administrative or service logon and is too noisy to use on its own
- Implement file integrity monitoring on Pritunl Client installation paths
- Use endpoint detection solutions to identify suspicious process chains originating from VPN client services
- Audit ACL configurations on service-related directories for overly permissive entries
Monitoring Recommendations
- Enable detailed auditing on the Pritunl Client service directory
- Configure alerts for any SYSTEM-level process execution that deviates from normal Pritunl operational patterns
- Deploy behavioral detection rules for local privilege escalation techniques targeting VPN clients
How to Mitigate CVE-2022-25372
Immediate Actions Required
- Update Pritunl Client to a release newer than 1.2.3019.52, the last affected version
- Audit existing Windows systems running Pritunl Client to identify vulnerable installations
- Review ACL configurations on Pritunl service directories and files
- Consider temporarily disabling the Pritunl Client on sensitive systems until patching is complete
Patch Information
Pritunl has released a patch that removes the insecure CREATOR OWNER ACL entry. The fix is documented in the GitHub Change Log Entry and the specific code changes can be reviewed in the GitHub Commit Details. Organizations should upgrade to a release newer than 1.2.3019.52 and, because the service applies its ACL at runtime, restart the service (or reboot) after upgrading so the corrected ACL takes effect.
Workarounds
- Manually remove the inheritable CREATOR OWNER entry from the Pritunl service directories, then re-check child objects: entries already materialized for a user's own SID, and any entry that user added as owner, are not undone by editing the parent. Expect the unpatched service to re-apply its own ACL at runtime, so treat this as a stopgap and re-verify after each service restart
- Restrict local user access to systems running Pritunl Client until patching is feasible
- Implement application control (for example WDAC or AppLocker) so that content a standard user can write under the service paths cannot be loaded as code in the service context
# Verify Pritunl Client version on Windows (PowerShell); builds up to and including 1.2.3019.52 are affected.
# Both the native and the WOW6432Node uninstall keys are checked in case the client registered as 32-bit.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*Pritunl*" } |
    Select-Object DisplayName, DisplayVersion
# Check ACLs on the Pritunl installation directory recursively, then filter for the vulnerable entry.
# "CREATOR OWNER:(OI)(CI)(IO)(F)" or "(GA)" is the inheritable full-control entry the patch removed.
# Repeat for the directory the service applies its ACL to if that differs from the install path.
icacls "C:\Program Files\Pritunl" /T
icacls "C:\Program Files\Pritunl" /T | Select-String "CREATOR OWNER"
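The script below is an added example serving both the Detection Strategies and the Workarounds sections; it is not part of the advisory or of Pritunl. It audits the Pritunl directories for the ACL pattern behind this CVE (and for full control held by any principal other than SYSTEM, Administrators or TrustedInstaller), pulls the matching Event ID 4670 records from the Security log, and can remove the inheritable CREATOR OWNER entry as a stopgap. The two paths, and the property positions used to read 4670 events, are assumptions: the advisory does not name the directory the service applies its ACL to.

```powershell
# Added example (not from the advisory or from Pritunl): audit, event lookup and stopgap
# remediation for the CVE-2022-25372 ACL pattern. Paths and 4670 property indices are assumptions.

$FullControlMask = 0x1F01FF      # FILE_ALL_ACCESS, how full control is stored once generic rights are mapped
$GenericAll      = 0x10000000    # GENERIC_ALL, how windows.GENERIC_ALL is stored when left unmapped
$CreatorOwnerSid = 'S-1-3-0'
$AllowedSids     = @('S-1-5-18', 'S-1-5-32-544',                                          # SYSTEM, Administrators
                     'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')     # TrustedInstaller

function Test-FullControl($Rights) {
    $r = [int]$Rights
    return (($r -band $GenericAll) -ne 0) -or (($r -band $FullControlMask) -eq $FullControlMask)
}

function Get-AceSid($Ace) {
    try { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Ace.IdentityReference.Value }   # orphaned or unresolvable SID: keep the raw value
}

function Find-RiskyAce {
    # One object per suspicious ACE: the CVE pattern itself on a directory, or full control for a principal
    # outside the allow list (a materialized CREATOR OWNER entry shows up this way on child objects).
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $items = @(Get-Item -LiteralPath $p) + @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $sid = Get-AceSid $ace
                $reason = $null
                if ($sid -eq $CreatorOwnerSid -and $ace.InheritanceFlags -ne 'None') {
                    $reason = 'inheritable CREATOR OWNER entry (CVE-2022-25372 pattern)'
                } elseif ($sid -ne $CreatorOwnerSid -and $AllowedSids -notcontains $sid -and (Test-FullControl $ace.FileSystemRights)) {
                    $reason = 'full control held by a non-admin principal'
                }
                if ($reason) {
                    [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference.Value; Sid = $sid
                                       Rights = $ace.FileSystemRights.ToString(); Inherited = $ace.IsInherited; Reason = $reason }
                }
            }
        }
    }
}

function Get-PermissionChangeEvent {
    # Event 4670 ("Permissions on an object were changed"). Requires the "Audit File System" subcategory
    # and a SACL on the directory. Property positions 1 (subject), 6 (object), 8/9 (old/new SDDL) are assumed.
    param([Parameter(Mandatory)][string]$PathPrefix, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$PathPrefix*" } |
        Select-Object TimeCreated,
            @{ n = 'Subject'; e = { $_.Properties[1].Value } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'OldSddl'; e = { $_.Properties[8].Value } },
            @{ n = 'NewSddl'; e = { $_.Properties[9].Value } }
}

function Remove-CreatorOwnerAce {
    # Stopgap: drop explicit CREATOR OWNER entries from the directory. The inheritance setting is left as
    # found; re-enabling parent inheritance would bring the parent's default CREATOR OWNER entry back.
    # Entries already stamped on children for a user's own SID are reported, not auto-purged, and the
    # unpatched service may re-apply its ACL on restart. Preview only unless -Apply is given.
    param([Parameter(Mandatory)][string]$Path, [switch]$Apply)
    $acl = Get-Acl -LiteralPath $Path
    $targets = @($acl.Access | Where-Object { (Get-AceSid $_) -eq $CreatorOwnerSid -and -not $_.IsInherited })
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    if ($Apply -and $targets.Count -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    [pscustomobject]@{
        Path          = $Path
        Removed       = $targets.Count
        Applied       = [bool]$Apply
        ChildFindings = @(Find-RiskyAce -Path $Path | Where-Object { $_.Path -ne $Path })
    }
}

$paths = 'C:\Program Files\Pritunl', 'C:\ProgramData\Pritunl'    # assumed locations
Find-RiskyAce -Path $paths | Format-Table -AutoSize
Get-PermissionChangeEvent -PathPrefix $paths[0] | Format-Table -AutoSize
Remove-CreatorOwnerAce -Path $paths[0]                            # preview; add -Apply to change the ACL
```

Run the audit from an elevated prompt so every object's ACL can be read. A CREATOR OWNER finding with Inherited set to true means the directory is not blocking inheritance from its parent, which is a different problem from the one the patch fixes but leaves the same entry in place; a child finding for an ordinary user account is the materialized form of the entry and should be cleared by removing or re-owning that object.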
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

