CVE-2022-4991 Overview
CVE-2022-4991 affects Tychon, which bundles an OpenSSL component compiled with an OPENSSLDIR variable pointing to a subdirectory that an unprivileged Windows user can control. Tychon runs a privileged service that loads this OpenSSL component. An attacker who writes a crafted openssl.cnf file to the expected path can achieve arbitrary code execution with SYSTEM privileges. The flaw is a local privilege escalation primitive rooted in insecure default configuration of the OpenSSL build. Reference details are published in the CERT Vulnerability Advisory.
Critical Impact
A low-privileged local user can escalate to SYSTEM by planting a malicious openssl.cnf file in an OPENSSLDIR path writable by standard users.
Affected Products
- Tychon (Windows builds incorporating the vulnerable OpenSSL component)
- The bundled OpenSSL library configured with a user-writable OPENSSLDIR
- Privileged Tychon Windows service consuming the OpenSSL component
Discovery Timeline
- 2026-06-01 - CVE-2022-4991 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in the NVD database
Technical Details for CVE-2022-4991
Vulnerability Analysis
The vulnerability stems from how the OpenSSL component shipped with Tychon resolves its configuration directory at runtime. OpenSSL uses the compile-time OPENSSLDIR macro to locate openssl.cnf and other configuration assets. When OPENSSLDIR points to a path within a subdirectory that an unprivileged user can create or modify on Windows, the privileged process will load attacker-controlled configuration. OpenSSL configuration files support directives such as engine and provider loading, which can cause arbitrary DLLs to be mapped into the calling process. Because Tychon executes its OpenSSL-linked service under SYSTEM, this loading occurs in a privileged security context.
Root Cause
The root cause is an insecure default configuration in the OpenSSL build packaged with Tychon. OPENSSLDIR was set to a filesystem location whose parent path is writable by standard Windows users, violating the trust boundary required for a privileged service. This is a classic file-system trust mismatch (a CWE-427-class issue, Uncontrolled Search Path Element) between a privileged process and an unprivileged configuration source.
Attack Vector
A local attacker creates the missing OPENSSLDIR directory tree and places a crafted openssl.cnf inside it. The configuration directs OpenSSL to load an attacker-supplied engine or provider DLL. When the Tychon privileged service initializes OpenSSL, it parses the planted configuration and loads the malicious module under SYSTEM. No network access or user interaction is required against the target host. Refer to the CERT Vulnerability Advisory for the affected paths.
Detection Methods for CVE-2022-4991
Indicators of Compromise
- Creation of openssl.cnf or new directories under the OPENSSLDIR path documented in the CERT advisory by non-administrative users.
- Unexpected DLLs loaded by the Tychon privileged service process, especially from user-writable directories.
- New child processes spawned by the Tychon service running with SYSTEM integrity that do not match the vendor binary signing baseline.
Detection Strategies
- Monitor file creation events for openssl.cnf outside vendor-managed installation directories on Windows endpoints running Tychon.
- Alert on image loads by privileged services from paths writable by the Users or Authenticated Users groups.
- Hunt for OpenSSL configuration directives such as engines or providers referencing non-standard module paths.
Monitoring Recommendations
- Enable Sysmon Event ID 11 (FileCreate) and Event ID 7 (ImageLoad) for the Tychon service process.
- Track Windows Security Event ID 4663 on the affected OPENSSLDIR path with a system access control list (SACL) applied.
- Baseline DLLs loaded by the Tychon service and alert on deviations using endpoint detection and response (EDR) telemetry.
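As an added illustration of the detection strategies and monitoring recommendations above (example code written for this page, not from the CERT advisory or the vendor), the following Python applies the two indicators to constructed Sysmon-style FileCreate (Event ID 11) and ImageLoad (Event ID 7) records: an openssl.cnf written outside the vendor directory by a non-privileged user, and a module loaded by the Tychon service from a user-writable path or without a valid signature. The OPENSSLDIR path, vendor directory and service image name are placeholders to be replaced with the values the advisory documents.

```python
import ntpath

# Placeholders (hypothetical, not from the advisory): substitute the OPENSSLDIR path
# and service binary that the CERT advisory and vendor documentation give.
OPENSSLDIR = r"C:\OpenSSLDirPlaceholder"
VENDOR_DIR = r"C:\Program Files\Tychon"
SERVICE_IMAGE = r"C:\Program Files\Tychon\TychonService.exe"
# Roots standard users can write to by default, plus OPENSSLDIR itself, which this
# CVE shows an unprivileged user can control. Adjust for the environment.
USER_WRITABLE = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp", OPENSSLDIR)
PRIVILEGED_USERS = {r"NT AUTHORITY\SYSTEM"}

def under(path, root):
    """True if path is root or lies beneath it (case-insensitive, normalised)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")

def is_user_writable(path):
    return any(under(path, root) for root in USER_WRITABLE)

def check_event(ev):
    """Return an alert string for one Sysmon-style event dict, or None if benign."""
    if ev.get("EventID") == 11:  # FileCreate: any new openssl.cnf is worth a look
        target = ev.get("TargetFilename", "")
        if ntpath.basename(target).lower() != "openssl.cnf":
            return None
        if under(target, VENDOR_DIR) and ev.get("User") in PRIVILEGED_USERS:
            return None  # vendor-managed install or update activity
        return f"openssl.cnf written by {ev.get('User')} at {target}"
    if ev.get("EventID") == 7 and ntpath.normcase(ev.get("Image", "")) == ntpath.normcase(SERVICE_IMAGE):
        loaded = ev.get("ImageLoaded", "")  # ImageLoad by the privileged Tychon service
        if is_user_writable(loaded) or str(ev.get("Signed", "")).lower() != "true":
            return f"Tychon service loaded {loaded} (Signed={ev.get('Signed')})"
    return None

def analyze(events):
    """Run every event through check_event and return the alerts in order."""
    return [alert for alert in map(check_event, events) if alert]

# Constructed sample telemetry, not real logs: one planted config, one vendor write,
# one unsigned DLL from a user-writable path, one normal system DLL, one unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 11, "User": r"DESKTOP\lowpriv", "TargetFilename": OPENSSLDIR + r"\openssl.cnf"},
    {"EventID": 11, "User": r"NT AUTHORITY\SYSTEM", "TargetFilename": VENDOR_DIR + r"\ssl\openssl.cnf"},
    {"EventID": 7, "Image": SERVICE_IMAGE, "Signed": "false", "ImageLoaded": r"C:\Users\Public\engine.dll"},
    {"EventID": 7, "Image": SERVICE_IMAGE, "Signed": "true", "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
    {"EventID": 7, "Image": r"C:\Windows\notepad.exe", "Signed": "false", "ImageLoaded": r"C:\Users\Public\x.dll"},
]
```

Running analyze(SAMPLE_EVENTS) yields exactly two alerts, the planted openssl.cnf and the unsigned engine.dll load; in production the same checks would be fed from exported Sysmon events rather than the constructed list.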
How to Mitigate CVE-2022-4991
Immediate Actions Required
- Apply the Tychon update that ships an OpenSSL build with OPENSSLDIR set to a directory writable only by administrators.
- Audit the OPENSSLDIR path on all Tychon-installed Windows hosts and remove any unauthorized files or directories.
- Restrict write permissions on the parent directories referenced by OPENSSLDIR to administrative principals only.
Patch Information
Consult the CERT Vulnerability Advisory for the vendor-supplied fixed version and remediation guidance. The corrective change moves OpenSSL configuration loading to a path that unprivileged users cannot influence.
Workarounds
- Pre-create the OPENSSLDIR directory tree and set NTFS access control lists (ACLs) to deny write access to non-administrators.
- Block standard users from creating top-level directories on the system drive using Group Policy and file system permissions where feasible.
- Run application allowlisting to prevent the Tychon service from loading unsigned or unexpected DLLs.
# Configuration example: lock down the OPENSSLDIR path on Windows (run from an elevated prompt)
# Replace <OPENSSLDIR_PATH> with the path documented in the CERT advisory; create the directory first if it does not exist, so that it is no longer available for an unprivileged user to create
# Step 1: stop inheriting the permissive ACL of the user-writable parent directory
icacls "<OPENSSLDIR_PATH>" /inheritance:r
# Step 2: replace the DACL so that only Administrators and SYSTEM hold (inheritable) full control; every other principal loses access
icacls "<OPENSSLDIR_PATH>" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
# Step 3 (optional): add an explicit deny of write access for Users. Administrator accounts are also members of Users, so this deny ACE blocks their writes as well; omit it where administrators must edit the path
icacls "<OPENSSLDIR_PATH>" /deny "Users:(OI)(CI)W"
# Verify the resulting ACL
icacls "<OPENSSLDIR_PATH>"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.