9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
58.8%
Recently, the Qt Projectβs security team was made aware of an issue regarding Qtβs usage of LoadLibrary in a few locations and determined it to be a security issue on Windows only.
Specifically, the problem is connected to when LoadLibrary is used to load a system library, such as opengl.dll as these are expected to be located inside the system Windows directory. However, LoadLibrary will search in the current working directory first to see if a dll with the same name is available there first and as a result it can end up trying to load that one instead of the correct one. This can mean that it can invoke the Preload routine of the dll before trying to load the symbols needed by the caller.
This can be worked around in any application, by calling:
SetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT);
before
creating the Q[Core|Gui]Application object and then any calls to LoadLibrary will only check in the current working directory after it has searched the other paths which should suffice to prevent the problem.
Patches are available for the currently supported versions of Qt can be found here:
dev: <https://codereview.qt-project.org/c/qt/qtbase/+/396440>
Qt 6.2: <https://codereview.qt-project.org/c/qt/qtbase/+/396689> or <https://download.qt.io/official_releases/qt/6.2/CVE-2022-25643-6.2.diff>
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/396690 or <https://download.qt.io/official_releases/qt/5.15/CVE-2022-25643-5.15.diff>
The official CVE report for this can be found here: <https://vulners.com/cve/CVE-2022-25634>
Update: It has been reported that the workaround is not always working, so it is recommended to see: https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1 for further options in that respect.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
58.8%