VYPR
Unrated severity · NVD Advisory · Published Mar 17, 2022 · Updated Aug 3, 2024

CVE-2022-26526

Description

Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed.)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Anaconda3 and Miniconda3 on Windows create a world-writable directory in %PROGRAMDATA% and add it to system PATH, enabling local privilege escalation via Trojan horse.

Vulnerability

The Anaconda3 Distribution (through 2021.11.0.0) and Miniconda3 (through 4.11.0.0) installers on Windows create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. This behavior occurs only during a non-default installation where the user selects "Install for all users" and opts to change the system PATH [1][2].

Exploitation

An attacker with local access can place a malicious executable (Trojan horse) into the world-writable directory. Because the directory is in the system PATH, any process running in the context of another user (including higher-privileged users) that executes a command without a full path may inadvertently run the attacker's payload. No authentication beyond local user access is required; the attacker only needs write permission to the directory, which is world-writable [2].

Impact

Successful exploitation allows an attacker to escalate privileges to the level of the user running the affected process. If a privileged user (e.g., administrator) runs a command that resolves to the Trojan horse, the attacker gains code execution at that privilege level. The impact is local privilege escalation, potentially leading to full system compromise [2].

Mitigation

Anaconda has not released a patched version as of the publication date (2022-03-17). Users should avoid installing Anaconda3 or Miniconda3 with the "Install for all users" option and the system PATH modification. Alternatively, manually remove the world-writable directory from the system PATH and restrict permissions on the directory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2][3].
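A defender's check for the condition this advisory describes, added here as an example (it is not code from Anaconda or from the advisory): it lists directories on the machine-wide PATH whose ACL lets broad groups create files. The function name `Get-WritablePathEntry` and the selection of well-known SIDs are assumptions of this example.

```powershell
# Added example: audit the machine-wide PATH for directories that broad,
# low-privileged groups can create files in. Read-only; changes nothing.

# Well-known SIDs treated as "world" for this check (example's choice).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# plus raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$WriteMask = 0x50000006

function Get-WritablePathEntry {
    param(
        # Defaults to the system PATH; pass a string to test other values.
        [string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    )
    foreach ($entry in ($PathValue -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $dir) { continue }
        # Entries that do not exist are skipped here; review them separately.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to this directory.
            if ($ace.PropagationFlags -band
                [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            $sid = $ace.IdentityReference.Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Directory = $dir
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WritablePathEntry | Format-Table -AutoSize
```

Deny entries are not evaluated, so a reported directory should be confirmed by inspecting its full ACL before removing it from PATH or tightening its permissions.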

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
