support_uri validation missing in WARP client for Windows
Description
The support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation, which allowed privilege escalation and the launch of an arbitrary executable on the local machine when the user clicked the "Send feedback" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file, or set a local path to the executable using the Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cloudflare WARP client for Windows lacks validation of the 'support_uri' in mdm.xml, allowing privilege escalation via arbitrary executable execution.
Vulnerability
The CVE-2022-4428 vulnerability resides in the Cloudflare WARP client for Windows, where the support_uri parameter in the mdm.xml local settings file is not properly validated. This allows an attacker with local file system access to craft a malicious XML configuration file pointing to an arbitrary executable. The issue affects versions prior to 2022.442.0 (the fix was released in version >=2022.476.0) [1].
Exploitation
An attacker needs write access to the local file system to modify or replace the mdm.xml file. Alternatively, for Zero Trust enrolled clients, the attacker could set a local path to the executable via the Cloudflare Zero Trust Dashboard. The exploit triggers when a user clicks the "Send feedback" option in the WARP client, which then launches the attacker-specified executable [1].
Impact
Successful exploitation results in privilege escalation and the ability to launch an arbitrary executable on the local machine. This could lead to complete compromise of the affected system, depending on the malicious executable launched [1].
Mitigation
The vendor released a fix in Cloudflare WARP for Windows version >=2022.476.0. Users should upgrade to the latest version immediately. No workarounds are mentioned in the available reference [1]. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
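A defender-side check for the condition described above, added here as an example and not taken from Cloudflare's client or its fix: it reads the text of an mdm.xml file and flags any support_uri value that is not a plain http(s) URL. It assumes mdm.xml uses a plist-style `<dict>` of `<key>`/`<string>` pairs; the sample files and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples. Assumption: mdm.xml is a plist-style <dict> of
# <key>/<string> pairs, with the key name taken from the advisory text.
SAMPLE_OK = """<dict>
  <key>organization</key><string>example-team</string>
  <key>support_uri</key><string>https://support.example.com/help</string>
</dict>"""
SAMPLE_BAD = r"""<dict>
  <key>organization</key><string>example-team</string>
  <key>support_uri</key><string>C:\Users\Public\tool.exe</string>
</dict>"""

def support_uri_values(xml_text):
    """Collect every support_uri value, including ones in nested <dict>s."""
    values = []
    for d in ET.fromstring(xml_text).iter("dict"):
        children = list(d)
        for key, val in zip(children, children[1:]):
            if key.tag == "key" and (key.text or "").strip() == "support_uri":
                values.append((val.text or "").strip())
    return values

def classify(value):
    """Return None for a plain web URL, otherwise the reason to flag it."""
    try:
        parts = urlsplit(value)
    except ValueError as exc:
        return f"unparseable: {exc}"
    # A drive-letter path such as C:\x.exe parses with scheme "c";
    # UNC and relative paths parse with an empty scheme.
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not http/https"
    if not parts.hostname:
        return "no host component"
    return None

def audit(xml_text):
    """List (value, reason) for each support_uri a defender should review."""
    return [(v, r) for v in support_uri_values(xml_text)
            if (r := classify(v)) is not None]

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(text))
```

Run it against the contents of each endpoint's mdm.xml; an empty list means every support_uri found is an http(s) URL with a host.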
Affected products (2)
- Cloudflare/WARP, v5, Range: 0
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.