Summary:

ZeroTier versions 1.8.7 and below for Windows set incorrect filesystem permissions on “C:\ProgramData\ZeroTier\One\”.

The Users group had write access to the directory ZeroTier reads on startup, allowing privilege escalation via DLL hijacking.

MacOS, Linux, and other platforms were not affected.

Impact

Local privilege escalation to SYSTEM.

Mitigation

Upgrade Windows systems to version 1.8.8.

Acknowledgements

This issue was brought to our attention by @ycdxsb, via huntr.dev.

This vulnerability is CVE-2022-1316