CVE-2020-11081
OSQuery vulnerability analysis and mitigation

Overview

CVE-2020-11081 is a privilege escalation vulnerability affecting osquery versions before 4.4.0. The vulnerability was discovered in May 2020 and patched in June 2020. The issue occurs when osquery attempts to load zlib1.dll on Windows systems: if the system's PATH contains a user-writable directory, a local user could exploit this to achieve privilege escalation (GitHub Advisory).

Technical details

The vulnerability was introduced through OpenSSL's dependency on zlib for SSL/TLS compression. On Windows systems, OpenSSL would attempt to load zlib1.dll as a dynamic library, and that DLL could be loaded from an insecure location. Since osquery runs with elevated privileges, this DLL search order hijacking vulnerability could be exploited for privilege escalation. The issue was particularly concerning because compression in SSL/TLS has been shown to potentially lead to information leaks (GitHub PR).

Impact

If successfully exploited, an attacker could achieve local privilege escalation to NT AUTHORITY\SYSTEM level access on affected Windows systems. This occurs when the osquery service, running with elevated privileges, loads a malicious zlib1.dll from a user-writable directory in the system's PATH (GitHub Issue).

Mitigation and workarounds

The vulnerability was patched in osquery version 4.4.0 by disabling OpenSSL compression support entirely. For systems unable to update immediately, the recommended workaround is to ensure system PATH directories are not user-writable, restricting PATH writability to administrators and similarly-privileged accounts (GitHub Advisory).
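One way to audit the workaround above on a Windows host, as an added example (not code from osquery or the advisory). The list of trusted SIDs is an assumption about what counts as "administrators and similarly-privileged accounts"; adjust it for your environment.

```powershell
# Added example: flags machine PATH directories where a non-administrative
# principal could create files (the precondition for planting zlib1.dll).

# Assumption: only these well-known SIDs are treated as trusted.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow dropping a file into the directory or rewriting its ACL.
# 0x50000000 covers GENERIC_ALL and GENERIC_WRITE, which can appear unmapped in raw ACEs.
$risky = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$inheritOnlyBit = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# The osquery service runs as SYSTEM, so the machine-level PATH is the one to check.
$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Where-Object { $_ } |
    Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # Missing entries are reported for manual review rather than silently skipped.
        [pscustomobject]@{ Directory = $dir; Principal = '(directory not found)'; Rights = $null }
        continue
    }
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # Skip ACEs that do not grant access on this directory itself.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnlyBit) -ne 0) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $risky) -eq 0) { continue }
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.IdentityReference.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No user-writable directories found in the machine PATH.' }
```

Directory ownership and deny ACEs are not evaluated, so treat a clean result as a first pass and not as proof that every PATH entry is locked down.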

Source: This report was generated using AI

Related OSQuery vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2020-1887 | CRITICAL | 9.1 | OSQuery | osquery | No | Yes | Mar 13, 2020 |
| CVE-2020-11081 | HIGH | 8.2 | OSQuery | osquery | No | Yes | Jul 10, 2020 |
| CVE-2019-3567 | HIGH | 8.1 | OSQuery | cpe:2.3:a:linuxfoundation:osquery | No | Yes | Jun 03, 2019 |
| CVE-2018-6336 | HIGH | 7.8 | OSQuery | cpe:2.3:a:linuxfoundation:osquery | No | Yes | Dec 31, 2018 |
| CVE-2020-26273 | MEDIUM | 5.2 | OSQuery | cpe:2.3:a:linuxfoundation:osquery | No | Yes | Dec 16, 2020 |
