CVE-2018-6854

Published: 2018-07-09 18:29:00
Weakness: CWE-119
Source: web.nvd.nist.gov
Tags: cve-2018-6854, sophos safeguard, local privilege escalation, ioctls, security vulnerability, nvd

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 5.2%

Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g., 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes. So, even though the driver checks the input/output buffer sizes, it doesn't validate whether the pointers to those buffers are actually valid. So, we can supply a kernel-space address as the output buffer pointer, and the error code will be written there. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant the SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.

Affected configurations (NVD)

Any one of the following vendor / product / version matches:
sophos safeguard_easy_device_encryption_client 6.00
sophos safeguard_easy_device_encryption_client 6.10
sophos safeguard_easy_device_encryption_client 7.00
sophos safeguard_enterprise_client 5.60.3vs-nfd
sophos safeguard_enterprise_client 6.00
sophos safeguard_enterprise_client 6.00.1
sophos safeguard_enterprise_client 6.10
sophos safeguard_enterprise_client 7.00
sophos safeguard_enterprise_client 8.00
sophos safeguard_lan_crypt_client 3.90.1ts
sophos safeguard_lan_crypt_client 3.90.2
sophos safeguard_lan_crypt_client 3.95.1
sophos safeguard_lan_crypt_client 3.95.1ts
