FKIE_CVE-2018-6855

Vulnerability from fkie_nvd - Published: 2018-07-09 18:29 - Updated: 2024-11-21 04:11
Severity ?
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
References
cve@mitre.orghttp://seclists.org/fulldisclosure/2018/Jul/20Issue Tracking, Mailing List, Third Party Advisory
cve@mitre.orghttps://community.sophos.com/kb/en-us/131934Patch, Vendor Advisory
cve@mitre.orghttps://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2018/Jul/20Issue Tracking, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://community.sophos.com/kb/en-us/131934Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/Exploit, Technical Description, Third Party Advisory
Impacted products
Vendor Product Version
sophos safeguard_easy_device_encryption_client 6.00
sophos safeguard_easy_device_encryption_client 6.10
sophos safeguard_easy_device_encryption_client 7.00
sophos safeguard_enterprise_client 5.60.3
sophos safeguard_enterprise_client 6.00
sophos safeguard_enterprise_client 6.00.1
sophos safeguard_enterprise_client 6.10
sophos safeguard_enterprise_client 7.00
sophos safeguard_enterprise_client 8.00
sophos safeguard_lan_crypt_client 3.90.1
sophos safeguard_lan_crypt_client 3.90.2
sophos safeguard_lan_crypt_client 3.95.1
sophos safeguard_lan_crypt_client 3.95.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:6.00:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F57138C-7C06-496F-994E-0966CE8212C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C35D6EE3-06A4-4720-A41F-A853CBF5AD31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:7.00:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EC3A868-4328-4C39-9846-8E1182E747CB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_enterprise_client:5.60.3:vs-nfd:*:*:*:*:*:*",
              "matchCriteriaId": "1831A4DA-2F50-411A-924F-FF0E15A593A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_enterprise_client:6.00:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D8F90D7-7D25-418F-AE85-AD1D7E60DD18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_enterprise_client:6.00.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "864E1982-8947-4EF7-912D-CDFD74E8D134",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_enterprise_client:6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "60BBA33F-853D-407B-975B-A9182B259DB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_enterprise_client:7.00:*:*:*:*:*:*:*",
              "matchCriteriaId": "88E54DC4-12A5-452F-8DCE-890645585097",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_enterprise_client:8.00:*:*:*:*:*:*:*",
              "matchCriteriaId": "3075C40D-1FF9-46D0-80F3-2EF8E8423974",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.90.1:ts:*:*:*:*:*:*",
              "matchCriteriaId": "4BCE0FAF-54C0-420D-BA05-F90848408515",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.90.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CD621BA-6AB7-427D-B6D0-D2D75D1ADC18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.95.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C82A7CD5-0703-47E1-BA4F-3797986CE139",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.95.1:ts:*:*:*:*:*:*",
              "matchCriteriaId": "2D0F50CA-6C19-4ECF-97B7-6636A2756961",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context."
    },
    {
      "lang": "es",
      "value": "Sophos SafeGuard Enterprise en versiones anteriores a la 8.00.5, SafeGuard Easy en versiones anteriores a la 7.00.3, y SafeGuard LAN Crypt en versiones anteriores a la 3.95.2 son vulnerables a una escalada de privilegios local mediante IOCTL 0x80202014. Manipulando un b\u00fafer de entrada, es posible controlar la ruta de ejecuci\u00f3n al punto en el que la constante 0xFFFFFFF se escribir\u00e1 en una direcci\u00f3n controlada por el usuario. Se puede aprovechar esta situaci\u00f3n para modificar la estructura SEP_TOKEN_PRIVILEGES del objeto Token que pertenece al proceso del exploit y otorgar privilegios SE_DEBUG_NAME. Esto permite que el proceso del exploit interact\u00fae con procesos con privilegios m\u00e1s elevados que se ejecutan como SYSTEM, ejecutando c\u00f3digo en su contexto de seguridad."
    }
  ],
  "id": "CVE-2018-6855",
  "lastModified": "2024-11-21T04:11:18.037",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-07-09T18:29:00.903",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/Jul/20"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://community.sophos.com/kb/en-us/131934"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2018/Jul/20"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://community.sophos.com/kb/en-us/131934"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.