Vulnerability Name: | CVE-2018-6857 (CCN-145454) | ||||||||||||
Assigned: | 2018-06-25 | ||||||||||||
Published: | 2018-06-25 | ||||||||||||
Updated: | 2019-10-03 | ||||||||||||
Summary: | Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer we can control the execution path to the point where the constant 0x12 will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. | ||||||||||||
CVSS v3 Severity: | 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) 6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
CVSS v2 Severity: | 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
| ||||||||||||
Vulnerability Type: | CWE-119 | ||||||||||||
Vulnerability Consequences: | Gain Privileges | ||||||||||||
References: | Source: MITRE Type: CNA CVE-2018-6857 Source: FULLDISC Type: Mailing List, Third Party Advisory 20180706 Sophos Safeguard Products - Multiple Privilege Escalation Vulnerabilities. Source: CCN Type: Sophos Knowledge Base 131934 Windows Client Patch 1804 for SafeGuard products Source: CONFIRM Type: Patch, Vendor Advisory https://community.sophos.com/kb/en-us/131934 Source: XF Type: UNKNOWN sophos-safeguard-cve20186857-priv-esc(145454) Source: CCN Type: Nettitude Labs Web site CVE-2018-6851 to CVE-2018-6857: Sophos Privilege Escalation Vulnerabilities Source: MISC Type: Exploit, Technical Description, Third Party Advisory https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/ | ||||||||||||
Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||
BACK |