Vulnerability Details : CVE-2018-6853
Potential exploit
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206024. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
Vulnerability category: Overflow, Gain privilege
Products affected by CVE-2018-6853
- cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:6.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:6.10:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:7.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:6.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:6.00.1:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:8.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:6.10:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:7.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:5.60.3:vs-nfd:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.95.1:ts:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.95.1:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.90.2:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.90.1:ts:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-6853
- 0.02%: Probability of exploitation activity in the next 30 days
- ~ 3 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-6853
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2018-6853
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-6853
- http://seclists.org/fulldisclosure/2018/Jul/20
  Full Disclosure: Sophos Safeguard Products - Multiple Privilege Escalation Vulnerabilities. (Mailing List; Third Party Advisory)
- https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/
  CVE-2018-6851 to CVE-2018-6857: Sophos Privilege Escalation Vulnerabilities — Nettitude Labs (Exploit; Technical Description; Third Party Advisory)
- https://community.sophos.com/kb/en-us/131934
  Windows Client Patch 1804 for SafeGuard products - Sophos Community (Patch; Vendor Advisory)