Vulnerability Details : CVE-2018-6857
Potential exploit
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer we can control the execution path to the point where the constant 0x12 will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
Vulnerability category: Overflow; Execute code; Gain privilege
Products affected by CVE-2018-6857
- cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:6.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:6.10:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_easy_device_encryption_client:7.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:6.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:6.00.1:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:8.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:6.10:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:7.00:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_enterprise_client:5.60.3:vs-nfd:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.95.1:ts:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.95.1:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.90.2:*:*:*:*:*:*:*
- cpe:2.3:a:sophos:safeguard_lan_crypt_client:3.90.1:ts:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-6857
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-6857
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | 
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 
CWE ids for CVE-2018-6857
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-6857
- http://seclists.org/fulldisclosure/2018/Jul/20 (Full Disclosure: Sophos Safeguard Products - Multiple Privilege Escalation Vulnerabilities. Mailing List; Third Party Advisory)
- https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/ (CVE-2018-6851 to CVE-2018-6857: Sophos Privilege Escalation Vulnerabilities, Nettitude Labs. Exploit; Technical Description; Third Party Advisory)
- https://community.sophos.com/kb/en-us/131934 (Windows Client Patch 1804 for SafeGuard products, Sophos Community. Patch; Vendor Advisory)