CVE-2018-6855

Exploit

EPSS 0.02%
Published 09.07.2018 18:29:00
Last modified 21.11.2024 04:11:18
Source cve@mitre.org
Teams watchlist Login
Open Login

Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Sophos ≫ Safeguard Easy Device Encryption Client Version6.00

Sophos ≫ Safeguard Easy Device Encryption Client Version6.10

Sophos ≫ Safeguard Easy Device Encryption Client Version7.00

Sophos ≫ Safeguard Enterprise Client Version5.60.3 Updatevs-nfd

Sophos ≫ Safeguard Enterprise Client Version6.00

Sophos ≫ Safeguard Enterprise Client Version6.00.1

Sophos ≫ Safeguard Enterprise Client Version6.10

Sophos ≫ Safeguard Enterprise Client Version7.00

Sophos ≫ Safeguard Enterprise Client Version8.00

Sophos ≫ Safeguard Lan Crypt Client Version3.90.1 Updatets

Sophos ≫ Safeguard Lan Crypt Client Version3.90.2

Sophos ≫ Safeguard Lan Crypt Client Version3.95.1

Sophos ≫ Safeguard Lan Crypt Client Version3.95.1 Updatets

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.024

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

http://seclists.org/fulldisclosure/2018/Jul/20

Third Party Advisory

Mailing List

Issue Tracking

https://community.sophos.com/kb/en-us/131934

Patch

Vendor Advisory

https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/

Third Party Advisory

Exploit

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2018-6855

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-6855

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-6855

EUVD