Kyriakos Economou

**Nome do software vulnerável e versões afetadas** Driver do chipset do Processador de Segurança da Plataforma AMD (PSP) (versões afetadas não especificadas) **Descrição** Existe uma vulnerabilidade de divulgação de informações no driver do chipset AMD Platform Security Processor (PSP). A lista de controle de acesso discricionário (DACL) pode permitir que usuários com privilégios baixos abram um identificador e enviem solicitações ao driver, resultando em um possível vazamento de dados de páginas físicas não inicializadas. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas: Versões do Cisco Advanced Malware Protection for Endpoints Windows Connector (versões afetadas não especificadas) Versões do ClamAV para Windows (versões afetadas não especificadas) Versões do Immunet (versões afetadas não especificadas) Descrição: O problema está relacionado a erros no mecanismo de carregamento da biblioteca de ligação dinâmica (DLL), especificamente devido à validação insuficiente dos caminhos de pesquisa de diretórios em tempo de execução. Isso poderia permitir que um invasor local autenticado realizasse um ataque de sequestro de DLL em um sistema Windows afetado. O invasor precisaria de credenciais válidas no sistema para explorar essa vulnerabilidade. Ao colocar um arquivo DLL malicioso em um sistema afetado, um invasor poderia executar código arbitrário com privilégios de SISTEMA. Recomendações: Para o Cisco Advanced Malware Protection for Endpoints Windows Connector, restrinja o acesso ao mecanismo de carregamento de DLL até que uma correção esteja disponível. Para o ClamAV para Windows, considere desativar o recurso de carregamento de bibliotecas de ligação dinâmica como uma solução temporária até que uma correção seja fornecida. Para o Immunet, evite usar o mecanismo de carregamento de DLL vulnerável no sistema Windows afetado até que a vulnerabilidade seja resolvida. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do madCodeHook anteriores a 16/07/2020 **Descrição** Existe uma vulnerabilidade TOCTOU que permite que invasores locais elevem seus privilégios ao nível SYSTEM. Isso ocorre porque pode haver redirecionamento de caminho por meio de vetores que envolvem junções de diretórios. **Recomendações** Para versões anteriores a 16/07/2020, atualize para uma versão lançada após 16/07/2020 para resolver o problema. Como solução alternativa temporária, considere restringir o acesso a junções de diretórios para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** Cisco Advanced Malware Protection (AMP) for Endpoints para Windows (versões afetadas não especificadas) Cisco Immunet para Windows (versões afetadas não especificadas) **Descrição** Uma vulnerabilidade no mecanismo de carregamento de DLLs específicas poderia permitir que um invasor local autenticado realizasse um ataque de sequestro de DLL. O invasor precisaria de credenciais válidas no sistema Windows para explorar essa vulnerabilidade, que se deve ao tratamento incorreto dos caminhos de pesquisa de diretórios em tempo de execução. Um invasor poderia explorar essa vulnerabilidade colocando um arquivo DLL malicioso no sistema alvo, permitindo a execução de código arbitrário no sistema alvo com privilégios de SISTEMA. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** BitDefender GravityZone (affected versions not specified) **Description** The issue concerns the installer for BitDefender GravityZone, which relies on an encoded string in a filename to determine the URL for installation metadata. This allows remote attackers to execute arbitrary code by changing the filename while leaving the file's digital signature unchanged. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via multiple IOCTLs. When certain conditions in the user-controlled input buffer are not met, the driver writes an error code to a user-controlled address. The IOCTLs use transfer type METHOD NEITHER, which means the I/O manager does not validate supplied pointers and buffer sizes. This allows for supplying a pointer for the output buffer to a kernel address space address, enabling modification of the SEP TOKEN PRIVILEGES structure to grant SE DEBUG NAME privilege. This privilege allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer, an attacker can control the execution path, allowing them to write a constant value to a user-controlled address. This can be used to modify the `SEP TOKEN PRIVILEGES` structure of the Token object, granting the `SE DEBUG NAME` privilege. This privilege enables the exploit process to interact with higher-privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer, an attacker can control the execution path, enabling the modification of the SEP TOKEN PRIVILEGES structure of the Token object. This modification grants the SE DEBUG NAME privilege, allowing the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x8020601C. By crafting an input buffer, an attacker can control the execution path to the point where a global variable will be written to a user-controlled address. This condition can be exploited to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself, allowing code to run in the context of a process running as SYSTEM. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x80206040. By crafting an input buffer, an attacker can control the execution path, allowing them to write a constant DWORD 0 to a user-controlled address. This can be exploited to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself, enabling the execution of code in the context of a process running as SYSTEM. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer, an attacker can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. This condition can be exploited to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself, allowing code to run in the context of a process running as SYSTEM. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for NPS Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service for NPS Agent for unspecified installation directories and executable modules. This weakness allows local users to gain privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for Citrix Web Interface Agent (affected versions not specified) **Description** The issue is related to a weak Access Control List (ACL) used by the SafeNet Authentication Service for Citrix Web Interface Agent for unspecified installation directories and executable modules. This weakness allows local users to gain privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for AD FS Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service for AD FS Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service Windows Logon Agent (affected versions not specified) **Description** The issue is related to a weak Access Control List (ACL) used by the SafeNet Authentication Service Windows Logon Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service Windows Logon Agent (affected versions not specified) **Description** The issue is related to a weak Access Control List (ACL) used by the SafeNet Authentication Service Windows Logon Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service End User Software Tools for Windows (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the software for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service TokenValidator Proxy Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service TokenValidator Proxy Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for Outlook Web App Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service for Outlook Web App Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Carbon Black version 5.1.1.60603 **Description** The issue allows local users with admin privileges to cause a denial of service, resulting in an out-of-bounds read and system crash. This is achieved via a large counter value in an IOCTL call, specifically the 0x62430028 call. **Recommendations** For Carbon Black version 5.1.1.60603, consider restricting access to the cbstream.sys driver to minimize the risk of exploitation. As a temporary workaround, avoid using large counter values in the 0x62430028 IOCTL call until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.