Kyrecon

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via multiple IOCTLs. When certain conditions in the user-controlled input buffer are not met, the driver writes an error code to a user-controlled address. The IOCTLs use transfer type METHOD NEITHER, which means the I/O manager does not validate supplied pointers and buffer sizes. This allows for supplying a pointer for the output buffer to a kernel address space address, enabling modification of the SEP TOKEN PRIVILEGES structure to grant SE DEBUG NAME privilege. This privilege allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.