Kyriakos Economou

**Name of the Vulnerable Software and Affected Versions** AMD Platform Security Processor (PSP) chipset driver (affected versions not specified) **Description** An information disclosure issue exists in the AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low-privileged users to open a handle and send requests to the driver, resulting in a potential data leak from uninitialized physical pages. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Advanced Malware Protection for Endpoints Windows Connector versions (affected versions not specified) ClamAV for Windows versions (affected versions not specified) Immunet versions (affected versions not specified) Description: The issue is related to errors in the dynamic link library (DLL) loading mechanism, specifically due to insufficient validation of directory search paths at run time. This could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected Windows system. The attacker would need valid credentials on the system to exploit this issue. By placing a malicious DLL file on an affected system, an attacker could execute arbitrary code with SYSTEM privileges. Recommendations: For Cisco Advanced Malware Protection for Endpoints Windows Connector, restrict access to the DLL loading mechanism until a patch is available. For ClamAV for Windows, consider disabling the dynamic link library loading feature as a temporary workaround until a fix is provided. For Immunet, avoid using the vulnerable DLL loading mechanism in the affected Windows system until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** madCodeHook versions prior to 2020-07-16 **Description** A TOCTOU vulnerability exists that allows local attackers to elevate their privileges to SYSTEM. This occurs because path redirection can occur via vectors involving directory junctions. **Recommendations** For versions prior to 2020-07-16, update to a version released after 2020-07-16 to resolve the issue. As a temporary workaround, consider restricting access to directory junctions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Advanced Malware Protection (AMP) for Endpoints for Windows (affected versions not specified) Cisco Immunet for Windows (affected versions not specified) **Description** A vulnerability in the loading mechanism of specific DLLs could allow an authenticated, local attacker to perform a DLL hijacking attack. The attacker would need valid credentials on the Windows system to exploit this vulnerability, which is due to incorrect handling of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on the targeted system, allowing the execution of arbitrary code on the targeted system with SYSTEM privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BitDefender GravityZone (affected versions not specified) **Description** The issue concerns the installer for BitDefender GravityZone, which relies on an encoded string in a filename to determine the URL for installation metadata. This allows remote attackers to execute arbitrary code by changing the filename while leaving the file's digital signature unchanged. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via multiple IOCTLs. When certain conditions in the user-controlled input buffer are not met, the driver writes an error code to a user-controlled address. The IOCTLs use transfer type METHOD NEITHER, which means the I/O manager does not validate supplied pointers and buffer sizes. This allows for supplying a pointer for the output buffer to a kernel address space address, enabling modification of the SEP TOKEN PRIVILEGES structure to grant SE DEBUG NAME privilege. This privilege allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer, an attacker can control the execution path, allowing them to write a constant value to a user-controlled address. This can be used to modify the `SEP TOKEN PRIVILEGES` structure of the Token object, granting the `SE DEBUG NAME` privilege. This privilege enables the exploit process to interact with higher-privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer, an attacker can control the execution path, enabling the modification of the SEP TOKEN PRIVILEGES structure of the Token object. This modification grants the SE DEBUG NAME privilege, allowing the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x8020601C. By crafting an input buffer, an attacker can control the execution path to the point where a global variable will be written to a user-controlled address. This condition can be exploited to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself, allowing code to run in the context of a process running as SYSTEM. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x80206040. By crafting an input buffer, an attacker can control the execution path, allowing them to write a constant DWORD 0 to a user-controlled address. This can be exploited to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself, enabling the execution of code in the context of a process running as SYSTEM. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** Sophos SafeGuard Enterprise versions prior to 8.00.5 Sophos SafeGuard Easy versions prior to 7.00.3 Sophos SafeGuard LAN Crypt versions prior to 3.95.2 **Description** The issue allows for Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer, an attacker can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. This condition can be exploited to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself, allowing code to run in the context of a process running as SYSTEM. **Recommendations** For Sophos SafeGuard Enterprise versions prior to 8.00.5, update to version 8.00.5 or later. For Sophos SafeGuard Easy versions prior to 7.00.3, update to version 7.00.3 or later. For Sophos SafeGuard LAN Crypt versions prior to 3.95.2, update to version 3.95.2 or later.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for NPS Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service for NPS Agent for unspecified installation directories and executable modules. This weakness allows local users to gain privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for Citrix Web Interface Agent (affected versions not specified) **Description** The issue is related to a weak Access Control List (ACL) used by the SafeNet Authentication Service for Citrix Web Interface Agent for unspecified installation directories and executable modules. This weakness allows local users to gain privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for AD FS Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service for AD FS Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service Windows Logon Agent (affected versions not specified) **Description** The issue is related to a weak Access Control List (ACL) used by the SafeNet Authentication Service Windows Logon Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service Windows Logon Agent (affected versions not specified) **Description** The issue is related to a weak Access Control List (ACL) used by the SafeNet Authentication Service Windows Logon Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service End User Software Tools for Windows (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the software for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service TokenValidator Proxy Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service TokenValidator Proxy Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SafeNet Authentication Service for Outlook Web App Agent (affected versions not specified) **Description** The issue concerns a weak Access Control List (ACL) used by the SafeNet Authentication Service for Outlook Web App Agent for certain installation directories and executable modules. This weakness allows local users to elevate their privileges by modifying an executable module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Carbon Black version 5.1.1.60603 **Description** The issue allows local users with admin privileges to cause a denial of service, resulting in an out-of-bounds read and system crash. This is achieved via a large counter value in an IOCTL call, specifically the 0x62430028 call. **Recommendations** For Carbon Black version 5.1.1.60603, consider restricting access to the cbstream.sys driver to minimize the risk of exploitation. As a temporary workaround, avoid using large counter values in the 0x62430028 IOCTL call until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.