CVE-2021-31727

Name of the Vulnerable Software and Affected Versions MalwareFox AntiMalware version 2.74.0.150

Description The issue is related to incorrect access control in the zam64.sys and zam32.sys drivers of MalwareFox AntiMalware, allowing a non-privileged process to escalate privileges. This can be achieved by opening a handle to .ZemanaAntiMalware, registering with the driver using IOCTL 0x80002010, and then sending specific IOCTLs (0x80002014 and 0x80002018) that expose unrestricted disk read/write capabilities. An attacker can exploit this to overwrite the boot sector or critical code in the pagefile, thus gaining elevated privileges.

Recommendations For MalwareFox AntiMalware version 2.74.0.150, consider disabling the IOCTL 0x80002010 registration functionality and restrict access to the zam64.sys and zam32.sys drivers as a temporary workaround to minimize the risk of exploitation. Additionally, avoid using the IOCTLs 0x80002014 and 0x80002018 in the affected driver until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.