PT-2021-7812 · Malwarefox · Malwarefox Antimalware
Published
2021-05-09
·
Updated
2025-06-05
·
CVE-2021-31728
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MalwareFox AntiMalware version 2.74.0.150
Description
The issue is insufficient access control in the zam64.sys and zam32.sys drivers of MalwareFox AntiMalware, which lets a non-privileged process elevate its privileges. The process opens a handle to the device \\.\ZemanaAntiMalware, registers itself with the driver, allocates executable memory, installs a hook, and then triggers the hook so that the allocated memory is executed. This yields ring 0 code execution in the context of the driver, which the non-privileged process can use to elevate its privileges.
Recommendations
For MalwareFox AntiMalware version 2.74.0.150, consider disabling the vulnerable drivers zam64.sys and zam32.sys as a temporary workaround until a patch is available (note that this also removes the product's kernel-mode protection). Restrict access to the device object \\.\ZemanaAntiMalware so that it cannot be opened by non-privileged users: the attack chain starts with a standard user opening this handle. The IOCTL codes 0x80002010, 0x80002040, 0x80002044, 0x80002014 and 0x80002018 are the requests the chain uses for registration, executable memory allocation, hook installation and hook execution; user-mode processes other than the product's own components sending them to this device should be treated as an indicator of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
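The following PowerShell is an added example, not code from this advisory or from MalwareFox. It checks the two preconditions of the chain described above (the zam64.sys/zam32.sys driver is loaded, and the device \\.\ZemanaAntiMalware can be opened from a non-elevated process) and implements the disable-the-driver workaround. The device path and image names are taken from the advisory; the driver's service name is not given there, so it is discovered from the image path. The function names, the ZamNative wrapper type and the result strings are assumptions of this example. It sends no IOCTLs to the driver; it only tests whether the handle can be obtained.

```powershell
# Added example for PT-2021-7812 / CVE-2021-31728 (not the advisory's or the vendor's code).
# Assumed from the advisory: device \\.\ZemanaAntiMalware, images zam64.sys / zam32.sys.
# Assumed by this example: the service name is found via Win32_SystemDriver.PathName.

$NativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class ZamNative {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
if (-not ('ZamNative' -as [type])) { Add-Type -TypeDefinition $NativeSource }

function Get-ZamDriver {
    # Kernel-mode services whose image is zam64.sys or zam32.sys, whatever the service is named.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'zam(64|32)\.sys$' } |
        Select-Object Name, State, StartMode, PathName
}

function Test-ZamDeviceAccess {
    # Returns 'Opened', 'AccessDenied', 'NotPresent' or 'Error:<win32 code>'.
    # 'Opened' from a non-elevated shell is exactly the precondition the exploit chain
    # needs: any user can reach the driver's IOCTL interface.
    param([string]$DevicePath = '\\.\ZemanaAntiMalware')
    $GENERIC_READ  = 0x80000000; $GENERIC_WRITE = 0x40000000
    $FILE_SHARE_READ_WRITE = 0x3; $OPEN_EXISTING = 3
    $h = [ZamNative]::CreateFileW($DevicePath, ($GENERIC_READ -bor $GENERIC_WRITE),
            $FILE_SHARE_READ_WRITE, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.ToInt64() -ne -1) { [void][ZamNative]::CloseHandle($h); return 'Opened' }
    switch ($err) {
        5       { return 'AccessDenied' }   # ERROR_ACCESS_DENIED: device exists, DACL blocks us
        2       { return 'NotPresent' }     # ERROR_FILE_NOT_FOUND: driver not loaded
        default { return "Error:$err" }
    }
}

function Disable-ZamDriver {
    # Advisory workaround: set the driver service(s) to start=disabled. Needs an elevated
    # shell, takes effect after reboot, and disables the product's kernel component.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($drv in Get-ZamDriver) {
        if ($PSCmdlet.ShouldProcess($drv.Name, 'sc.exe config start= disabled')) {
            sc.exe config $drv.Name start= disabled | Out-Null
        }
    }
}

# Run the checks. The access test is only meaningful from a standard-user shell.
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
            ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Get-ZamDriver | Format-Table -AutoSize
$result = Test-ZamDeviceAccess
if ($elevated -and $result -eq 'Opened') {
    Write-Warning 'Shell is elevated; repeat the check as a standard user to judge exposure.'
}
"Device \\.\ZemanaAntiMalware: $result"
```

Run the script as a standard user first: 'Opened' means the device is reachable by unprivileged code and the workaround has not been applied; 'AccessDenied' means a DACL on the device object now blocks the first step of the chain; 'NotPresent' means the driver is not loaded. Disable-ZamDriver -WhatIf lists the service names it would change without touching them; run it from an elevated shell without -WhatIf to apply the workaround, then reboot and re-run the access test.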
Exploit
Improper Access Control
Related Identifiers
Affected Products
Malwarefox Antimalware