CVE-2018-3971 - OpenCVE

An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP request to trigger this vulnerability.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Sophos	Hitmanpro.alert

Configuration 1 [-]

cpe:2.3:a:sophos:hitmanpro.alert:3.7.6.744:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/105743	Broken Link Third Party Advisory VDB Entry
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0636	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: talos

Published: 2018-10-25T00:00:00

Updated: 2022-04-19T18:07:14

Reserved: 2018-01-02T00:00:00

Link: CVE-2018-3971

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-10-25T18:29:00.427

Modified: 2023-02-02T13:43:23.640

Link: CVE-2018-3971

JSON object: View

Redhat Information

No data.

CWE

CWE-123

{"containers": {"cna": {"affected": [{"product": "Sophos", "vendor": "Talos", "versions": [{"status": "affected", "version": "Sophos HitmanPro.Alert - hmpalert.sys 3.7.6.744 - Windows 7 x86"}]}], "datePublic": "2018-10-25T00:00:00", "descriptions": [{"lang": "en", "value": "An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP request to trigger this vulnerability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "write-what-where condition", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T18:07:14", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos"}, "references": [{"name": "105743", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105743"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0636"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "talos-cna@cisco.com", "DATE_PUBLIC": "2018-10-25T00:00:00", "ID": "CVE-2018-3971", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Sophos", "version": {"version_data": [{"version_value": "Sophos HitmanPro.Alert - hmpalert.sys 3.7.6.744 - Windows 7 x86"}]}}]}, "vendor_name": "Talos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP request to trigger this vulnerability."}]}, "impact": {"cvss": {"baseScore": 9.3, "baseSeverity": "Critical", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "write-what-where condition"}]}]}, "references": {"reference_data": [{"name": "105743", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105743"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0636", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0636"}]}}}}, "cveMetadata": {"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2018-3971", "datePublished": "2018-10-25T00:00:00", "dateReserved": "2018-01-02T00:00:00", "dateUpdated": "2022-04-19T18:07:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sophos:hitmanpro.alert:3.7.6.744:*:*:*:*:*:*:*", "matchCriteriaId": "E84ED4F7-9CBE-4E15-B862-7E64A2F6922D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP request to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad explotable de escritura arbitraria en la funcionalidad de manejo de llamadas IOCTL 0x2222CC de Sophos HitmanPro.Alert 3.7.6.744. Una petici\u00f3n IRP especialmente manipulada puede provocar que el controlador escriba datos en una direcci\u00f3n controlada por un atacante, lo que resulta en una corrupci\u00f3n de memoria. Un atacante puede enviar una petici\u00f3n IRP para provocar esta vulnerabilidad."}], "id": "CVE-2018-3971", "lastModified": "2023-02-02T13:43:23.640", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "talos-cna@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-25T18:29:00.427", "references": [{"source": "talos-cna@cisco.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105743"}, {"source": "talos-cna@cisco.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0636"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-123"}], "source": "nvd@nist.gov", "type": "Primary"}]}