CVE-2018-6852
https://notcve.org/view.php?id=CVE-2018-6852
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer we can control the execution path to the point where the nt!memset function is called to zero out the contents at a user-controlled address. We can take advantage of this condition to zero out the pointer to the security descriptor in the object header of a privileged process, or modify the security descriptor itself, and run code in the context of a process running as SYSTEM. • http://seclists.org/fulldisclosure/2018/Jul/20 https://community.sophos.com/kb/en-us/131934 https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2016-8732
https://notcve.org/view.php?id=CVE-2016-8732
Multiple security flaws exist in InvProtectDrv.sys, which is part of Invincea Dell Protected Workspace 5.1.1-22303. Weak restrictions on the driver communication channel and insufficient additional checks allow any application to turn off some of the protection mechanisms provided by the Invincea product. • http://www.securityfocus.com/bid/99360 https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0246 • CWE-275: Permission Issues
CVE-2016-9038
https://notcve.org/view.php?id=CVE-2016-9038
An exploitable double fetch vulnerability exists in the SboxDrv.sys driver of Invincea-X 6.1.3-24058. A specially crafted input buffer combined with a race condition (the driver reads a field from the shared user buffer once to validate it and again to use it) can result in kernel memory corruption, which could lead to privilege escalation. An attacker needs to run a specially crafted application locally to trigger this vulnerability. • http://www.securityfocus.com/bid/99360 https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0256 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
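The two driver bugs above (the user-controlled memset target in CVE-2018-6852 and the double-fetched field in CVE-2016-9038) share one root cause: the IOCTL handler uses values straight out of a buffer the caller still controls. The following is an added example, not code from Sophos, Invincea, Talos or Nettitude, and not either vendor's patch: a user-mode Python model of such a handler next to the standard fix (copy the header into locals once, bound the length, probe the whole destination range against the caller's address space). Memory is a bytearray, addresses are offsets into it, every constant (USER_HI, REQ, KERNEL_OBJ, MAX_LEN) is invented for the model, and the racing user thread is simulated deterministically by a hook that runs inside the window between the two reads.

```python
"""Added example, not code from Sophos, Invincea, Talos or Nettitude: a
user-mode model of two IOCTL input-handling bugs.  Memory is a bytearray,
addresses are offsets into it, and the racing user thread of a double fetch
is simulated by a hook that runs inside the window between the two reads."""
import struct
from typing import Callable, Optional, Tuple

# All of these constants are invented for the model.
MEM_SIZE = 0x1000
USER_LO, USER_HI = 0x000, 0x800      # range the caller is allowed to hand to the driver
REQ = 0x100                          # where the caller's IOCTL input buffer sits (user range)
KERNEL_OBJ = 0x900                   # an "object header" above the user range
MAX_LEN = 64                         # largest clear the IOCTL is meant to perform
HDR = struct.Struct("<II")           # input buffer layout: u32 length, u32 destination
Hook = Optional[Callable[[bytearray], None]]


class Fault(Exception):
    """A rejected request or a bug check, depending on who raises it."""


def fresh_memory() -> bytearray:
    mem = bytearray(MEM_SIZE)
    mem[KERNEL_OBJ:KERNEL_OBJ + 16] = b"\xAA" * 16   # e.g. the security-descriptor pointer field
    return mem


def kmemset(mem: bytearray, dst: int, n: int) -> None:
    """Stand-in for nt!memset: zeroes n bytes at dst, wherever dst points."""
    if dst + n > MEM_SIZE:
        raise Fault("bug check: write past end of memory")
    mem[dst:dst + n] = bytes(n)


def vulnerable_handler(mem: bytearray, race: Hook = None) -> None:
    length, _ = HDR.unpack_from(mem, REQ)            # fetch 1: used only to validate
    if length > MAX_LEN:
        raise Fault("length rejected")
    if race:
        race(mem)                                    # a racing user thread lands here
    length, dst = HDR.unpack_from(mem, REQ)          # fetch 2: the value actually used
    # BUG (CVE-2016-9038 pattern): `length` may no longer be the validated one.
    # BUG (CVE-2018-6852 pattern): `dst` is trusted without probing it against
    # the user range, so the caller picks any address, kernel objects included.
    kmemset(mem, dst, length)


def hardened_handler(mem: bytearray, race: Hook = None) -> None:
    length, dst = HDR.unpack_from(mem, REQ)          # single fetch: copy to locals, never re-read
    if race:
        race(mem)                                    # same window; the rewrite now changes nothing
    if length > MAX_LEN:
        raise Fault("length rejected")
    if not (USER_LO <= dst and dst + length <= USER_HI):   # ProbeForWrite analogue: whole range
        raise Fault("destination outside caller's range")
    kmemset(mem, dst, length)


def run(handler, length: int, dst: int, raced_length: Optional[int] = None) -> Tuple[str, bytes]:
    """Issue one IOCTL against fresh memory.  Returns ('ok' or 'fault: ...',
    the 16 bytes of the kernel object afterwards)."""
    mem = fresh_memory()
    HDR.pack_into(mem, REQ, length, dst)
    race: Hook = None
    if raced_length is not None:
        # The attacker's second thread rewrites the header after validation.
        race = lambda m: HDR.pack_into(m, REQ, raced_length, dst)
    try:
        handler(mem, race)
        outcome = "ok"
    except Fault as e:
        outcome = f"fault: {e}"
    return outcome, bytes(mem[KERNEL_OBJ:KERNEL_OBJ + 16])


def kernel_object_intact(obj: bytes) -> bool:
    return obj == b"\xAA" * 16


if __name__ == "__main__":
    # 1. Trusted pointer: aim the clear straight at the kernel object.
    print("ptr  vuln:", run(vulnerable_handler, 8, KERNEL_OBJ))
    print("ptr  hard:", run(hardened_handler, 8, KERNEL_OBJ))
    # 2. Double fetch: a legal 8-byte clear at the top of the user range is
    #    validated, then the length is raced up to 0x110 so the write runs
    #    on past USER_HI into the kernel object.
    print("race vuln:", run(vulnerable_handler, 8, USER_HI - 8, raced_length=0x110))
    print("race hard:", run(hardened_handler, 8, USER_HI - 8, raced_length=0x110))
```

Two things to notice when reading the hardened handler: the probe covers `dst + length`, not just `dst`, so a destination that starts inside the user range but runs past its end is rejected, and it is computed from the same local `length` that is later passed to the memset, so no re-read of the shared buffer can desynchronise the two. In a real driver the header would be copied out with a single read under `__try`/`__except` after `ProbeForRead`, and the destination checked with `ProbeForWrite` on the full range.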
CVE-2018-9233 – Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption
https://notcve.org/view.php?id=CVE-2018-9233
Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for password storage in %PROGRAMDATA%\Sophos\Sophos Anti-Virus\Config\machine.xml, which makes it easier for attackers to determine the cleartext password, and subsequently choose unsafe malware settings, via rainbow tables or other approaches. The control panel authentication hashes the Unicode-encoded password with SHA-1 and no salt; because nothing per-installation enters the hash, an attacker who obtains the stored value can run a much faster cracking attack with a precomputed dictionary such as a rainbow table, and one such table serves against every installation. • https://www.exploit-db.com/exploits/44411 http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-CONTROL-PANEL-v10.7-INSECURE-CRYPTO-CVE-2018-9233.txt http://seclists.org/fulldisclosure/2018/Apr/7 • CWE-916: Use of Password Hash With Insufficient Computational Effort
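What "unsalted" costs in practice, as an added example that is not code from the advisory, Sophos or hyp3rlinx: the weak scheme as the advisory describes it, a table precomputed once over a constructed wordlist (a plain dictionary standing in for a rainbow table, which is the same idea with a time/memory trade-off), and a salted, iterated alternative that the same table cannot touch. The UTF-16LE encoding of the password and the hex framing are assumptions; the advisory says only "unsalted unicoded SHA1" and does not describe how machine.xml frames the value.

```python
"""Added example (not the advisory's or Sophos' code): an unsalted SHA-1
password hash versus a salted, iterated one, and why only the first can be
attacked with a table computed once and reused against every target."""
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# ASSUMPTION: the stored value is SHA-1 over the UTF-16LE encoding of the
# password (the advisory says only "unsalted unicoded SHA1"); how the value
# is framed inside machine.xml is not modelled.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-16-le")).hexdigest()

# Constructed candidate list standing in for a rainbow table: whatever the
# attacker precomputed before ever touching a target.
WORDLIST = ["123456", "password", "Welcome1", "Sophos1", "letmein", "P@ssw0rd"]

def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute once.  Nothing per-machine enters weak_hash(), so the same
    table breaks every installation that used one of these passwords."""
    return {weak_hash(w): w for w in words}

def crack_weak(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per target: no hashing at all at attack time."""
    return table.get(stored_hex.lower())

# Hardened storage: random 16-byte salt, PBKDF2-HMAC-SHA256, parameters
# stored alongside the digest so the iteration count can be raised later.
ITERATIONS = 600_000

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)   # constant-time compare

def crack_strong(stored: str, words: Iterable[str]) -> Optional[str]:
    """No precomputation survives the salt: every guess is re-derived against
    this one record at the full iteration cost, and a second record holding
    the same password costs all of it again."""
    for w in words:
        if verify_strong(w, stored):
            return w
    return None

if __name__ == "__main__":
    table = build_table(WORDLIST)              # computed long before the attack
    stored = weak_hash("Sophos1")              # what the on-disk value looks like
    print("weak  :", stored, "->", crack_weak(stored, table))
    a, b = strong_hash("Sophos1"), strong_hash("Sophos1")
    print("strong:", a != b, "(two records, same password, different digests)")
    print("strong:", crack_strong(a, WORDLIST), "(found only by paying per guess)")
```

The weak lookup answers in constant time per target, and a single precomputed table serves every machine that shares one of the candidate passwords. The salted version forces the attacker to pay the full PBKDF2 cost per guess per record, which is the property CWE-916 is about; it still falls to a small wordlist, as the last line shows, so the salt and iteration count raise the price of guessing rather than replace a sensible password policy.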
CVE-2018-4863 – Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass
https://notcve.org/view.php?id=CVE-2018-4863
Sophos Endpoint Protection 10.7 allows local users to bypass the intended tamper protection mechanism by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\ registry key. • https://www.exploit-db.com/exploits/44410 http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt http://seclists.org/fulldisclosure/2018/Apr/6 • CWE-254: 7PK - Security Features