Two security issues in Sophos' malware detection and protection utility HitmanPro.Alert could allow potential attackers to gain elevated privileges, execute code remotely, and read kernel memory contents on targeted machines, as disclosed by Cisco Talos's Marcin Noga.
Both vulnerabilities affect HitmanPro.Alert versions prior to and including the 184.108.40.2064 andhave been patched by Sophos on September 17 following Cisco Talos's initial disclosure on July 23, and have now been publicly disclosed.
The CVE-2018-3971 privilege escalation vulnerability affects the IOCTL-handler function of Sophos's HitmanPro.Alert anti-malware solution, and it allows any system user to write to memory by sending a maliciously crafted IRP request targeting the hmpalert device.
Following the successful exploitation of this security issue, the attacker can take advantage of a memory corruption state to "gain arbitrary code execution and privilege escalation."
Cisco Talos also released a Proof of concept (PoC) designed to demonstrate how the vulnerability can be exploited.
The security issues affecting HitmanPro.Alert's input/output control (IOCTL) message handler have been patched on September 17
The CVE-2018-3970 memory disclosure vulnerability, just like the previous one, resides in the IOCTL handler functionality of Sophos HitmanPro, exploitable using a specially devised IOCTL request any system user can send to the hmpalert device.
"A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure," says Cisco Talos' advisory. "An attacker can send an IRP request to trigger this vulnerability."
After the security issue is exploited, a potential attacker will receive privileged kernel memory contents, five bytes of leaked kernel memory to be more exact.
This second security bug also comes with its own PoC published by Marcin Noga of Cisco Talos, the researcher who found the two vulnerabilities.
The Sophos HitmanPro.Alert kernel memory disclosure and RCE/privilege escalation vulnerabilities have been patched, and all users are advised to update the software to the latest available release.