SB2018030105 - Privilege escalation in Macrovision SafeDisc driver for Windows

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2018-7250)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to uninitialized kernel pool allocation in IOCTL 0xCA002813 in secdrv.sys in Macrovision SafeDisc. A local attacker can send a specially-crafted request and obtain 16 bits of uninitialized kernel PagedPool data.

2) Privilege escalation (CVE-ID: CVE-2018-7249)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to use-after-free flaw in secdrv.sys in Macrovision SafeDisc. A local attacker can send two carefully timed calls to IOCTL 0xCA002813, trigger race condition and memory corruption and execute arbitrary code with system privileges.

Remediation

Install update from vendor's website.

References

• https://github.com/Elvin9/SecDrvPoolLeak/blob/master/README.md
• https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-097
• https://github.com/Elvin9/NotSecDrv