Main Vulnerability Database SB2018042102

SB2018042102 - Security restrictions bypass in 7-zip

Published: April 21, 2018 Updated: December 27, 2021

Security Bulletin ID SB2018042102

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security restrictions bypass (CVE-ID: CVE-2018-10172)

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to improper security restrictions when using the large memory pages option. When using this option, the SeLockMemoryPrivilege privilege is added to the current user account using the LsaAddAccountRights function, which allows other applications on the system access to that privilege. A local attacker can execute an application on the system, which can run with SeLockMemoryPrivilege privileges, and bypass access restrictions.

Remediation

Install update from vendor's website.

References

https://sourceforge.net/p/sevenzip/discussion/45797/thread/e730c709/?limit=25&page=1#b240