Multiple vulnerabilities in Sophos HitmanPro.Alert



Published: 2018-10-25 | Updated: 2020-08-08
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2018-3970
CVE-2018-3971
CWE-ID CWE-200
CWE-123
Exploitation vector Local
Public exploit N/A
Vulnerable software
HitmanPro.Alert
Client/Desktop applications / Antivirus software/Personal firewalls

Vendor Sophos

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU36480

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-3970

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

A memory disclosure vulnerability exists in the 0x222000 IOCTL handler of the Sophos HitmanPro.Alert 3.7.6.744 driver. A specially crafted IRP causes the driver to return uninitialized kernel memory to the caller, disclosing whatever stale kernel data occupied that memory. A local user who can open a handle to the driver's device object can send such an IRP to trigger the vulnerability.

Mitigation

Install the update from the vendor's website and confirm that the installed HitmanPro.Alert build is no longer 3.7.6.744.

Vulnerable software versions

HitmanPro.Alert: 3.7.6.744

External links

http://www.securityfocus.com/bid/105743
http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0635


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker needs an account on the system (PR:L in the CVSS vector) and must be able to open a handle to the driver's device object in order to issue the IOCTL.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Write-what-where Condition

EUVDB-ID: #VU36481

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-3971

CWE-ID: CWE-123 - Write-what-where Condition

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

An arbitrary write vulnerability exists in the 0x2222CC IOCTL handler of the Sophos HitmanPro.Alert 3.7.6.744 driver. A specially crafted IRP causes the driver to write data to an attacker-controlled address in kernel context, resulting in memory corruption; with both the destination and the written value under the caller's control this is the classic write-what-where primitive (CWE-123). A local user who can open a handle to the driver's device object can send such an IRP to trigger the vulnerability.
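The two bug classes above (uninitialized memory returned through an IOCTL output buffer, CWE-200, and a write to a caller-chosen address, CWE-123) are illustrated by the following user-mode C simulation. It is an added example, not Sophos code: the page does not show the driver's handlers, so the `leaky_handler` / `vuln_write_handler` bodies, the `struct reply` and `struct write_req` layouts, the `g_protected` / `g_user_area` objects and the "probed region" stand-in for `ProbeForWrite` are all hypothetical and only model the vulnerability classes, not what the real driver did. The one part that is factual is `decode_ioctl`, which applies the Windows CTL_CODE field layout to the two IOCTL numbers named in this bulletin: both decode to METHOD_BUFFERED with FILE_ANY_ACCESS, i.e. the I/O manager hands the driver a copy of the user buffer and the code itself requests no particular access right on the handle.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* --- IOCTL code layout (Windows CTL_CODE macro): device type | access | function | method --- */
typedef struct { unsigned device_type, access, function, method; } ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;     /* 0 = FILE_ANY_ACCESS */
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;             /* 0 = METHOD_BUFFERED */
    return f;
}

/* --- Bug class 1 (CWE-200), hypothetical handler: reply struct copied back half-initialized --- */
/* 'frame' models the handler's kernel stack frame; whatever it already holds is stale kernel data. */
struct reply { uint32_t status; uint32_t reserved[3]; };

size_t leaky_handler(struct reply *frame, uint8_t *out) {
    frame->status = 0;                       /* only the first field is ever assigned */
    memcpy(out, frame, sizeof *frame);       /* the 12 stale bytes travel back to user mode */
    return sizeof *frame;
}

size_t fixed_handler(struct reply *frame, uint8_t *out) {
    memset(frame, 0, sizeof *frame);         /* RtlZeroMemory equivalent before populating */
    frame->status = 0;
    memcpy(out, frame, sizeof *frame);
    return sizeof *frame;
}

/* Pre-fill the frame with a recognisable pattern and count how many of those bytes reach 'out'. */
size_t run_disclosure_probe(size_t (*handler)(struct reply *, uint8_t *), uint8_t stale) {
    struct reply frame;
    uint8_t out[sizeof frame];
    memset(&frame, stale, sizeof frame);
    size_t n = handler(&frame, out), leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (out[i] == stale);
    return leaked;
}

/* --- Bug class 2 (CWE-123), hypothetical handler: request carries destination and value --- */
struct write_req { uintptr_t where; uint64_t what; };
enum { STATUS_SUCCESS = 0, STATUS_ACCESS_VIOLATION = 1, STATUS_DATATYPE_MISALIGNMENT = 2 };

int vuln_write_handler(const struct write_req *req) {
    *(uint64_t *)req->where = req->what;     /* trusts a caller-supplied address: write-what-where */
    return STATUS_SUCCESS;
}

/* Hardened form: the destination must lie inside a region the caller is allowed to write.
   In a real driver this is ProbeForWrite against user address space plus the access in __try. */
int safe_write_handler(const struct write_req *req, uintptr_t region, size_t region_len) {
    if (req->where % sizeof(uint64_t) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (region_len < sizeof(uint64_t) || req->where < region ||
        req->where > region + region_len - sizeof(uint64_t))
        return STATUS_ACCESS_VIOLATION;
    *(uint64_t *)req->where = req->what;
    return STATUS_SUCCESS;
}

/* Constructed scenario objects: a value the caller must never modify, and the caller's own buffer. */
static uint64_t g_protected = 0x1111;        /* stands in for a kernel object such as a token */
static uint64_t g_user_area[4];

int demo_vuln_overwrites_protected(void) {
    g_protected = 0x1111;
    struct write_req req = { (uintptr_t)&g_protected, 0x2222 };
    vuln_write_handler(&req);
    return g_protected == 0x2222;            /* 1: the protected object was overwritten */
}

int demo_safe_rejects_protected(void) {
    g_protected = 0x1111;
    struct write_req req = { (uintptr_t)&g_protected, 0x2222 };
    int st = safe_write_handler(&req, (uintptr_t)g_user_area, sizeof g_user_area);
    return st == STATUS_ACCESS_VIOLATION && g_protected == 0x1111;
}

int demo_safe_allows_user_area(void) {
    struct write_req req = { (uintptr_t)&g_user_area[2], 0x3333 };
    int st = safe_write_handler(&req, (uintptr_t)g_user_area, sizeof g_user_area);
    return st == STATUS_SUCCESS && g_user_area[2] == 0x3333;
}

int main(void) {
    ioctl_fields a = decode_ioctl(0x222000), b = decode_ioctl(0x2222CC);
    printf("0x222000: function 0x%X method %u access %u\n", a.function, a.method, a.access);
    printf("0x2222CC: function 0x%X method %u access %u\n", b.function, b.method, b.access);
    printf("leaked bytes: vulnerable=%zu fixed=%zu\n",
           run_disclosure_probe(leaky_handler, 0xAA), run_disclosure_probe(fixed_handler, 0xAA));
    printf("protected object overwritten: vulnerable=%d hardened=%d\n",
           demo_vuln_overwrites_protected(), !demo_safe_rejects_protected());
    return 0;
}
```

The disclosure probe is the same trick a fuzzer uses against a real driver: fill the output buffer with a pattern, issue the IOCTL, and treat any returned bytes that are neither the pattern nor plausible reply fields as leaked kernel data. For the write primitive, the point of the hardened handler is not the specific status codes but that a caller-supplied pointer is never dereferenced until it has been validated against the memory the caller is entitled to touch.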

Mitigation

Install the update from the vendor's website and confirm that the installed HitmanPro.Alert build is no longer 3.7.6.744.

Vulnerable software versions

HitmanPro.Alert: 3.7.6.744

External links

http://www.securityfocus.com/bid/105743
http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0636


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker needs an account on the system (PR:L in the CVSS vector) and must be able to open a handle to the driver's device object in order to issue the IOCTL.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
