Wednesday, 13 September 2017

On 16:24 by admin in    No comments
A vulnerability classified as problematic was found in Sophos SurfRight HitmanPro up to 3.7. This vulnerability affects an unknown function of the component Driver. The manipulation with an unknown input leads to a information disclosure vulnerability (Kernel Memory). The CWE definition for the vulnerability is CWE-200. As an impact it is known to affect confidentiality.

The weakness was disclosed 09/13/2017. This vulnerability was named CVE-2017-7441 since 04/05/2017. The attack needs to be approached locally. A single authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

Upgrading to version 3.7.20 Build 286 eliminates this vulnerability.

CVSSv3

VulDB Base Score3.3
VulDB Temp Score3.2
VulDB VectorCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:X
VulDB Reliability: High

CVSSv2

VectorComplexityAuthenticationConfidentialityIntegrityAvailability
LocalHighMultipleNoneNoneNone
AdjacentMediumSinglePartialPartialPartial
NetworkLowNoneCompleteCompleteComplete
VulDB Base Score1.5 (CVSS2#AV:L/AC:M/Au:S/C:P/I:N/A:N)
VulDB Temp Score1.3 (CVSS2#E:ND/RL:OF/RC:ND)
VulDB Reliability: High

CPE

  • cpe:/a:sophos:surfright_hitmanpro:3.0
  • cpe:/a:sophos:surfright_hitmanpro:3.1
  • cpe:/a:sophos:surfright_hitmanpro:3.2
  • cpe:/a:sophos:surfright_hitmanpro:3.3
  • cpe:/a:sophos:surfright_hitmanpro:3.4
  • cpe:/a:sophos:surfright_hitmanpro:3.5
  • cpe:/a:sophos:surfright_hitmanpro:3.6
  • cpe:/a:sophos:surfright_hitmanpro:3.7

Exploiting

Class: Information disclosure / Kernel Memory (CWE-200)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day$0-$5k$5k-$25k$25k-$100k$100k-$500k
Today$0-$5k$5k-$25k$25k-$100k$100k-$500k


Countermeasures

Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found

Upgrade: SurfRight HitmanPro 3.7.20 Build 286

Timeline

04/05/2017   CVE assigned
09/13/2017  +161 days Advisory disclosed
09/13/2017  +0 days VulDB entry created
09/13/2017  +0 days VulDB last update

Sources


CVE: CVE-2017-7441 (mitre.org) (nvd.nist.org) (cvedetails.com)

0 comments:

Post a Comment