Marcin Noga of Cisco Talos discovered these vulnerabilities.
Cisco Talos is disclosing two vulnerabilities in Sophos HitmanPro.Alert, a malware detection and protection tool. Both vulnerabilities lie in the input/output control (IOCTL) message handler. One could allow an attacker to read kernel memory contents, while the other allows code execution and privilege escalation. Both vulnerabilities were patched by Sophos in version 3.7.9.759.
TALOS-2018-0635 (CVE-2018-3970) - HitmanPro.Alert hmpalert Kernel Memory Disclosure Vulnerability
An exploitable memory disclosure vulnerability exists in the IOCTL-handler function of Sophos HitmanPro.Alert, version 3.7.6.744. A specially crafted IOCTL request sent by any user on the system to the hmpalert device results in the contents of privileged kernel memory being returned to the user. You can read the full details of the vulnerability here.
TALOS-2018-0636 (CVE-2018-3971) - HitmanPro.Alert hmpalert Privilege Escalation Vulnerability
An additional exploitable vulnerability exists in the same IOCTL-handler function of Sophos HitmanPro.Alert, version 3.7.6.744. As with the vulnerability described above, any user on the system can send a specially crafted IOCTL request to the hmpalert device that lets the user write to memory, resulting in remote code execution and privilege escalation. You can read the full details of the vulnerability here.
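As an added illustration of the bug class behind both advisories above (a constructed model, not the vendor's driver code and not Talos's proof of concept), the following contrasts an IOCTL dispatch routine that trusts caller-supplied lengths and callers with one that checks device access and bounds the copy-out to the structure it actually returns. The IOCTL code, status values and `ioctl_req` fields are assumptions standing in for the Windows IRP fields a real driver would read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of a driver's IOCTL dispatch (hypothetical, not
 * HitmanPro.Alert's code). Names, codes and statuses are assumptions. */
#define IOCTL_GET_STATUS          0x222000u
#define STATUS_SUCCESS            0
#define STATUS_BUFFER_TOO_SMALL   1
#define STATUS_ACCESS_DENIED      2
#define STATUS_INVALID_PARAMETER  3

struct status_info { uint32_t version; uint32_t flags; };
/* Kernel state: the struct the driver may expose, followed by data that must
 * never leave kernel mode (stands in for adjacent pool/stack contents). */
static struct { struct status_info info; char secret[16]; } g_kernel =
    { { 3, 0x10 }, "KERNEL-PRIVATE!" };

struct ioctl_req {              /* the fields an IRP hands the dispatch routine */
    uint32_t code;
    int caller_is_admin;        /* models the device object's ACL decision */
    void *out; size_t out_len;  /* caller-controlled output buffer and length */
};
/* Vulnerable pattern: copies as many bytes as the caller asked for. */
int vulnerable_dispatch(struct ioctl_req *r, size_t *returned) {
    if (r->code != IOCTL_GET_STATUS) return STATUS_INVALID_PARAMETER;
    memcpy(r->out, &g_kernel.info, r->out_len);   /* over-reads past info */
    *returned = r->out_len;
    return STATUS_SUCCESS;
}
/* Hardened pattern: restrict who may talk to the device, bound the copy to
 * the size of the structure being returned, and report exactly that size. */
int hardened_dispatch(struct ioctl_req *r, size_t *returned) {
    *returned = 0;
    if (!r->caller_is_admin) return STATUS_ACCESS_DENIED;
    if (r->code != IOCTL_GET_STATUS) return STATUS_INVALID_PARAMETER;
    if (r->out == NULL || r->out_len < sizeof(struct status_info))
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(r->out, &g_kernel.info, sizeof(struct status_info));
    *returned = sizeof(struct status_info);
    return STATUS_SUCCESS;
}
/* Check used by the reader/test: does a 24-byte request expose the secret? */
int leaks_secret(int (*dispatch)(struct ioctl_req *, size_t *), int admin) {
    char buf[24] = {0}; size_t n = 0;
    struct ioctl_req r = { IOCTL_GET_STATUS, admin, buf, sizeof buf };
    dispatch(&r, &n);
    return n > sizeof(struct status_info) &&
           memcmp(buf + sizeof(struct status_info), g_kernel.secret, 16) == 0;
}
```

The same discipline applies to input buffers: a handler that writes through a caller-supplied pointer or past the size of its own configuration structure turns the second advisory's write primitive into a privilege escalation.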
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 47295-47296
To review our Vulnerability Disclosure Policy, please visit this site.