Marcin Noga of Cisco Talos discovered this vulnerability.

Overview

Cisco Talos is disclosing an information leak vulnerability in the ccSetx86.sys kernel driver of Symantec Endpoint Protection Small Business Edition. The vulnerability exists in the driver’s control message handler. An attacker can send specially crafted requests to cause the driver to return uninitialized chunks of kernel memory, potentially leaking sensitive information, such as privileged tokens or kernel memory addresses that may be used to bypass kernel security mitigations. An unprivileged user can run a program from user mode to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Talos worked with Symantec to ensure that a patch is available for this vulnerability.

Vulnerability Details

Symantec Endpoint Protection Small Business Edition ccSetx86.sys 0x224844 kernel memory information disclosure vulnerability (TALOS-2018-0693/CVE-2018-18366)

The kernel memory leak is located in the IOCTL handler for the `0x224844` control code of the driver version 16.0.0.77. An attacker could trigger this vulnerability by sending malicious IOCTL requests to the ccSet_{F7A725B7-8267-494C-9647-F4FC1D53C6A3} device. The default access control for the device allows any user on the system to send IOCTL requests to the driver.

A full technical advisory, including proof of concept code, is available here.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48209, 48210