A Cisco Talos researcher discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos researchers recently discovered that a specific driver in the SoftPerfect RAM disk could allow an adversary to delete files on an arbitrary basis and disclose sensitive information. SoftPerfect
RAM Disk is a high-performance RAM disk application that allows the user to store a disk from their computer on the device’s space. An attacker could exploit TALOS-2020-1121 to point to a specific filepath and then delete that file. The other vulnerability could lead to the disclosure of sensitive information.
In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftPerfect to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
SoftPerfect RAM Disk spvve.sys 0x222004 arbitrary file deletion vulnerability (TALOS-2020-1121/CVE-2020-13522)
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability. Read the complete vulnerability advisory here for additional information.
SoftPerfect RAM Disk spvve.sys 0x222024 information disclosure vulnerability (TALOS-2020-1122/CVE-2020-13523)
An exploitable information disclosure vulnerability exists in SoftPerfect's RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability. Read the complete vulnerability advisory here for additional information.
Versions tested Talos tested and confirmed that this vulnerability affects SoftPerfect RAM disk, version 4.1
Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 54581, 54582