Severity: High

  • Zemana AntiMalware (zamguard64.sys, zamguard32.sys) v. <= 3.2.28
  • Zemana AntiLogger (zam64.sys, zam32.sys) v. <= 2.74.204.664

are affected by an Incorrect Access Control vulnerability where IOCTLs 0x8000204C allow a non-privileged user to open a handle to any privileged process running on the machine. A non-privileged user can open a handle to the \.\ZemanaAntiMalware device, register within the driver using IOCTL 0x80002010 and send the IOCTL mentioned above to get a handle to any privileged process. Attackers could exploit this issue by injecting arbitrary code in the context of the privileged process to achieve local privilege escalation in the context of NT AUTHORITY\SYSTEM.

Root Cause Analysis

Severity: High

  • Zemana AntiMalware (zamguard64.sys, zamguard32.sys) v. <= 3.2.28
  • Zemana AntiLogger (zam64.sys, zam32.sys) v. <= 2.74.204.664

are affected by an Incorrect Access Control vulnerability where IOCTLs 0x80002014 and 0x80002018 respectively grant unrestricted disk read/write capabilities. A non-privileged user can open a handle to the \.\ZemanaAntiMalware device, register within the driver using IOCTL 0x80002010 and send the IOCTLs mentioned above to disclose sensitive files on the system or escalate privileges by overwriting the boot sector or critical code in the pagefile

Root Cause Analysis

Severity: High

Wowza Streaming Engine v.<= 4.8.16+1 (build 20211129092949) is vulnerable to the Log4j JNDI injection, affecting the 'j_username' username field, in the login page as well as other HTTP headers. Attackers exploiting this issue will be able to achieve remote code execution (RCE) in the context of the NT AUTHORITY\SYSTEM Windows user managing the service.
All vendors affected by the Log4j vulnerability must use the CVE-2021-44228 when referring to this vulnerability in their own products. At present, MITRE does not offer an option for a vendor to associate its own unique CVE ID with this same underlying vulnerability.

Severity: High

Micro-Star International (MSICenter Pro v. <= 2.0.16.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

  • atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
  • atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
  • MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
  • NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
  • NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
  • NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
  • NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
  • NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
  • NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
  • WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
  • Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

Severity: High

Micro-Star International (MSI) Center v. <= 1.0.31.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

  • atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
  • atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
  • MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
  • NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
  • NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
  • NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
  • NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
  • NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
  • NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
  • WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
  • Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

Severity: High

Micro-Star International (MSIDragon Center v. <= 2.0.116.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

  • atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
  • atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
  • MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
  • NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
  • NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
  • NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
  • NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
  • NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
  • NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
  • WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
  • Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

Severity: High

Micro-Star International (MSI) App Player v. <= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following driver component:

  • NTIOLib_X64.sys - AE3763CBBD21F6E561AC502D2EE7FE8EDFB2292D

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

Severity: High

Crucial by Micron Technology, Inc Ballistix MOD Utility v.<= 2.0.2.5 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the MODAPI.sys driver component.

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
  • Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

Severity: High

NVIDIA GeForce Experience (GFE) v.<= 3.21 is affected by an Arbitrary File Write vulnerability in the GameStream/ShadowPlay plugins, where log files are created using NT AUTHORITY\SYSTEM level permissions, which lead to Command Execution and Elevation of Privileges (EoP).

Root Cause Analysis

Severity: High

FastStone Image Viewer v.<= 7.5 is affected by a user mode Write Access Violation at 0x00402d7d, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Attackers could exploit this issue for a Denial of Service (DoS) or possibly to achieve code execution.