Vulnerability Spotlight: Multiple Vulnerabilities in WIBU-SYSTEMS WibuKey.sys

TalosIntelligence




These vulnerabilities were discovered by Marcin 'Icewall' Noga of Cisco Talos.

Executive Summary


WibuKey is a Digital Rights Management (DRM) solution that has been used in a large number of solutions such as Straton, Archicad, GRAPHISOFT, V-Ray and others. It has been leveraged by over 3,000 companies around the world to protect intellectual property and other digital content. Cisco Talos recently discovered multiple vulnerabilities in WibuKey that could be leveraged by an attacker to disclose potentially sensitive information, perform privilege escalation, or obtain arbitrary code execution on affected systems.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Wibu Systems to ensure that these issues are resolved and that a software update is available for affected customers. It is recommended that this update be applied as quickly as possible to ensure that systems are no longer affected by these vulnerabilities.


Vulnerability details


WIBU-SYSTEMS WibuKey.sys 0x8200E804 Kernel Memory Information Disclosure Vulnerability (TALOS-2018-0657 / CVE-2018-3989)


An exploitable kernel memory disclosure vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400). A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. For additional details, please see the advisory here.

WIBU-SYSTEMS WibuKey.sys 0x8200E804 Pool Corruption Privilege Escalation Vulnerability (TALOS-2018-0658 / CVE-2018-3990)


An exploitable pool corruption vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400). A specially crafted IRP request can cause a buffer overflow, resulting in kernel memory corruption. For additional details, please see the advisory here.

WIBU-SYSTEMS WibuKey Network Server Management WkbProgramLow Remote Code Execution Vulnerability (TALOS-2018-0659 / CVE-2018-3991)


An especially critical exploitable heap overflow vulnerability exists in the WkbProgramLow function of WibuKey Network server management. A specially crafted TCP packet can cause a heap overflow and allow for remote kernel-level code execution. For additional details, please see the advisory here.

Versions tested


WIBU-SYSTEMS WibuKey Network server management 6.40.2402.500





Coverage


The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47729, 47750-47751
