Vulnerability Spotlight: Multiple WIBU SYSTEMS WubiKey vulnerabilities

TalosIntelligence

Security / TalosIntelligence 103 Views 0


Marcin "Icewall" Noga of Cisco Talos discovered these vulnerabilities.

Executive Summary


Cisco Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual properties. It allows the users to manage software license via USB key. A third vulnerability is located in userland and can be triggered remotely, as it's located in the network manager.

In accordance with our coordinated disclosure policy, Talos worked with WIBU SYSTEMS to ensure that these issues are resolved and that an update is available for affected customers.



Vulnerabilities Details


WIBU-SYSTEMS network server management remote code execution vulnerability (TALOS-2018-0659/CVE-2018-3991)


This vulnerability is a heap overflow vulnerability located in the WIBU-SYSTEMS WibuKey Network server management. By default, a server is running in Windows system as a service and listens on port 22347. A specially crafted TCP packet sent to this port can be used to exploit this vulnerability.

For additional information, see the full advisory here.

WIBU-SYSTEMS WibuKey.sys privilege escalation vulnerability (TALOS-2018-0658/CVE-2018-3990)


The WIBU-SYSTEMS WibeKey application partially runs in kernel space. The loaded kernel driver is named "WibuKey.sys." The communication between userland et kernel space is possible thanks to the IOCTL handler. The vulnerability is located in the 0x8200E804 IOCTL. A specially crafted IRP request can cause a buffer overflow, resulting in kernel memory corruption. That vulnerability leads to pool corruption and can be turned on by the attacker into arbitrary code execution and privilege escalation.

For additional information, see the full advisory here.

WIBU-SYSTEMS WibuKey.sys kernel memory information disclosure (TALOS-2018-0657/CVE-2018-3989)


The vector of this vulnerability is similar to TALOS-2018-0658. It's located in a different function, but is accessible via the same IOCTL. This vulnerability can allow an attacker to read kernel memory information from the userland.

For additional information, see the full advisory here.

Version Tested


Talos tested and confirmed WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400) - Windows 7 x86 is affected by this vulnerability.

Conclusion


One of the vulnerabilities can be exploited remotely. Due to this vulnerability, an attacker could execute code as administrator on the vulnerable system. The attacker could combine this remote code execution with an additional vulnerability on the same product to execute arbitrary code in kernel space.





Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47750, 47751

Comments