Filtered by vendor Sophos
Subscriptions
Total
160 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-16118 | 1 Sophos | 2 Sfos, Xg Firewall | 2024-08-05 | N/A |
| A shell escape vulnerability in /webconsole/APIController in the API Configuration component of Sophos XG firewall 17.0.8 MR-8 allows remote attackers to execute arbitrary OS commands via shell metachracters in the "X-Forwarded-for" HTTP header. | ||||
| CVE-2018-16116 | 1 Sophos | 2 Sfos, Xg Firewall | 2024-08-05 | N/A |
| SQL injection vulnerability in AccountStatus.jsp in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary SQL commands via the "username" GET parameter. | ||||
| CVE-2018-16117 | 1 Sophos | 2 Sfos, Xg Firewall | 2024-08-05 | 8.8 High |
| A shell escape vulnerability in /webconsole/Controller in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary OS commands via shell metacharacters in the "dbName" POST parameter. | ||||
| CVE-2018-9233 | 1 Sophos | 1 Endpoint Protection | 2024-08-05 | N/A |
| Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for password storage in %PROGRAMDATA%\Sophos\Sophos Anti-Virus\Config\machine.xml, which makes it easier for attackers to determine a cleartext password, and subsequently choose unsafe malware settings, via rainbow tables or other approaches. | ||||
| CVE-2018-6857 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer we can control the execution path to the point where the constant 0x12 will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. | ||||
| CVE-2018-6856 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x8020601C. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. | ||||
| CVE-2018-6853 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206024. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. | ||||
| CVE-2018-6852 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer we can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. | ||||
| CVE-2018-6855 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. | ||||
| CVE-2018-6854 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g., 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes. So, even though the driver checks for input/output buffer sizes, it doesn't validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context. | ||||
| CVE-2018-6851 | 1 Sophos | 3 Safeguard Easy Device Encryption Client, Safeguard Enterprise Client, Safeguard Lan Crypt Client | 2024-08-05 | N/A |
| Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206040. By crafting an input buffer we can control the execution path to the point where the constant DWORD 0 will be written to a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM. | ||||
| CVE-2018-6318 | 1 Sophos | 1 Sophos Tester | 2024-08-05 | N/A |
| In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context of the application used to test an exploit or ransomware) the DLL using a payload that runs from NTDLL.DLL (so, it's run in userland), but the driver doesn't perform any validation of this DLL (not its signature, not its hash, etc.). A person can change this DLL in a local way, or with a remote connection, to a malicious DLL with the same name -- and when the product is used, this malicious DLL will be loaded, aka a DLL Hijacking attack. | ||||
| CVE-2018-6319 | 1 Sophos | 1 Sophos Tester | 2024-08-05 | N/A |
| In Sophos Tester Tool 3.2.0.7 Beta, the driver accepts a special DeviceIoControl code that doesn't check its argument. This argument is a memory address: if a caller passes a NULL pointer or a random invalid address, the driver will cause a Blue Screen of Death. If a program or malware does this at boot time, it can cause a persistent denial of service on the machine. | ||||
| CVE-2018-4863 | 1 Sophos | 1 Endpoint Protection | 2024-08-05 | N/A |
| Sophos Endpoint Protection 10.7 allows local users to bypass an intended tamper protection mechanism by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\ registry key. | ||||
| CVE-2019-17059 | 1 Sophos | 2 Cyberoam, Cyberoamos | 2024-08-05 | 9.8 Critical |
| A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles. | ||||
| CVE-2020-36692 | 1 Sophos | 1 Web Appliance | 2024-08-04 | 6.5 Medium |
| A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form that must be manually submitted by the victim while logged in to SWA. | ||||
| CVE-2020-29574 | 1 Sophos | 1 Cyberoamos | 2024-08-04 | 9.8 Critical |
| An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. | ||||
| CVE-2020-25223 | 1 Sophos | 1 Unified Threat Management | 2024-08-04 | 9.8 Critical |
| A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11 | ||||
| CVE-2020-17352 | 1 Sophos | 1 Xg Firewall Firmware | 2024-08-04 | 8.8 High |
| Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. | ||||
| CVE-2020-15504 | 1 Sophos | 1 Xg Firewall Firmware | 2024-08-04 | 9.8 Critical |
| A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix. | ||||