Level 36
Cisco Talos is disclosing two vulnerabilities in Sophos HitmanPro.Alert, a malware detection and protection tool. Both vulnerabilities lie in the input/output control (IOCTL) message handler. One could allow an attacker to read kernel memory contents, while the other allows code execution and privilege escalation.

Vulnerability Details

TALOS-2018-0635 (CVE-2018-3970) - HitmanPro.Alert hmpalert Kernel Memory Disclosure Vulnerability.

An exploitable memory disclosure vulnerability exists in the IOCTL-handler function of Sophos HitmanPro.Alert, version A specially crafted IOCTL request sent by any user on the system to the hmpalert device results in the contents from the privileged kernel memory returning to the user. You can read the full details of the vulnerability here.

Source: Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Vulnerability Spotlight: TALOS-2018-0635/0636 - Sophos HitmanPro.Alert memory disclosure and code execution vulnerabilities
Last edited by a moderator:

Eddie Morra

Hope they resolve soon.
They have already resolved it. It took them roughly 2 months to patch.

2018-07-23 - Vendor Disclosure
2018-09-17 - Vendor Patched
2018-10-25 - Public Release

For starters, patching it could have been started by slapping on some security for the device object and only using it from privileged user-mode process(es). That would be an ideal starting place.

Applying Security Descriptors on the Device Object - Windows drivers

I'm speechless.