Vulnerability Notice - eScan Antivirus
CVE NUMBER
CVE-2024-28519
CVSS SCORE
7.3 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUMMARY
Our reverse engineering team discovered a kernel handle leak vulnerability in the latest version of eScan Antivirus. The vulnerability can be abused, for example, for privilege escalation on a local system. The vulnerability has been reported to Microworld Technologies (owner of eScan Antivirus) via our Coordinated Vulnerability Disclosure (CVD) program.
Impacted Versions
At least the following version is affected (and likely also lower versions).
- ProcObsrvesx.sys kernel driver version 4.0.0.49.
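To check whether a host carries the driver version listed above, the following added example (not code from Northwave or Microworld Technologies) reads the file version of ProcObsrvesx.sys and compares it with 4.0.0.49. It assumes the driver is either registered as a system driver or located in the default System32\drivers directory; the function and variable names are hypothetical.

```powershell
# Added example (not from the advisory): inventory check for the named driver.
$DriverFile   = 'ProcObsrvesx.sys'     # file name taken from the advisory
$AffectedUpTo = [version]'4.0.0.49'    # version taken from the advisory

function Get-DriverFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Use the numeric parts; the FileVersion string is free-form text.
    [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
}

function Find-AdvisoryDriver {
    $paths = @()
    # Drivers registered with the service control manager.
    $paths += Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$DriverFile" } |
        ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }
    # Assumption: default driver directory, in case no service entry exists.
    $paths += Join-Path $env:SystemRoot "System32\drivers\$DriverFile"

    $paths | Sort-Object -Unique |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            $version = Get-DriverFileVersion -Path $_
            $status = if ($version -eq $AffectedUpTo) {
                'Affected (version listed in the advisory)'
            } elseif ($version -lt $AffectedUpTo) {
                'Likely affected (lower than the listed version)'
            } else {
                # The advisory does not state the fixed version number.
                'Newer than the listed version; confirm the fix with the vendor'
            }
            [pscustomobject]@{ Path = $_; Version = $version; Status = $status }
        }
}

Find-AdvisoryDriver | Format-Table -AutoSize
```

No output means the driver file was not found in either location.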
DETAILS
The vulnerable component is ProcObsrvesx.sys, a kernel driver that helps the antivirus solution close handles in processes. There is at least one kernel handle leak present in the driver, which can be triggered from a low-privileged user context. This is due to the driver device being accessible by everyone on the local system. The kernel handle leak can be abused to obtain privilege escalation by abusing existing handles of any process running on the local system.
TIMELINE
- 21-02-2024 - Initial notice to and request for security contact.
- 21-02-2024 - First reply from Microworld Technologies requesting more information.
- 21-02-2024 - Sent full vulnerability details to the Microworld Technologies security team.
- 31-03-2024 - Microworld Technologies notified Northwave about the patch version.
- 21-05-2024 - Planned public release of our blog post.
REFERENCE
The eScan Antivirus software: https://www.escanav.com/en/index.asp
CREDIT
Discovered by Tijme Gommers, Jan-Jaap Korpershoek and Alex Oudenaarden of Northwave Cyber Security
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.