CVE-2018-6772 in Jiangmininfo

Summary

by MITRE

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008208.


Analysis

by VulDB Data Team • 02/02/2021

The vulnerability identified as CVE-2018-6772 affects Jiangmin Antivirus version 16.0.0.100 and is a critical security flaw in the kernel-mode driver component KrnlCall.sys. This driver runs at the highest privilege level in the Windows operating system, which makes it an attractive target for exploitation and a significant concern for system stability and security. The flaw lies in the driver's handling of IOCTL (Input/Output Control) requests, specifically the control code 0x99008208, whose input parameters are not properly validated. Because the driver does not validate them, a local user can supply crafted input parameters that trigger unexpected behavior in kernel space.

The technical flaw is that the driver fails to validate the input parameters it receives through this IOCTL interface; it is categorized as an input validation weakness (CWE-20) rather than a classic buffer overflow as such. The weakness allows local users to influence the driver's behavior by sending malformed or unexpected data through the IOCTL call, bypassing the checks that should occur at the kernel level. When the driver processes these unvalidated inputs, the result can be memory corruption, invalid memory access, or other kernel-level errors that lead to system instability. Because the faulting code runs in kernel mode, the error undermines the kernel's ability to maintain consistent state and sound memory management, which makes it particularly dangerous for system integrity.
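The unvalidated IOCTL handling described above, shown as an added example that is not Jiangmin's code and is not taken from this page. It is a user-mode C model of a METHOD_BUFFERED dispatch routine: the first handler trusts the caller-declared lengths and the index field in the way the advisory describes, the second checks input length, output length and every value that selects memory before touching anything. Only the control code 0x99008208 comes from the page; the request structure, the record table, the flag bit and the function names are hypothetical stand-ins, since the real KrnlCall.sys request format is not documented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* NTSTATUS-style codes, with the values Windows uses for them. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)

/* The control code is the one named in the advisory. The request layout,
 * record table and flag bit are hypothetical: KrnlCall.sys's real format is
 * not on the page. */
#define IOCTL_EXAMPLE 0x99008208u

typedef struct {
    uint32_t record_index;   /* hypothetical: selects one internal record */
    uint32_t flags;          /* hypothetical option bits */
} EXAMPLE_REQUEST;
#define EXAMPLE_FLAGS_KNOWN 0x1u

#define RECORD_SIZE  8
#define RECORD_COUNT 4
static const uint8_t g_records[RECORD_COUNT][RECORD_SIZE] = {   /* constructed data */
    {0,0,0,0,0,0,0,0}, {1,1,1,1,1,1,1,1}, {2,2,2,2,2,2,2,2}, {3,3,3,3,3,3,3,3}
};

/* The parts of a METHOD_BUFFERED request a dispatch routine actually inspects. */
typedef struct {
    uint32_t control_code;
    void    *system_buffer;        /* single shared in/out buffer */
    size_t   input_buffer_length;  /* declared by the caller */
    size_t   output_buffer_length; /* declared by the caller */
    size_t   information;          /* bytes returned, set by the handler */
} IOCTL_REQUEST;

/* The pattern the advisory describes: caller-controlled values used unchecked.
 * A short input buffer is read past its end, and record_index indexes
 * g_records wherever the caller points it. Never feed this malformed input. */
NTSTATUS handle_ioctl_unvalidated(IOCTL_REQUEST *req)
{
    if (req->control_code != IOCTL_EXAMPLE)
        return STATUS_INVALID_DEVICE_REQUEST;
    EXAMPLE_REQUEST *in = (EXAMPLE_REQUEST *)req->system_buffer;
    memcpy(req->system_buffer, g_records[in->record_index], RECORD_SIZE);
    req->information = RECORD_SIZE;
    return STATUS_SUCCESS;
}

/* Hardened form: every caller-supplied length and value is checked before use. */
NTSTATUS handle_ioctl_hardened(IOCTL_REQUEST *req)
{
    if (req->control_code != IOCTL_EXAMPLE)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (req->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->input_buffer_length < sizeof(EXAMPLE_REQUEST))   /* whole request present? */
        return STATUS_BUFFER_TOO_SMALL;
    if (req->output_buffer_length < RECORD_SIZE)              /* room for the reply? */
        return STATUS_BUFFER_TOO_SMALL;
    /* Copy to a local first so the bytes checked are the bytes used (matters
     * most for METHOD_NEITHER, where the buffer is user memory). */
    EXAMPLE_REQUEST in;
    memcpy(&in, req->system_buffer, sizeof in);
    if (in.record_index >= RECORD_COUNT)                      /* bounds on the selector */
        return STATUS_INVALID_PARAMETER;
    if (in.flags & ~EXAMPLE_FLAGS_KNOWN)                      /* reject unknown bits */
        return STATUS_INVALID_PARAMETER;
    memcpy(req->system_buffer, g_records[in.record_index], RECORD_SIZE);
    req->information = RECORD_SIZE;
    return STATUS_SUCCESS;
}

/* Submit a constructed request to the hardened handler; on success the reply
 * is copied into *out (RECORD_SIZE bytes) when out is non-NULL. */
static NTSTATUS submit(uint32_t code, uint32_t index, uint32_t flags,
                       size_t in_len, size_t out_len, uint8_t out[RECORD_SIZE])
{
    uint8_t buffer[64] = {0};
    EXAMPLE_REQUEST r = { index, flags };
    memcpy(buffer, &r, sizeof r);
    IOCTL_REQUEST req = { code, buffer, in_len, out_len, 0 };
    NTSTATUS st = handle_ioctl_hardened(&req);
    if (st == STATUS_SUCCESS && out != NULL)
        memcpy(out, buffer, RECORD_SIZE);
    return st;
}

/* Constructed cases: one well-formed request and four malformed ones. */
NTSTATUS case_valid(void)        { return submit(IOCTL_EXAMPLE, 2, 1, sizeof(EXAMPLE_REQUEST), RECORD_SIZE, NULL); }
NTSTATUS case_short_input(void)  { return submit(IOCTL_EXAMPLE, 2, 1, 3, RECORD_SIZE, NULL); }
NTSTATUS case_short_output(void) { return submit(IOCTL_EXAMPLE, 2, 1, sizeof(EXAMPLE_REQUEST), 4, NULL); }
NTSTATUS case_bad_index(void)    { return submit(IOCTL_EXAMPLE, 0xFFFFFFFFu, 1, sizeof(EXAMPLE_REQUEST), RECORD_SIZE, NULL); }
NTSTATUS case_bad_flags(void)    { return submit(IOCTL_EXAMPLE, 2, 0x80, sizeof(EXAMPLE_REQUEST), RECORD_SIZE, NULL); }

/* 1 if the well-formed request returned record 2 intact. */
int case_valid_payload_ok(void)
{
    uint8_t out[RECORD_SIZE];
    if (submit(IOCTL_EXAMPLE, 2, 1, sizeof(EXAMPLE_REQUEST), RECORD_SIZE, out) != STATUS_SUCCESS)
        return 0;
    return memcmp(out, g_records[2], RECORD_SIZE) == 0;
}

int main(void)
{
    printf("valid=0x%08X short_input=0x%08X bad_index=0x%08X payload_ok=%d\n",
           (unsigned)case_valid(), (unsigned)case_short_input(),
           (unsigned)case_bad_index(), case_valid_payload_ok());
    return 0;
}
```

The three checks in the hardened handler (input length against the request structure, output length against the reply, a range check on every caller-chosen selector) are the ones a real IRP_MJ_DEVICE_CONTROL handler applies to Parameters.DeviceIoControl.InputBufferLength and OutputBufferLength from the IRP's stack location; with METHOD_NEITHER the buffers are user memory and must additionally be probed and captured before validation.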

The operational impact goes beyond a simple denial of service: system crashes and blue screen of death (BSOD) conditions can disrupt normal business operations. A local attacker with limited privileges can use the flaw to crash the system outright or, depending on the exact nature of the memory corruption, potentially escalate privileges to kernel level. The "unspecified other impact" in the CVE description indicates that, beyond the immediate BSOD, there may be further security consequences, including potential privilege escalation or information disclosure, available to a sophisticated attacker. The vulnerability directly violates the principle of least privilege and can undermine the security model of the entire operating system.

Mitigation for CVE-2018-6772 should prioritize updating the affected Jiangmin Antivirus software to version 16.0.101 or later, which contains the necessary input validation fixes. System administrators should monitor for unusual IOCTL activity patterns and consider temporarily disabling the vulnerable driver component if the update cannot be deployed immediately. The vulnerability maps to ATT&CK technique T1068, 'Exploitation for Privilege Escalation', and to T1490, 'Inhibit System Recovery', through the system crash condition. Organizations should also assess their endpoint protection solutions for similar validation flaws in other security software components. Network segmentation and privilege separation can limit the potential impact of such vulnerabilities, while regular security updates and vulnerability assessments remain critical to maintaining a secure computing environment. The case demonstrates the importance of proper kernel-mode input validation and highlights the risk of insufficient security testing of driver components in security software.

Reservation

02/06/2018

Disclosure

02/06/2018

Moderation

accepted

CPE

ready

EPSS

0.00406

KEV

no

Activities

very low
