CVE-2018-6775 in Jiangmininfo

Summary

by MITRE

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x990081C8.


Analysis

by VulDB Data Team • 01/02/2020

CVE-2018-6775 affects Jiangmin Antivirus 16.0.0.100, specifically its kernel-mode driver KrnlCall.sys. The driver runs in ring 0, so any data it accepts from user mode has to be validated before it is used. The flaw lies in the handling of IOCTL (I/O control) code 0x990081C8: on Windows, a user-mode application reaches a kernel driver by opening the driver's device object and calling DeviceIoControl, and the handler for this code uses the values it receives without checking them. Missing validation at that boundary lets a local user steer kernel-mode behaviour with arbitrary input, which affects both system stability and security.

The weakness is tracked as CWE-129 (Improper Validation of Array Index), a specialisation of CWE-20 (Improper Input Validation) that is common in kernel-mode drivers, where caller-controlled sizes, offsets and pointers decide which memory the driver touches. When a local user sends a crafted request through this IOCTL, the driver fails to check the parameters before processing them, which can lead to out-of-bounds reads or writes, memory corruption or other exploitable conditions. The reported outcome is a blue screen of death (BSOD) at the moment such a request is issued; the system is stable until the crafted IOCTL arrives. The vulnerability is treated as a potential local privilege escalation because any user able to open the driver's device object can reach the flawed code in kernel mode, which is exactly the boundary that separates user mode from the kernel.

The impact is not limited to denial of service. A local attacker can crash the machine with a BSOD, and because the flaw is a memory-safety issue in kernel mode, the "unspecified other impact" in MITRE's description covers the possibility of privilege escalation or arbitrary code execution in kernel space, although no further detail on that is given. This is especially concerning for an antivirus product: its driver has direct access to kernel memory and is loaded on every protected machine, so a flaw in it turns the security tool into an attack surface rather than a protective barrier. The issue affects systems running the vulnerable version of Jiangmin Antivirus where KrnlCall.sys is loaded and its device object is accessible to local users.

Mitigation for CVE-2018-6775 should focus on updating the affected Jiangmin Antivirus installation to version 16.0.0.101 or later, which contains the input validation fix. Where an update cannot be applied immediately, administrators can reduce exposure by restricting who may open the driver's device object (the security descriptor on the device decides which local users can issue IOCTLs at all) and by monitoring for unexpected processes calling DeviceIoControl on the KrnlCall device. The vulnerability illustrates why every kernel-mode IOCTL handler must check the input and output buffer lengths, and any sizes, offsets or pointers embedded in the request, before using them; an attacker who triggers it is carrying out ATT&CK technique T1068 (Exploitation for Privilege Escalation). Organizations should assess their other endpoint protection products for the same class of bug. Application whitelisting limits which local code can reach the interface, and restricting which drivers may load adds defence in depth, but note that the vulnerable driver here is loaded legitimately by the product itself, so neither control replaces the vendor fix.
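To make the handler pattern from the analysis above concrete, the following is an added example written for this page; it is not code from Jiangmin, KrnlCall.sys or VulDB. It first decodes the IOCTL code 0x990081C8 into its CTL_CODE fields (device type 0x9900, function 0x072, METHOD_BUFFERED, FILE_WRITE_ACCESS), then models in user mode a METHOD_BUFFERED handler that trusts a length field inside the caller's buffer next to the same handler with the bounds checks the mitigation paragraph asks for. The request layout (a 32-bit length followed by payload), the handler names and the 0xAA arena standing in for adjacent pool memory are assumptions for illustration; the real KrnlCall.sys request format is not described on this page.

```c
/* Added example (not code from Jiangmin, KrnlCall.sys or VulDB): a user-mode
 * model of a METHOD_BUFFERED IOCTL handler that trusts a caller-supplied
 * length, next to the same handler with the checks a reviewer would expect.
 * The request layout, the handler names and the 0xAA "adjacent pool memory"
 * arena are assumptions; only the CTL_CODE bit layout is real Windows encoding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE(DeviceType, Function, Method, Access) packs as
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method            */
#define METHOD_BUFFERED   0
#define FILE_WRITE_ACCESS 2

struct ctl_code { uint16_t device_type; uint8_t access; uint16_t function; uint8_t method; };

struct ctl_code decode_ctl_code(uint32_t code) {
    struct ctl_code c;
    c.device_type = (uint16_t)(code >> 16);
    c.access      = (uint8_t)((code >> 14) & 0x3);
    c.function    = (uint16_t)((code >> 2) & 0xFFF);
    c.method      = (uint8_t)(code & 0x3);
    return c;
}

/* Same numeric values as the NTSTATUS constants of the same name. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Assumed request format: a length field followed by that many payload bytes.
 * For METHOD_BUFFERED the I/O manager copies the caller's input into a pool
 * buffer (Irp->AssociatedIrp.SystemBuffer) and reports the copied size in
 * Parameters.DeviceIoControl.InputBufferLength. Everything inside the buffer,
 * payload_len included, is still attacker-controlled. */
struct request { uint32_t payload_len; uint8_t payload[]; };

/* Vulnerable pattern: copies payload_len bytes without comparing it to
 * input_len (over-read of adjacent pool memory) or out_len (overflow of the
 * destination). In a driver either one is a bugcheck at best. */
uint32_t handle_vulnerable(const uint8_t *system_buffer, size_t input_len,
                           uint8_t *out, size_t out_len, size_t *copied) {
    const struct request *req = (const struct request *)system_buffer;
    (void)input_len; (void)out_len;                  /* the missing checks */
    memcpy(out, req->payload, req->payload_len);
    *copied = req->payload_len;
    return STATUS_SUCCESS;
}

/* Hardened pattern: validate the header, then the claimed length against the
 * supplied input, then the copy against the destination, in that order, so no
 * field is read before the bytes holding it are known to exist. */
uint32_t handle_hardened(const uint8_t *system_buffer, size_t input_len,
                         uint8_t *out, size_t out_len, size_t *copied) {
    const struct request *req = (const struct request *)system_buffer;
    *copied = 0;
    if (input_len < sizeof(struct request))
        return STATUS_INVALID_PARAMETER;             /* header not fully supplied */
    if (req->payload_len > input_len - sizeof(struct request))
        return STATUS_INVALID_PARAMETER;             /* claims more than was sent */
    if (req->payload_len > out_len)
        return STATUS_BUFFER_TOO_SMALL;              /* would overflow destination */
    memcpy(out, req->payload, req->payload_len);
    *copied = req->payload_len;
    return STATUS_SUCCESS;
}

#define ARENA_SIZE 256
union arena { uint32_t align; uint8_t bytes[ARENA_SIZE]; };   /* keeps the header aligned */

/* Constructed request: header plus 4 real payload bytes (0x11); every other
 * byte of the arena is 0xAA, standing in for pool memory after the request.
 * claimed_len is clamped so the vulnerable copy stays inside this model. */
static void build_request(uint8_t *arena, uint32_t claimed_len) {
    memset(arena, 0xAA, ARENA_SIZE);
    struct request *req = (struct request *)arena;
    req->payload_len = claimed_len > ARENA_SIZE - 4 ? ARENA_SIZE - 4 : claimed_len;
    memset(req->payload, 0x11, 4);
}

/* Runs the vulnerable handler; returns how many 0xAA bytes (memory beyond the
 * caller's real input) ended up in the output. */
size_t vulnerable_leaked_bytes(uint32_t claimed_len, size_t input_len) {
    union arena a; uint8_t out[ARENA_SIZE];
    size_t copied = 0, leaked = 0;
    build_request(a.bytes, claimed_len);
    handle_vulnerable(a.bytes, input_len, out, sizeof out, &copied);
    for (size_t i = 0; i < copied; i++) leaked += (out[i] == 0xAA);
    return leaked;
}

/* Runs the hardened handler on the same request; copied may be NULL. */
uint32_t hardened_status(uint32_t claimed_len, size_t input_len, size_t out_len, size_t *copied) {
    union arena a; uint8_t out[ARENA_SIZE];
    size_t n = 0;
    if (out_len > ARENA_SIZE) out_len = ARENA_SIZE;
    build_request(a.bytes, claimed_len);
    uint32_t st = handle_hardened(a.bytes, input_len, out, out_len, &n);
    if (copied) *copied = n;
    return st;
}

int main(void) {
    struct ctl_code c = decode_ctl_code(0x990081C8u);
    printf("0x990081C8: device 0x%04X access %u function 0x%03X method %u\n",
           c.device_type, c.access, c.function, c.method);
    size_t honest = sizeof(struct request) + 4;      /* what the caller really sent */
    printf("vulnerable handler leaked %zu bytes beyond the input\n",
           vulnerable_leaked_bytes(200, honest));
    printf("hardened handler returned 0x%08X\n", hardened_status(200, honest, ARENA_SIZE, NULL));
    return 0;
}
```

With the malicious request (claimed length 200, only 8 bytes actually sent) the vulnerable handler copies 196 bytes that were never part of the input, while the hardened handler rejects it before touching the payload. The same three checks apply to the output side (OutputBufferLength) and to any offsets or pointers carried inside the request. For a METHOD_NEITHER IOCTL the buffer pointer itself comes from the caller, so in addition to these length checks the driver has to probe it with ProbeForRead/ProbeForWrite inside a try/except block.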

Reservation

02/06/2018

Disclosure

02/06/2018

Moderation

accepted

CPE

ready

EPSS

0.00406

KEV

no

Activities

very low

Sources
