An Access Control List (ACL) bypass in the F-Secure Gatekeeper driver allows local privilege escalation through kernel memory corruption.
Component:
Corporate products:
Consumer Products:
It was discovered that the Access Control List (ACL) on the F-Secure Gatekeeper device object can be bypassed even when access rights are granted only to the Administrators group or the SYSTEM account. The cause is that the FILE_DEVICE_SECURE_OPEN characteristic was not set when the device object was created. Without this flag, Windows enforces the device object's security descriptor only when the device itself is opened; an open of a path with a trailing name component below the device name is handed to the driver without an access check, so an unprivileged user can obtain a handle to the device. A successful bypass of the ACL allows an attacker to manipulate the kernel buffer allocation, resulting in memory corruption. Successful exploitation results in local privilege escalation from a normal user account to an administrator or SYSTEM account.
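The following is an added example, not code from the advisory or from F-Secure's driver. It is a user-mode C model of the decision the Windows I/O manager makes on IRP_MJ_CREATE: the device object's security descriptor is applied only when the caller opens the device name itself or when the driver set FILE_DEVICE_SECURE_OPEN (real WDK value 0x100) in DeviceCharacteristics. The device name "\Device\Example" and the three driver configurations are assumptions for illustration. The model contrasts a device created without the flag with the two documented fixes: passing FILE_DEVICE_SECURE_OPEN to IoCreateDevice or IoCreateDeviceSecure, and, as defense in depth, having the driver's own IRP_MJ_CREATE handler reject any open whose FileObject->FileName.Length is non-zero.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Real WDK value of the device characteristic this advisory is about. */
#define FILE_DEVICE_SECURE_OPEN 0x00000100u

enum caller { CALLER_USER, CALLER_ADMIN };

/* Model of a kernel device object as relevant to the open path. */
struct device {
    const char *name;          /* assumed NT device name, not the real fsgk.sys name */
    unsigned characteristics;  /* DeviceCharacteristics passed at IoCreateDevice[Secure] */
    bool acl_admin_only;       /* security descriptor grants access only to Administrators/SYSTEM */
    bool reject_named_opens;   /* driver's IRP_MJ_CREATE refuses FileName.Length != 0 */
};

/* Model of the I/O manager's create path followed by the driver's IRP_MJ_CREATE.
 * Returns true when the caller ends up with a handle to the device. */
static bool model_open(const struct device *dev, const char *path, enum caller who)
{
    size_t n = strlen(dev->name);
    if (strncmp(path, dev->name, n) != 0)
        return false;                          /* some other object, not this device */
    const char *rest = path + n;
    bool has_trailing = (*rest == '\\');       /* "\Device\Example\anything" */
    if (*rest != '\0' && !has_trailing)
        return false;                          /* e.g. "\Device\ExampleFoo": different name */

    /* Step 1: the device ACL is checked only for a plain device open, unless the
     * driver asked for FILE_DEVICE_SECURE_OPEN, which extends the check to all opens. */
    bool acl_enforced = !has_trailing || (dev->characteristics & FILE_DEVICE_SECURE_OPEN);
    if (acl_enforced && dev->acl_admin_only && who != CALLER_ADMIN)
        return false;                          /* STATUS_ACCESS_DENIED from the I/O manager */

    /* Step 2: the driver's own IRP_MJ_CREATE handler (defense in depth). */
    if (has_trailing && dev->reject_named_opens)
        return false;                          /* driver fails the create itself */
    return true;
}

/* Three assumed driver configurations: the flawed one and the two fixes. */
static const struct device vulnerable        = { "\\Device\\Example", 0,                       true, false };
static const struct device fixed_secure_open = { "\\Device\\Example", FILE_DEVICE_SECURE_OPEN, true, false };
static const struct device fixed_in_driver   = { "\\Device\\Example", 0,                       true, true  };

/* Convenience wrapper: can an unprivileged user obtain a handle via this path? */
bool user_can_open(const struct device *dev, const char *path)
{
    return model_open(dev, path, CALLER_USER);
}

int main(void)
{
    const struct device *devs[] = { &vulnerable, &fixed_secure_open, &fixed_in_driver };
    const char *labels[] = { "no FILE_DEVICE_SECURE_OPEN", "FILE_DEVICE_SECURE_OPEN set",
                             "driver rejects named opens" };
    const char *paths[] = { "\\Device\\Example", "\\Device\\Example\\x" };
    for (int d = 0; d < 3; d++)
        for (int p = 0; p < 2; p++)
            printf("%-30s %-22s user open: %s\n", labels[d], paths[p],
                   user_can_open(devs[d], paths[p]) ? "GRANTED" : "denied");
    return 0;
}
```

The only row in which an unprivileged caller is granted a handle is the flawed configuration opened with a trailing component, which is the bypass the advisory describes. On a live Windows system the same condition can be probed from user mode: if CreateFile on \\.\<symlink>\anything succeeds for a standard user while \\.\<symlink> is denied, the device was created without FILE_DEVICE_SECURE_OPEN and relies solely on whatever checks the driver performs in IRP_MJ_CREATE.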
Component | Version | Remark |
---|---|---|
fsgk.sys | 10.80.110.65 | Fix is available in the automatic update channel for all affected products. No user action is needed if automatic updates are enabled. |
F-Secure Corporation would like to thank Ilja van Sprundel from IOActive and Thierry Decroix for bringing this issue to our attention.
Date Issued: 2015-09-01