Exposed IOCTL with Insufficient Access Control

CVE-2021-21785

Medium

5.5/10

Summary

An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. A specially crafted I/O request packet (IRP) can lead to a disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-782 - Exposed IOCTL with Insufficient Access Control

The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

References

Advisory Timeline

Published Aug 05, 2021

Exposed IOCTL with Insufficient Access Control

CVE-2021-21785

Summary

CWE-782 - Exposed IOCTL with Insufficient Access Control

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS