Vulnerability Spotlight: Arbitrary file deletion in SoftPerfect RAM Disk

Yuri Kramarz of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered that a specific driver in SoftPerfect RAM Disk could allow an adversary to delete arbitrary files. SoftPerfect RAM Disk is a high-performance RAM disk application that allows the user to store a disk from their computer on the device’s space. An attacker could exploit this vulnerability by pointing to a specific file path and then deleting that file.


In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftPerfect to ensure that this issue is resolved and that an update is available for affected customers.

Vulnerability details


SoftPerfect RAM Disk spvve.sys 0x222004 arbitrary file deletion vulnerability (TALOS-2020-1121/CVE-2020-13522)
An exploitable arbitrary file deletion vulnerability exists in the spvve.sys driver of SoftPerfect RAM Disk 4.1. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability. The complete vulnerability advisory has additional information.
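The 0x222004 in the advisory title is a Windows I/O control code. As an added example (not code from Talos or SoftPerfect), the C below splits it into its CTL_CODE fields, a first step when triaging which requests a driver accepts; the struct and function names are illustrative, and the constants restate the documented Windows values so it builds without the driver kit headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of a Windows I/O control code (the CTL_CODE macro):
 * bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 Method */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Documented Windows values, redefined here (illustrative names). */
enum { ACCESS_ANY = 0, ACCESS_READ = 1, ACCESS_WRITE = 2 };
enum { DEVICE_TYPE_UNKNOWN = 0x22 };

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Audit helper: nonzero when the I/O manager requires neither read nor
 * write access on the handle used to send this control code. */
int ioctl_skips_handle_access_check(uint32_t code)
{
    return decode_ioctl(code).access == ACCESS_ANY;
}

const char *method_name(uint32_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

int main(void)
{
    const uint32_t code = 0x222004; /* control code named in the advisory title */
    ioctl_fields f = decode_ioctl(code);
    printf("device=0x%x function=0x%x access=%u method=%s any_access=%d\n",
           (unsigned)f.device_type, (unsigned)f.function, (unsigned)f.access,
           method_name(f.method), ioctl_skips_handle_access_check(code));
    return 0;
}
```

For 0x222004 the access field decodes to FILE_ANY_ACCESS, so the I/O manager checks no read or write right on the handle. Whether a caller can reach the handler then depends on the device object's ACL and the driver's own validation, which this page does not describe.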

Versions tested


Talos tested and confirmed that this vulnerability affects SoftPerfect RAM Disk, version 4.1.

Coverage


The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54581, 54582


