CVE-2017-16555

Vulnerability

A local privilege escalation vulnerability exists in K7 Antivirus Premium and other K7 security products before version 15.1.0.53 [1]. The bug is triggered when a local user sends a specific IOCTL to the kernel driver after setting the memory in a particular way [1]. The driver incorrectly handles the IOCTL, allowing memory manipulation that leads to privilege escalation.

Exploitation

An attacker must have local access to the system and be able to send IOCTL requests to the K7 security driver [1]. The exploit requires the attacker to first set memory in a specific way (likely using VirtualAlloc or similar) and then send the crafted IOCTL. No user interaction beyond initial access is needed, and no authentication bypass is required for the local user.

Impact

Successful exploitation allows a local attacker to gain elevated privileges on the system [1]. This could result in full control of the affected device, including the ability to execute arbitrary code with kernel or SYSTEM-level privileges, disable security features, and install persistent malware.

Mitigation

K7 Computing released fixed versions in November 2017: K7 Anti-Virus Premium (15.1.0314) and other products as listed in the advisory [1]. All users should upgrade to the latest version provided by K7 Computing. No workaround is available. This CVE is part of a set of similar vulnerabilities (CVE-2017-16551, CVE-2017-16553, CVE-2017-16557) all fixed in the same update [1]. The vulnerability is not known to be in CISA KEV.