CVE-2017-16557

Vulnerability

CVE-2017-16557 is a local privilege escalation vulnerability in K7 Antivirus Premium versions before 15.1.0.53 (also affecting other K7 Security Products [1]). The bug resides in the kernel-mode driver component, where a user-mode process can send a specific IOCTL after manipulating memory in a particular way [1]. The vulnerable versions include K7 Anti-Virus Plus (before 15.1.0308), K7 Anti-Virus Premium (before 15.1.0314), K7 Internet Security (before 15.1.0297), K7 Ultimate Security (before 15.1.0324), K7 Total Security (before 15.1.0324), K7 Total Security Plus (before 16.0.0131), and K7 Endpoint (before 14.2.0137) [1].

Exploitation

Exploitation requires local access to the affected system. The attacker must first set the memory in a particular way, then send a specific IOCTL to the vulnerable driver [1]. No additional authentication beyond the ability to run a program is mentioned in the available references; the attack is performed entirely from user mode without any user interaction beyond executing the exploit code.

Impact

A successful attack allows a local user to gain elevated privileges, potentially leading to full system compromise [1]. The attacker can achieve arbitrary code execution with kernel-level privileges, bypassing user-mode security restrictions.

Mitigation

K7 Computing released fixed versions for all affected products as of November 2017 [1]. Users should upgrade to the following versions or later: K7 Anti-Virus Plus 15.1.0308, K7 Anti-Virus Premium 15.1.0314, K7 Internet Security 15.1.0297, K7 Ultimate Security 15.1.0324, K7 Total Security 15.1.0324, K7 Total Security Plus 16.0.0131, K7 Endpoint 14.2.0137 [1]. No workarounds are disclosed. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.