VYPR
Unrated severity · NVD Advisory · Published Jan 8, 2024 · Updated Jun 3, 2025

CVE-2023-52271

Description

Topaz Antifraud wsftprm.sys 2.0.0.0 driver IOCTL lets any user kill PPL processes, bypassing anti-malware protection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The wsftprm.sys kernel driver version 2.0.0.0 in Topaz Antifraud exposes a driver device accessible by any user on the system. The device supports an IOCTL handler that allows arbitrary calls to kernel functions, enabling any user to terminate processes on the target system. This affects at least Topaz Antifraud wsftprm.sys 2.0.0.0 and likely lower versions [1].

Exploitation

An attacker with low privileges (e.g., a standard user on the system) can send a crafted IOCTL to the driver device. Because the device is accessible without authentication, no special permissions are required beyond local access. The attacker can then invoke kernel functions that terminate targeted processes, including Protected Process Light (PPL) processes such as Microsoft Defender [1].

Impact

Successful exploitation allows the attacker to kill any PPL process on the system, effectively disabling anti-malware and other protected security software. This compromises the availability of the targeted processes and undermines system defenses, potentially enabling further malicious activity [1].

Mitigation

Topaz released a patch for the vulnerability on 10 October 2023 [1]. Users should update to the latest version of wsftprm.sys provided by Topaz Antifraud. The available references mention no workaround for systems that have not yet been patched [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Topaz Antifraud/Topaz Antifraud (source: description)
  • Topaz/Antifraud (source: llm-create)
    Range: = 2.0.0.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2