CVE-2023-31096

An issue was discovered in Broadcom) LSI PCI-SV92EX Soft Modem Kernel Driver through 2.2.100.1 (aka AGRSM64.sys). There is Local Privilege Escalation to SYSTEM via a Stack Overflow in RTLCopyMemory (IOCTL 0x1b2150). An attacker can exploit this to elevate privileges from a medium-integrity process to SYSTEM. This can also be used to bypass kernel-level protections such as AV or PPL, because exploit code runs with high-integrity privileges and can be used in coordinated BYOVD (bring your own vulnerable driver) ransomware campaigns.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cschwarz1.github.io/posts/0x04/	Exploit Third Party Advisory
https://www.broadcom.com	Not Applicable

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:broadcom:lsi_pci-sv92ex_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:broadcom:lsi_pci-sv92ex:-:*:*:*:*:*:*:*

History

18 Oct 2023, 20:27

Type	Values Removed	Values Added
CPE		cpe:2.3:o:broadcom:lsi_pci-sv92ex_firmware:::::::: cpe:2.3:h:broadcom:lsi_pci-sv92ex:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-787
First Time		Broadcom Broadcom lsi Pci-sv92ex Broadcom lsi Pci-sv92ex Firmware
References	~~(MISC) https://www.broadcom.com -~~	(MISC) https://www.broadcom.com - Not Applicable
References	~~(MISC) https://cschwarz1.github.io/posts/0x04/ -~~	(MISC) https://cschwarz1.github.io/posts/0x04/ - Exploit, Third Party Advisory

10 Oct 2023, 19:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-10 19:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-31096

Mitre link : CVE-2023-31096

CVE.ORG link : CVE-2023-31096

JSON object : View

Products Affected

broadcom

lsi_pci-sv92ex
lsi_pci-sv92ex_firmware

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2023-31096", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2023-10-10T19:15:09.530", "references": [{"url": "https://cschwarz1.github.io/posts/0x04/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.broadcom.com", "tags": ["Not Applicable"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Broadcom) LSI PCI-SV92EX Soft Modem Kernel Driver through 2.2.100.1 (aka AGRSM64.sys). There is Local Privilege Escalation to SYSTEM via a Stack Overflow in RTLCopyMemory (IOCTL 0x1b2150). An attacker can exploit this to elevate privileges from a medium-integrity process to SYSTEM. This can also be used to bypass kernel-level protections such as AV or PPL, because exploit code runs with high-integrity privileges and can be used in coordinated BYOVD (bring your own vulnerable driver) ransomware campaigns."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Broadcom) LSI PCI-SV92EX Soft Modem Kernel Driver hasta 2.2.100.1 (tambi\u00e9n conocido como AGRSM64.sys). Hay una escalada de privilegios local al SYSTEM a trav\u00e9s de un desbordamiento de pila en RTLCopyMemory (IOCTL 0x1b2150). Un atacante puede aprovechar esto para elevar los privilegios de un proceso de integridad media al SYSTEM. Esto tambi\u00e9n se puede utilizar para omitir protecciones a nivel de kernel como AV o PPL, porque el c\u00f3digo de explotaci\u00f3n se ejecuta con privilegios de alta integridad y se puede utilizar en campa\u00f1as coordinadas de ransomware BYOVD (traiga su propio controlador vulnerable)."}], "lastModified": "2023-10-18T20:27:16.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:broadcom:lsi_pci-sv92ex_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B800F3FF-2B88-4135-9E76-CDA5B582F00D", "versionEndIncluding": "2.2.100.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:broadcom:lsi_pci-sv92ex:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9EE609F6-C73C-4152-B748-4860C45D8BB7"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}