About CVE-2022-43590: Understandable Views (28th Nov 2022)

Preface:For over two decades, developers at some of the world’s most prominent Fortune 500 and Global 2000 companies have trusted Callback Technologies’ components and system drivers to build secure file storage solutions and virtual filesystems. Some of our clients include Amazon, Microsoft, Adobe, Intel, LG, etc.

Background: CBFS Filter allows you to intercept and react to filesystem, registry, and process manager operations as they occur.

ABout CBFS Filter design structure: IOCTL also divides the Buffer into two parts, Input and Output. A single command operation can complete the reading and writing action. The properties of the Buffer also need to be set before it can be used. There are three setting methods: Buffered, Direct and Neither.

If it is for data transmission, it is recommended to use IRP_MJ_READ and IRQP_MJ_WRITE, and for control application, it is recommended to use IRP_MJ_DEVICE_CONTROL.

Ref: Any intermediate driver layered between a file system driver and a removable-media device driver must set up the next-lower-level driver’s I/O stack location in IRPs. From incoming IRP_MJ_READ, IRP_MJ_WRITE, and IRP_MJ_DEVICE_CONTROL requests, the intermediate driver must copy its own I/O stack location Flags into the next-lower-level driver’s I/O stack location when it sets up the I/O stack location for the lower driver, Microsoft said.

Vulnerability details: Cisco Talos found the following. A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

Official announcement: Please refer to the link for details – https://talosintelligence.com/vulnerability_reports/TALOS-2022-1649

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.