CVE-2018-16723 – This vulnerability in Jingyun Antivirus allows ... (How to Fix)

Q: What is the severity of CVE-2018-16723?

CVE-2018-16723 has a CVSS score of 7.8 (HIGH). This vulnerability in Jingyun Antivirus allows local users to trigger a denial of service (BSOD) or potentially execute arbitrary code by sending malformed input to a specific IOCTL in the driver. It affects users of Jingyun Antivirus version 2.4.2.39 on Windows systems.

📋 TL;DR

This vulnerability in Jingyun Antivirus allows local users to trigger a denial of service (BSOD) or potentially execute arbitrary code by sending malformed input to a specific IOCTL in the driver. It affects users of Jingyun Antivirus version 2.4.2.39 on Windows systems.

💻 Affected Systems

Products:

Jingyun Antivirus

Versions: v2.4.2.39

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Jingyun Antivirus installed. The vulnerable driver (ZySandbox.sys) is loaded by default.

📦 What is this software?

Jingyun Antivirus by V Secure

View all CVEs affecting Jingyun Antivirus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation leading to full system compromise via arbitrary code execution in kernel mode.

🟠

Likely Case

Denial of service (system crash/BSOD) disrupting antivirus protection and system stability.

🟢

If Mitigated

Limited to denial of service if proper input validation is implemented.

🌐 Internet-Facing: LOW - Requires local access to exploit.

🏢 Internal Only: HIGH - Local users can exploit this vulnerability to crash systems or potentially gain elevated privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local user access. Public proof-of-concept demonstrates BSOD trigger via IOCTL 0x12364020.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or switching to alternative antivirus software.

🔧 Temporary Workarounds

Disable or Remove Vulnerable Driver

windows

Prevent loading of the vulnerable ZySandbox.sys driver

sc stop ZySandbox
sc delete ZySandbox
Remove or rename ZySandbox.sys from system directories

Restrict Driver Access

windows

Use application control policies to block execution of the vulnerable driver

Configure Windows Defender Application Control or AppLocker to block ZySandbox.sys

🧯 If You Can't Patch

Remove Jingyun Antivirus and replace with updated alternative antivirus solution
Implement strict access controls to limit local user privileges on affected systems

🔍 How to Verify

Check if Vulnerable:

Check if ZySandbox.sys driver is present and version 2.4.2.39 of Jingyun Antivirus is installed

Check Version:

Check antivirus software version in program settings or via 'wmic product get name,version'

Verify Fix Applied:

Verify ZySandbox.sys driver is not loaded or has been removed from system

📡 Detection & Monitoring

Log Indicators:

System crash/BSOD events in Windows Event Logs
Driver load failures for ZySandbox.sys

Network Indicators:

Local IOCTL calls to driver with code 0x12364020

SIEM Query:

EventID=41 OR (Source='System' AND EventID=7036 AND Message LIKE '%ZySandbox%')

📊 Metadata

CVE ID: CVE-2018-16723

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: November 23, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/bsauce/poc/tree/master/jingyun_antivirus_12364020 Third Party Advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2018-19264 Third Party Advisory
https://github.com/bsauce/poc/tree/master/jingyun_antivirus_12364020 Third Party Advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2018-19264 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-16723, you might also want to check these: