CVE-2018-5701

9.8 CRITICAL

📋 TL;DR

This vulnerability in Iolo System Shield AntiVirus and AntiSpyware allows local attackers to write arbitrary data to kernel memory through a driver IOCTL interface. It enables privilege escalation from a standard user account to SYSTEM level access. Only users of the specific affected antivirus software are impacted.

💻 Affected Systems

Products:
  • Iolo System Shield AntiVirus and AntiSpyware
Versions: 5.0.0.136
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the amp.sys driver file and is present in default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and disabling of security controls.

🟠 Likely Case

Local privilege escalation enabling attackers to bypass security restrictions, install additional malware, or access protected system resources.

🟢 If Mitigated

Limited impact if the antivirus software is removed or patched, though initial compromise could still occur through other vectors.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Malicious insiders or attackers who gain initial access through other means can use this to escalate privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Public exploit code is available and has been weaponized for privilege escalation attacks. Requires local user access to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions after 5.0.0.136

Vendor Advisory: Not publicly documented by vendor

Restart Required: Yes

Instructions:

1. Update Iolo System Shield to the latest version.
2. Uninstall version 5.0.0.136 completely.
3. Consider replacing it with alternative antivirus software if updates are unavailable.

🔧 Temporary Workarounds

Disable or remove vulnerable driver (Windows)

Remove or disable the amp.sys driver to prevent exploitation:

sc stop amp
sc delete amp

Then remove amp.sys from system32\drivers.

Restrict driver loading (Windows)

Make sure driver signature enforcement is active so that unsigned drivers cannot be loaded. Note that this only blocks unsigned drivers; a properly signed vulnerable driver that is already installed will still load, so this complements removing amp.sys rather than replacing it:

bcdedit /set nointegritychecks off
bcdedit /set testsigning off

🧯 If You Can't Patch

  • Uninstall Iolo System Shield 5.0.0.136 completely and use alternative antivirus software
  • Implement strict access controls and monitoring for systems running the vulnerable software

🔍 How to Verify

Check if Vulnerable:

Check whether amp.sys is present in system32\drivers and whether its file version is 5.0.0.136, and verify the installed Iolo System Shield version.

Check Version:

wmic product where "name like '%Iolo%System%Shield%'" get version

Verify Fix Applied:

Confirm amp.sys driver is removed or updated to a newer version, and Iolo System Shield is updated beyond 5.0.0.136

📡 Detection & Monitoring

Log Indicators:

  • Driver load events for amp.sys
  • Process creation with SYSTEM privileges from non-admin users
  • IOCTL calls to vulnerable driver

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

(EventID=7045 AND ServiceName="amp") OR (ProcessName="exploit.exe" AND ParentProcess="user-level-process.exe")

The process names in the second clause are placeholders; replace them with the executable names observed in your environment. Without the parentheses, AND binds more tightly than OR in most query languages and the intended grouping is lost.
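The verification checks and the service-install log indicator above, as an added PowerShell example that is not from the advisory or the vendor. It assumes the service name amp, the driver path and the affected version 5.0.0.136 given on this page, and, since no exact fixed version is documented, flags only an exact 5.0.0.136 match as vulnerable and reports any other version for manual review.

```powershell
# Added example, not from the advisory or vendor. Assumed from the page: service name
# "amp", driver path system32\drivers\amp.sys, affected version 5.0.0.136. No fixed
# version is documented, so only an exact match is flagged; other versions are reported.
$VulnerableVersion = [version]'5.0.0.136'
$DriverPath        = Join-Path $env:SystemRoot 'System32\drivers\amp.sys'

$report = [ordered]@{
    DriverOnDisk    = $false
    DriverVersion   = $null
    DriverService   = 'not installed'
    ProductVersion  = $null
    ServiceInstalls = 0      # Event ID 7045 records naming service "amp"
    Vulnerable      = $false
}

# 1. Driver file and its version (built from the numeric FileVersionInfo parts,
#    which avoids parsing vendor-formatted FileVersion strings).
if (Test-Path -LiteralPath $DriverPath) {
    $report.DriverOnDisk = $true
    $vi = (Get-Item -LiteralPath $DriverPath).VersionInfo
    $report.DriverVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($report.DriverVersion -eq $VulnerableVersion) { $report.Vulnerable = $true }
}

# 2. Is the kernel driver service registered, and is it running?
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='amp'" -ErrorAction SilentlyContinue
if ($svc) { $report.DriverService = "$($svc.State) ($($svc.PathName))" }

# 3. Installed product version from the Uninstall registry keys (same name match as the
#    page's wmic query, but without the MSI consistency check that "wmic product" triggers).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Iolo*System*Shield*' } | Select-Object -First 1
if ($product) {
    $report.ProductVersion = $product.DisplayVersion
    if ($product.DisplayVersion -eq '5.0.0.136') { $report.Vulnerable = $true }
}

# 4. Detection angle from the log indicators: service-install events (7045) in the
#    System log whose "Service Name:" line is exactly "amp".
$report.ServiceInstalls = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?m)^Service Name:\s+amp\s*$' }
).Count
[pscustomobject]$report
```

Run it in an elevated PowerShell session; reading the System log and the HKLM uninstall keys works for standard users on most hosts, but driver file access can be restricted.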
