CVE-2020-8508
📋 TL;DR
CVE-2020-8508 is a critical kernel driver vulnerability in Norman Malware Cleaner that allows attackers to execute arbitrary kernel functions from user mode. This enables complete system compromise including privilege escalation, code execution, and kernel manipulation. All users of Norman Malware Cleaner 2.08.08 on Windows systems are affected.
💻 Affected Systems
- Norman Malware Cleaner
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with kernel-level persistence, ability to disable security software, install rootkits, and maintain undetectable access to the entire system.
Likely Case
Local privilege escalation to SYSTEM/administrator privileges, installation of malware, credential theft, and lateral movement within the network.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced, though kernel-level access remains dangerous.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained. Public proof-of-concept code exists demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version (beyond 2.08.08)
Vendor Advisory: https://www.norman.com/security
Restart Required: Yes
Instructions:
1. Uninstall Norman Malware Cleaner 2.08.08.
2. Download and install the latest version from Norman's official website.
3. Reboot the system to ensure the vulnerable driver is unloaded.
🔧 Temporary Workarounds
Driver Blocking via Group Policy
Block loading of the vulnerable nsak64.sys driver using Windows Group Policy (Windows):
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules > New Hash Rule
Driver Removal
Manually remove or rename the vulnerable driver file (Windows, elevated command prompt; the file is locked while the driver is loaded, so do this before rebooting into the patched version or from a state where the driver is not running):
rem Either delete the driver file outright...
del C:\Windows\System32\drivers\nsak64.sys
rem ...or rename it so the driver can no longer be loaded (use one or the other, not both)
ren C:\Windows\System32\drivers\nsak64.sys nsak64.sys.bak
🧯 If You Can't Patch
- Uninstall Norman Malware Cleaner 2.08.08 completely from all systems
- Implement application whitelisting to prevent execution of vulnerable software and block driver loading
🔍 How to Verify
Check if Vulnerable:
Check if nsak64.sys version 2.08.08 exists in C:\Windows\System32\drivers\ and verify Norman Malware Cleaner version in Programs and Features
Check Version:
wmic product where name="Norman Malware Cleaner" get version
Verify Fix Applied:
Confirm nsak64.sys is removed or updated to a newer version, and verify Norman Malware Cleaner is uninstalled or updated beyond 2.08.08
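As an added example (not part of the original advisory), the following PowerShell check automates the three verification steps above on one host. It assumes the driver path the advisory gives and that the product registers a standard Uninstall key whose DisplayName starts with "Norman Malware Cleaner"; run it in an elevated session.

```powershell
# Added check, not from the original advisory. Assumes the driver path given
# above and an Uninstall registry entry whose DisplayName starts with
# "Norman Malware Cleaner"; run in an elevated PowerShell session.
$VulnerableVersion = [version]'2.08.08'   # parses to 2.8.8 for comparison
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\nsak64.sys'
$findings = [ordered]@{}

# 1. Is the driver file still on disk, and what file version does it carry?
if (Test-Path -LiteralPath $DriverPath) {
    $fileVer = (Get-Item -LiteralPath $DriverPath).VersionInfo.FileVersion
    $findings['DriverOnDisk'] = "present (file version $fileVer)"
} else {
    $findings['DriverOnDisk'] = 'absent'
}

# 2. Is a kernel driver service named nsak64 registered, and is it running?
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='nsak64'" -ErrorAction SilentlyContinue
$findings['DriverService'] = if ($svc) { "registered, State=$($svc.State)" } else { 'not registered' }

# 3. Installed product version, read from the Uninstall keys (64- and 32-bit
#    views) instead of 'wmic product', which is slow and can trigger MSI
#    repair of every installed package.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Norman Malware Cleaner*' } |
    Select-Object -First 1
$installedVer = if ($product) { $product.DisplayVersion -as [version] } else { $null }
$findings['ProductVersion'] = if ($product) { $product.DisplayVersion } else { 'not installed' }

# Verdict: vulnerable if the product is at or below 2.08.08 (or its version
# cannot be parsed), or if the product is gone but the driver was left behind.
$productVulnerable = $product -and (-not $installedVer -or $installedVer -le $VulnerableVersion)
$driverLeftover    = (-not $product) -and ($findings['DriverOnDisk'] -ne 'absent' -or $svc)
$findings['Verdict'] = if ($productVulnerable -or $driverLeftover) {
    'VULNERABLE: apply the Fix & Mitigation steps and reboot'
} else {
    'not vulnerable on this host'
}
[pscustomobject]$findings | Format-List
```

A host reports as fixed only when the product is absent or above 2.08.08 and no leftover nsak64 driver file or service remains.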
📡 Detection & Monitoring
Log Indicators:
- Driver load events for nsak64.sys in Windows Event Logs (System log)
- Process creation events related to Norman Malware Cleaner
- Unusual kernel-mode activity or driver loads
Network Indicators:
- No specific network indicators as this is a local privilege escalation vulnerability
SIEM Query:
((EventID=6 OR EventID=7) AND DriverName="nsak64.sys") OR ProcessName="*norman*" OR CommandLine="*nsak64*"