CVE-2023-1628

5.5 MEDIUM

📋 TL;DR

A local attacker can send a crafted IOCTL to kvcore.sys, the kernel driver shipped with Jianming Antivirus, and trigger a null pointer dereference in its IoControlCode handler. Because the fault happens in kernel mode, the result is a bugcheck (BSOD) that takes down the whole host, not just the antivirus process. Only version 16.2.2022.418 is listed as affected, and no fixed release is known.

💻 Affected Systems

Products:
  • Jianming Antivirus
Versions: 16.2.2022.418
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Jianming Antivirus installed. The vulnerable component is a kernel driver (kvcore.sys).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel bugcheck (BSOD) on demand by a local user who can open the driver's device, giving denial of service and a way to take the antivirus offline. On supported Windows releases user mode cannot map the null page, so the dereference itself is a crash rather than code execution; privilege escalation would require a separate bug in the same driver.

🟠

Likely Case

Bugcheck (BSOD) and reboot each time the IOCTL is issued; the host is unavailable while it restarts and antivirus protection is off until the driver is loaded again

🟢

If Mitigated

Minimal impact with proper access controls limiting local user privileges

🌐 Internet-Facing: LOW - Requires local access to exploit
🏢 Internal Only: MEDIUM - Local attackers could disrupt antivirus protection or cause system instability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on GitHub. Exploitation requires the ability to run code on the host; since the bug sits in the IoControlCode handler, the trigger is a DeviceIoControl call against the driver's device, so the main barrier is obtaining a handle to it. A fault in a kernel driver crashes the whole machine rather than one process, which is what makes this more serious than a user-mode null dereference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Jianming Antivirus vendor website for updates
2. If update available, download and install
3. Reboot so the updated kvcore.sys is the copy that gets loaded; a kernel driver already in memory is not replaced until restart

🔧 Temporary Workarounds

Restrict local user privileges

windows

Limit local user accounts to standard user privileges to reduce attack surface

Disable vulnerable driver

windows

Prevent kvcore.sys from loading by disabling the kernel service that registers it. The service name is not necessarily the file name, so confirm it first from an elevated prompt (for example `driverquery /v | findstr /i kvcore`, or `sc qc <name>` to check BINARY_PATH_NAME), then:

sc config jmavdrv start= disabled
sc stop jmavdrv

Stopping a running antivirus driver is often refused; the disabled start type then takes effect at the next reboot. This also removes the real-time protection the driver provides, so treat it as a short-term measure.

🧯 If You Can't Patch

  • Uninstall Jianming Antivirus and replace with alternative antivirus solution
  • Implement strict access controls to prevent unauthorized local code execution

🔍 How to Verify

Check if Vulnerable:

Check the Jianming Antivirus version in the program settings, in the file properties of kvcore.sys (Details tab), or with the wmic query below and compare against 16.2.2022.418. Note that wmic is deprecated and Win32_Product is slow and triggers an MSI consistency check; reading the Uninstall registry keys or the driver's file version is faster and works on current Windows builds.

Check Version:

wmic product where "name like '%Jianming%'" get name,version

Verify Fix Applied:

Confirm that the installed version is later than 16.2.2022.418 and that the vendor states the issue is fixed in it (no fixed version is known at the time of writing), or that kvcore.sys is no longer present, or that its service is disabled and not running after a reboot
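The following PowerShell is an added example, not code from the advisory or from the vendor. It covers both the version check above and the prerequisite for the driver workaround: it resolves which kernel service actually loads kvcore.sys (the name `sc config` needs), reads the driver's file version and the product's registered version, and reports whether the affected build is installed. Assumptions not stated on the page: the product registers an Uninstall key whose DisplayName contains "Jianming", and the driver's file version tracks the product version.

```powershell
# Added example (not from the advisory or the vendor). Locates the kvcore.sys
# kernel service, reads versions, and flags the affected build 16.2.2022.418.
$AffectedVersion = [version]'16.2.2022.418'

function Get-KvcoreDriverService {
    # Resolve the service that loads kvcore.sys instead of guessing its name;
    # 'sc config <Name> start= disabled' needs the service name, not the file name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*kvcore.sys' } |
        Select-Object -Property Name, State, StartMode, PathName
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths: \??\C:\..., \SystemRoot\..., or relative System32\...
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot ($p -replace '^\\', '') }
    return $p
}

function Get-FileVersionObject {
    param([string]$Path)
    # Build a [version] from the numeric parts; the FileVersion string may carry
    # vendor text that breaks a direct [version] cast.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-JianmingProduct {
    # Read the Uninstall hive directly (64-bit and 32-bit views). Assumption: the
    # product's DisplayName contains "Jianming"; adjust the filter if it does not.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Jianming*' } |
        Select-Object -Property DisplayName, DisplayVersion
}

function Test-KvcoreVulnerable {
    $driver  = Get-KvcoreDriverService | Select-Object -First 1
    $product = Get-JianmingProduct     | Select-Object -First 1

    $result = [ordered]@{
        DriverPresent  = [bool]$driver
        ServiceName    = $driver.Name      # feed this to sc config / sc stop
        ServiceState   = $driver.State
        StartMode      = $driver.StartMode
        DriverVersion  = $null
        ProductVersion = $product.DisplayVersion
        Vulnerable     = $false
        Note           = ''
    }

    if ($driver) {
        $path = Resolve-DriverPath $driver.PathName
        if (Test-Path -LiteralPath $path) { $result.DriverVersion = Get-FileVersionObject $path }
    }

    # Prefer the driver's own file version; fall back to the registered product version.
    $observed = $null
    if ($result.DriverVersion) { $observed = $result.DriverVersion }
    elseif ($product.DisplayVersion) { try { $observed = [version]$product.DisplayVersion } catch { } }

    if (-not $driver -and -not $product) {
        $result.Note = 'kvcore.sys and Jianming Antivirus not found on this host'
    } elseif ($null -eq $observed) {
        $result.Note = 'Installed, but no version could be read; inspect kvcore.sys manually'
    } elseif ($observed -eq $AffectedVersion) {
        $result.Vulnerable = $true
        $result.Note = 'Affected build 16.2.2022.418 is installed'
    } else {
        $result.Note = "Build $observed differs from 16.2.2022.418; no fixed version is published, confirm with the vendor"
    }
    return [pscustomobject]$result
}

Test-KvcoreVulnerable | Format-List
```

Run it from an elevated prompt so the registry and driver paths are readable. The ServiceName field is the value to use in `sc config <Name> start= disabled` and `sc stop <Name>`; if the output shows StartMode as Boot or System, expect the stop to be refused and the change to apply only after a reboot.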

📡 Detection & Monitoring

Log Indicators:

  • Unexpected reboots: System log, Microsoft-Windows-Kernel-Power Event ID 41 (carries the bugcheck code and parameters, but never the faulting module)
  • Bugcheck records: System log, source BugCheck Event ID 1001 ("The computer has rebooted from a bugcheck"), which includes the dump file path; the faulting module is identified from that dump, for example with WinDbg `!analyze -v`
  • Antivirus service failures and driver load failures for kvcore.sys: Service Control Manager Event IDs 7000 and 7026

Network Indicators:

  • None - local exploitation only

SIEM Query:

(EventID=41 AND Source="Microsoft-Windows-Kernel-Power") OR (EventID=1001 AND Source IN ("BugCheck", "Microsoft-Windows-WER-SystemErrorReporting")) OR (EventID IN (7000, 7026) AND Message LIKE "%kvcore%")

"Application Error" (Event ID 1000) only records user-mode crashes and will not catch a kernel bugcheck. None of the bugcheck events name kvcore.sys, so scope the query to hosts where the driver is installed and confirm attribution from the memory dump.
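As an added example that is not part of the original page, the PowerShell below pulls the two System-log events a kernel bugcheck actually leaves behind (Kernel-Power 41 and BugCheck 1001), decodes the bugcheck code from each, and keeps the ones whose code is typical of an invalid kernel memory access on a host where kvcore.sys is registered. The list of bugcheck codes treated as "NPD-like" is an assumption about how this fault would surface; the dump file named in the 1001 event is what ultimately attributes the crash to the driver.

```powershell
# Added example (not from the advisory). Triage bugcheck events for a host that
# runs kvcore.sys. The events carry the bugcheck code, not the module name.

# Bugcheck codes typical of an invalid kernel-mode memory access such as a null
# pointer dereference. Assumption: which one appears depends on IRQL and on where
# the fault lands, so treat a match as a candidate, not a confirmation.
$NpdLikeBugchecks = @(0x0A, 0x1E, 0x3B, 0x50, 0x7E, 0xD1)

function Get-KvcoreDriverState {
    # Is the vulnerable driver registered here at all? Used to scope crash triage.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*kvcore.sys' } |
        Select-Object -Property Name, State, StartMode
}

function Get-DataText {
    param($Data)
    # The XML adapter returns <Data> elements with attributes as XmlElement
    # (text in '#text') and attribute-less ones as plain strings.
    if ($Data -is [string]) { return $Data } else { return $Data.'#text' }
}

function Get-BugcheckEvents {
    param([int]$Days = 30)

    # Kernel-Power 41: BugcheckCode (decimal) in EventData.
    # BugCheck 1001: param1 = "0x0000003b (0x.., 0x.., 0x.., 0x..)", param2 = dump path.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Power', 'BugCheck'
        Id           = 41, 1001
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @($xml.Event.EventData.Data)
        $code = $null
        $dump = $null

        if ($_.Id -eq 41) {
            $raw = Get-DataText ($data | Where-Object { -not ($_ -is [string]) -and $_.Name -eq 'BugcheckCode' })
            if ($raw) { $code = [long]$raw }
        } else {
            $p1 = if ($data.Count -ge 1) { Get-DataText $data[0] } else { $null }
            if ($p1 -and $p1 -match '0x([0-9a-fA-F]{8})') { $code = [Convert]::ToInt64($Matches[1], 16) }
            if ($data.Count -ge 2) { $dump = Get-DataText $data[1] }
        }

        $hex = $null
        if ($null -ne $code) { $hex = '0x{0:X8}' -f $code }

        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Provider = $_.ProviderName
            Bugcheck = $hex
            NpdLike  = ($null -ne $code) -and ($NpdLikeBugchecks -contains $code)
            DumpFile = $dump   # analyse with WinDbg '!analyze -v' to get the faulting module
        }
    }
}

function Find-SuspectKvcoreCrashes {
    param([int]$Days = 30)
    $driver = Get-KvcoreDriverState | Select-Object -First 1
    if (-not $driver) {
        Write-Verbose 'kvcore.sys is not registered on this host; bugchecks here are unrelated to CVE-2023-1628.'
        return
    }
    # Candidates only: a matching code on a host that runs the driver. The dump decides.
    Get-BugcheckEvents -Days $Days | Where-Object { $_.NpdLike } | ForEach-Object {
        $_ | Add-Member -NotePropertyName DriverService -NotePropertyValue $driver.Name -PassThru
    }
}

Find-SuspectKvcoreCrashes -Days 30 | Format-Table -AutoSize
```

A repeated 41/1001 pair with the same code on a host where the driver is Running, with no hardware fault in the dump, is the pattern to escalate; open the DumpFile in WinDbg and check whether `!analyze -v` blames kvcore.sys before concluding this CVE was triggered.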
