CVE-2007-5633
Published 2007-10-23
Priority P274 · high · 7.2 (CVSS 2.0)
In-the-wild exploit: VulnCheck KEV
Exploited in the wild
EPSS: 0.94% (56.3rd percentile)
Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, allows local users to read or write arbitrary MSRs, and gain privileges and load unsigned drivers, via the (1) IOCTL_RDMSR 0x9C402438 and (2) IOCTL_WRMSR 0x9C40243C IOCTLs to \Device\speedfan, as demonstrated by an IOCTL_WRMSR action on MSR_LSTAR.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| almico | speedfan | — | — |
Detection & IOCs (extracted from sources)
- Detect IOCTL calls to \Device\speedfan with control codes 0x9C402438 (IOCTL_RDMSR) or 0x9C40243C (IOCTL_WRMSR), which indicate MSR read/write abuse via the vulnerable SpeedFan driver for privilege escalation.
- Flag presence of SpeedFan.sys with MD5 hash 5F9785E7535F8F602CB294A54962C9E7, as this specific version was used by the Slingshot APT rootkit to bypass x64 Driver Signing Protection.
- Detect the malicious ipv4.dll dropped on MikroTik routers and subsequently downloaded by Winbox clients as the initial infection vector leading to CVE-2007-5633 exploitation.
- The vulnerability is specific to Microsoft Windows Vista x64; exploitation via the IOCTL_WRMSR code targets MSR_LSTAR to load unsigned drivers, so detection should be scoped to x64 Vista environments running SpeedFan 4.33.
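The first detection bullet keys on the two control codes sent to \Device\speedfan. As an added example (not code from the page, SpeedFan, or any of the listed sources), the block below splits those codes into their Windows CTL_CODE fields and runs the match over constructed device-control telemetry; the `pid= image= device= ioctl=` line format is a hypothetical one chosen for this example.

```python
# Added example: decode the two SpeedFan IOCTL codes named in the advisory with the
# Windows CTL_CODE layout and flag telemetry records that send them to \Device\speedfan.
import re

# CTL_CODE layout: bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Control codes and device path exactly as given in the advisory text.
SPEEDFAN_MSR_IOCTLS = {0x9C402438: "IOCTL_RDMSR", 0x9C40243C: "IOCTL_WRMSR"}
SPEEDFAN_DEVICE = r"\Device\speedfan"

def decode_ioctl(code: int) -> dict:
    """Split a 32-bit control code into its CTL_CODE fields."""
    return {
        "device_type": code >> 16,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }

# Hypothetical telemetry line format (constructed for this example):
#   pid=<n> image=<path> device=<path> ioctl=0x<hex>
LINE_RE = re.compile(r"pid=(\d+) image=(.+?) device=(\S+) ioctl=0x([0-9A-Fa-f]+)")

def find_speedfan_msr_access(lines):
    """Return (pid, image, ioctl name) for each record that sends one of the two
    MSR control codes to the SpeedFan device; all other device traffic is ignored."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, image, device, code_hex = m.groups()
        code = int(code_hex, 16)
        if device.lower() == SPEEDFAN_DEVICE.lower() and code in SPEEDFAN_MSR_IOCTLS:
            hits.append((int(pid), image, SPEEDFAN_MSR_IOCTLS[code]))
    return hits

# Constructed sample telemetry: a benign SpeedFan request, an RDMSR, a WRMSR, unrelated traffic.
SAMPLE_LOG = [
    "pid=1204 image=C:\\Program Files\\SpeedFan\\speedfan.exe device=\\Device\\speedfan ioctl=0x9C402400",
    "pid=3392 image=C:\\Users\\Public\\loader.exe device=\\Device\\speedfan ioctl=0x9C402438",
    "pid=3392 image=C:\\Users\\Public\\loader.exe device=\\Device\\speedfan ioctl=0x9C40243C",
    "pid=777 image=C:\\Windows\\System32\\svchost.exe device=\\Device\\Tcp ioctl=0x00120028",
]

if __name__ == "__main__":
    for code, name in SPEEDFAN_MSR_IOCTLS.items():
        print(name, hex(code), decode_ioctl(code))
    for hit in find_speedfan_msr_access(SAMPLE_LOG):
        print("MSR access via SpeedFan driver:", hit)
```

Both codes decode to the same vendor device type (0x9C40) with METHOD_BUFFERED and FILE_ANY_ACCESS, adjacent function numbers 0x90E and 0x90F; FILE_ANY_ACCESS means the driver does not rely on the handle's access mask to gate the write path.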
CVSS provenance
NVD (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 7.2 HIGH
GHSA
GHSA-x4vw-hwxw-9rqp: Speedfan [HIGH]
ghsa_unreviewed · 2022-05-01
VulnCheck
Alfredo Milani Comparetti SpeedFan 4.33 Speedfan.sys Privilege Escalation [HIGH]
vulncheck · 2007 · CVSS 7.2
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf; https://securelist.com/apt-slingshot/84312/
No detection rules found.
Tenable
blogs_tenable · 2018-03-19 · CVSS 6.4 [MEDIUM]
# Slingshot Malware Uses IoT Device in Targeted Attacks
Tony Huffman
March 19, 2018
A new APT malware attack has been discovered by Kaspersky Lab. The malware named Slingshot, due to a string in one of the hijacked system DLLs, is a sophisticated attack that leads to a nasty rootkit. The final rootkit named Cahnadr takes control of system processes, allowing for monitoring of keystrokes, clipboard, network traffic and more.
### Background
Kaspersky Lab recently analyzed a sophisticated malware they named Slingshot. The paper published by Kaspersky Lab outlines details on how Slingshot operates and suggests the malware has been active since 2012. What makes Slingshot especially interesting is it used a compromised IoT device to infect
References
- http://osvdb.org/41842
- http://secunia.com/advisories/27312
- http://www.bugtrack.almico.com/view.php?id=987
- http://www.reversemode.com/index.php?option=com_content&task=view&id=42&Itemid=1
- http://www.securityfocus.com/bid/26123
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37298