CVE-2010-1592
Published 2010-04-28
CVE-2010-1592: sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoftware Sandra 16.10.2010.1 and earlier allows local users to gain privileges or cause a…
Priority P181 · medium · 6.9 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.43% (34.5th percentile)
sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoftware Sandra 16.10.2010.1 and earlier allows local users to gain privileges or cause a denial of service (system crash) via unspecified vectors involving "Model-Specific Registers."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sisoftware | sandra | <= 16.10.2010.1 | — |
Detection & IOCs (extracted from sources)
- Detect Sandra.sys (MD5: 9a237fa07ce3ed06ea924a9bed4a6b99) loaded as a driver; its presence indicates exploitation of CVE-2010-1592 by the Slingshot APT rootkit to bypass x64 Driver Signing Protection.
- Use Tenable Plugin 108411 (Malicious Process Detection: Authenticode Microsoft Manufacturer) to identify unsigned or tampered Microsoft DLLs indicative of Slingshot infection.
- Monitor for ipv4.dll being downloaded from MikroTik routers via Winbox and loaded on endpoints, as this is the initial Slingshot dropper DLL.
- CVE-2010-1592 affects sandra.sys version 15.18.1.1 and earlier, part of SiSoftware Sandra 16.10.2010.1 and earlier; exploitation is local (requires local access) and targets Model-Specific Registers.
- The Slingshot APT exploited CVE-2010-1592 specifically to bypass x64 Driver Signing Protection as part of a multi-stage rootkit implantation chain; the driver was abused rather than being the primary payload.
CVSS provenance
- nvd: v2.0, 6.9 MEDIUM, AV:L/AC:M/Au:N/C:C/I:C/A:C
- vulncheck: 6.9 MEDIUM
GHSA
GHSA-jcjm-m33h-xcrm: sandra
ghsa_unreviewed·2022-05-17
CVE-2010-1592 [MEDIUM] CWE-20 GHSA-jcjm-m33h-xcrm: sandra
VulnCheck
sisoftware sandra Improper Input Validation
vulncheck·2010·CVSS 6.9
CVE-2010-1592 [MEDIUM] sisoftware sandra Improper Input Validation
Affected: sisoftware sandra
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf; https://securelist.com/apt-slingshot/84312/; https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/; ht
No detection rules found.
No public exploits indexed.
Tenable
Slingshot Malware Uses IoT Device in Targeted Attacks
blogs_tenable·2018-03-19·CVSS 6.4
[MEDIUM] Slingshot Malware Uses IoT Device in Targeted Attacks
# Slingshot Malware Uses IoT Device in Targeted Attacks
Tony Huffman
March 19, 2018
A new APT malware attack has been discovered by Kaspersky Lab. The malware, named Slingshot after a string in one of the hijacked system DLLs, is a sophisticated attack that leads to a nasty rootkit. The final rootkit, named Cahnadr, takes control of system processes, allowing for monitoring of keystrokes, clipboard, network traffic and more.
### Background
Kaspersky Lab recently analyzed a sophisticated malware they named Slingshot. The paper published by Kaspersky Lab outlines details on how Slingshot operates and suggests the malware has been active since 2012. What makes Slingshot especially interesting is it used a compromised IoT device to infect
- http://osvdb.org/61947
- http://secunia.com/advisories/38212
- http://www.ntinternals.org/ntiadv0808/ntiadv0808.html
- http://www.vupen.com/english/advisories/2010/0223