CVE-2017-15302
published 2017-10-16


Priority: P1 82
Severity: high, 7.8 (CVSS 3.0)
CVSS 3.0 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 0.38% (29.7th percentile)
In CPUID CPU-Z through 1.81, there are improper access rights to a kernel-mode driver (e.g., cpuz143_x64.sys for version 1.43) that can result in information disclosure or elevation of privileges, because of an arbitrary read of any physical address via ioctl 0x9C402604. Any application running on the system (Windows), including sandboxed users, can issue an ioctl to this driver without any validation. Furthermore, the driver can map any physical page on the system and returns the allocated map page address to the user: that results in an information leak and EoP. NOTE: the vendor indicates that the arbitrary read itself is intentional behavior (for ACPI scan functionality); the security issue is the lack of an ACL.

Affected

1 range

Vendor    Product    Version range    Fixed in
cpuid     cpu-z      <= 1.81          (none listed)

Detection & IOCs (extracted from sources)

other: ioctl 0x9C402604
filename: cpuz143_x64.sys
  • Monitor for unprivileged/sandboxed processes issuing IOCTL 0x9C402604 to the CPU-Z kernel driver (e.g., cpuz143_x64.sys); any process on the system can call this without validation.
  • Alert on the CPU-Z kernel driver mapping arbitrary physical pages and returning mapped addresses to user-mode — indicative of information disclosure or EoP exploitation.
  • Flag presence or loading of cpuz143_x64.sys (or equivalent versioned CPU-Z driver) on systems where CPU-Z is not an authorized tool, as it exposes a vulnerable IOCTL interface.
  • The vendor acknowledges the arbitrary physical memory read via IOCTL is intentional (for ACPI scan functionality); the vulnerability is specifically the absence of an ACL on the driver, meaning patching requires restricting driver access rights rather than removing the read capability.

CVSS provenance

nvd        v3.0    7.8 HIGH    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0    7.2 HIGH    AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck          7.8 HIGH