CVE-2024-43452
Description
Windows Registry Elevation of Privilege Vulnerability
Ratings
- Attacker Value: Very Low
- Exploitability: Very Low
Technical Analysis
This seems like a really fascinating exploit from the point of view of a researcher, but an utter and complete nightmare for an attacker.
The core of this exploit is that when Windows reads a registry hive file, it checks the size, allocates memory in chunks, and reads the data into memory. If the host is under memory pressure, it might free a chunk of the file in memory if it is not currently being used, but then when that chunk is required again, it rereads the chunk in question from disk, without checking if it has changed size.
The weaponization of this attack requires a Windows host to open a hive file hosted on an SMB server that the attacker has total control over. In the PoC's case, it was a Samba share running impacket. An attacker cannot just run a script on a normal SMB host, as the host must serve a different version of the file as a race condition and rely on the target also being under memory pressure and having a specific memory layout. The file in question is 2GB.
Again, this is fascinating from a research perspective, but if an attacker has an SMB server running that your hosts can access readily and if an attacker can execute any arbitrary command as a low-level user, this is still not in the first 25 attacks they will reach for. The researchers claim that the “works reliably, but the vulnerability is highly dependant [sic] on the system memory consumption/layout, so if it doesn’t reproduce on the first try, it is recommended to try again, check the extent of memory usage (e.g. in Task Manager), and potentially try to fine-tune the amount of physical memory assigned to the VM.” This sounds suspiciously like BLUEKEEP, where we could always get reliable execution if we did a memory analysis on the remote computer to get the offsets we needed since they were likely to change depending on the host’s memory size, hypervisor, and what applications were running at the time.
In closing, I don't want to disparage the researchers here; I argued that based on ThemeBleed and other SMB-server attacks, we would see an increased use of SMB servers to control how targets interacted with file systems, and this is a novel attack vector we should look at, but if an attacker has the ability to use this attack in your environment, they're going to use another exploit.
Defenders should look to mitigate this by policing SMB shares on the network and blocking access to unknown SMB shares. A targeted approach to just this exploit would be to have HIDS trigger on the act of loading a registry hive, something incredibly few users will do on a day-to-day basis.
General Information
Vendors
- microsoft
Products
- windows 10 1809
- windows 10 21h2
- windows 10 22h2
- windows 11 22h2
- windows 11 23h2
- windows 11 24h2
- windows server 2008
- windows server 2019
- windows server 2022
- windows server 2022 23h2
- windows server 2025