Skip to main content
CVE Vulnerability Database

CVE-2024-1853: Zemana AntiLogger DoS Vulnerability

CVE-2024-1853 is a denial of service flaw in Zemana AntiLogger v2.74.204.664 that allows arbitrary process termination via IOCTL code exploitation. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2024-1853 Overview

CVE-2024-1853 is an Arbitrary Process Termination vulnerability affecting Zemana AntiLogger v2.74.204.664. The vulnerability exists in the zam64.sys and zamguard64.sys kernel drivers, which can be exploited by triggering the 0x80002048 IOCTL code. This allows a local attacker with low privileges to terminate arbitrary processes on the system, leading to denial of service conditions.

Critical Impact

A local attacker can exploit vulnerable kernel drivers in Zemana AntiLogger to terminate critical system processes, potentially causing system instability or denial of service.

Affected Products

  • Zemana AntiLogger v2.74.204.664
  • zam64.sys driver
  • zamguard64.sys driver

Discovery Timeline

  • 2024-03-14 - CVE-2024-1853 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-1853

Vulnerability Analysis

This vulnerability is classified under CWE-283 (Unverified Ownership), indicating that the affected drivers fail to properly verify that the calling process has appropriate ownership or authorization before performing privileged operations. The zam64.sys and zamguard64.sys kernel drivers expose an IOCTL interface that can be abused by unprivileged local users.

When a user sends a specially crafted request to the 0x80002048 IOCTL code, the driver does not adequately validate the caller's permissions or verify that the target process should be accessible to the requesting user. This architectural flaw allows any local user with basic system access to terminate processes running under higher privilege levels, including security software and system services.

Root Cause

The root cause of CVE-2024-1853 lies in insufficient access control within the Zemana AntiLogger kernel drivers. The IOCTL handler for code 0x80002048 lacks proper validation of:

  1. The caller's privilege level and authorization
  2. Ownership verification of the target process
  3. Whether the requested operation should be permitted for the calling user context

This represents a classic case of improper access control in kernel-mode drivers, where privileged operations are exposed without adequate security checks.

Attack Vector

The attack requires local access to the target system with low-level user privileges. An attacker can exploit this vulnerability by:

  1. Opening a handle to the vulnerable driver (zam64.sys or zamguard64.sys)
  2. Crafting a malicious IOCTL request with code 0x80002048
  3. Specifying a target process ID for termination
  4. Sending the request to the driver, which executes the termination without proper authorization checks

The vulnerability does not require user interaction and can be exploited programmatically. For detailed technical analysis, refer to the Fluid Attacks Advisory.

Detection Methods for CVE-2024-1853

Indicators of Compromise

  • Unexpected process terminations, particularly of security software or critical system services
  • Suspicious IOCTL calls to zam64.sys or zamguard64.sys drivers with code 0x80002048
  • Unusual DeviceIoControl API calls from non-Zemana processes targeting Zemana drivers
  • Process crash logs indicating forced termination of protected processes

Detection Strategies

  • Monitor for unusual access patterns to Zemana driver device objects
  • Implement process monitoring to detect unexpected termination of critical services
  • Use kernel-level monitoring to track IOCTL requests to vulnerable drivers
  • Deploy endpoint detection and response (EDR) solutions capable of detecting driver exploitation attempts

Monitoring Recommendations

  • Configure Windows Event Log monitoring for process termination events (Event ID 4689) with unusual patterns
  • Implement Sysmon rules to track DeviceIoControl calls to Zemana drivers
  • Monitor for privilege escalation attempts that may precede exploitation
  • Enable driver load auditing to detect any modifications to the vulnerable drivers

How to Mitigate CVE-2024-1853

Immediate Actions Required

  • Review systems for installations of Zemana AntiLogger v2.74.204.664 and consider removal or replacement
  • Restrict local user access to systems running the vulnerable software
  • Implement application whitelisting to prevent unauthorized programs from accessing the vulnerable drivers
  • Monitor for exploitation attempts using endpoint security solutions

Patch Information

At the time of this advisory, specific patch information from Zemana was not available in the vulnerability data. Organizations should monitor the Zemana AntiLogger product page for security updates and apply any available patches as they become released. Contact Zemana support directly for guidance on remediation options.

Workarounds

  • Consider temporarily uninstalling Zemana AntiLogger until a patch is available
  • Implement strict access controls to limit which users can execute programs that interact with kernel drivers
  • Use Device Guard or Windows Defender Application Control (WDAC) policies to restrict driver access
  • Deploy compensating controls through endpoint protection platforms to detect and block exploitation attempts
  • Segment systems running the vulnerable software from critical infrastructure
bash
# Check for installed vulnerable drivers
sc query zam64
sc query zamguard64

# If vulnerable, consider stopping the service (may require reboot)
# Note: This will disable Zemana AntiLogger functionality
sc stop zam64
sc config zam64 start= disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.