CVE-2024-1853 Overview
CVE-2024-1853 is an Arbitrary Process Termination vulnerability affecting Zemana AntiLogger v2.74.204.664. The vulnerability exists in the zam64.sys and zamguard64.sys kernel drivers, which can be exploited by triggering the 0x80002048 IOCTL code. This allows a local attacker with low privileges to terminate arbitrary processes on the system, leading to denial of service conditions.
Critical Impact
A local attacker can exploit vulnerable kernel drivers in Zemana AntiLogger to terminate critical system processes, potentially causing system instability or denial of service.
Affected Products
- Zemana AntiLogger v2.74.204.664
- zam64.sys driver
- zamguard64.sys driver
Discovery Timeline
- 2024-03-14 - CVE-2024-1853 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-1853
Vulnerability Analysis
This vulnerability is classified under CWE-283 (Unverified Ownership), indicating that the affected drivers fail to properly verify that the calling process has appropriate ownership or authorization before performing privileged operations. The zam64.sys and zamguard64.sys kernel drivers expose an IOCTL interface that can be abused by unprivileged local users.
When a user sends a specially crafted request to the 0x80002048 IOCTL code, the driver does not adequately validate the caller's permissions or verify that the target process should be accessible to the requesting user. This architectural flaw allows any local user with basic system access to terminate processes running under higher privilege levels, including security software and system services.
Root Cause
The root cause of CVE-2024-1853 lies in insufficient access control within the Zemana AntiLogger kernel drivers. The IOCTL handler for code 0x80002048 lacks proper validation of:
- The caller's privilege level and authorization
- Ownership verification of the target process
- Whether the requested operation should be permitted for the calling user context
This represents a classic case of improper access control in kernel-mode drivers, where privileged operations are exposed without adequate security checks.
Attack Vector
The attack requires local access to the target system as a low-privileged (standard) user. An attacker can exploit this vulnerability by:
- Opening a handle to the vulnerable driver (zam64.sys or zamguard64.sys)
- Crafting a malicious IOCTL request with code 0x80002048
- Specifying a target process ID for termination
- Sending the request to the driver, which executes the termination without proper authorization checks
The vulnerability does not require user interaction and can be exploited programmatically. For detailed technical analysis, refer to the Fluid Attacks Advisory.
Detection Methods for CVE-2024-1853
Indicators of Compromise
- Unexpected process terminations, particularly of security software or critical system services
- Suspicious IOCTL calls to zam64.sys or zamguard64.sys drivers with code 0x80002048
- Unusual DeviceIoControl API calls from non-Zemana processes targeting Zemana drivers
- Process crash logs indicating forced termination of protected processes
Detection Strategies
- Monitor for unusual access patterns to Zemana driver device objects
- Implement process monitoring to detect unexpected termination of critical services
- Use kernel-level monitoring to track IOCTL requests to vulnerable drivers
- Deploy endpoint detection and response (EDR) solutions capable of detecting driver exploitation attempts
Monitoring Recommendations
- Monitor Windows Security log process termination events (Event ID 4689) for unusual patterns
- Implement Sysmon rules to track DeviceIoControl calls to Zemana drivers
- Monitor for privilege escalation attempts that may precede exploitation
- Enable driver load auditing to detect any modifications to the vulnerable drivers
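The process-termination monitoring recommended above, as an added example that is not part of the advisory: a small Python detector that reads an export of Security log process create/exit events (4688/4689; the comma-separated field layout and the sample records are constructed for this example), flags watch-listed security and system processes that exit without being restarted inside a grace window, and groups near-simultaneous exits into a burst, which is the footprint an arbitrary-process-termination primitive leaves. Event ID 4689 is only written when Audit Process Termination is enabled. The watchlist names are illustrative and should be tuned to the estate.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export, NOT real telemetry. Assumed layout:
# time,event_id,image,pid,account,exit_status  (4688 = created, 4689 = exited)
SAMPLE_EXPORT = """\
2024-03-14T10:00:00,4688,C:\\Windows\\System32\\svchost.exe,1204,NT AUTHORITY\\SYSTEM,
2024-03-14T10:00:05,4689,C:\\Windows\\System32\\svchost.exe,1204,NT AUTHORITY\\SYSTEM,0x0
2024-03-14T10:02:11,4689,C:\\Program Files\\Windows Defender\\MsMpEng.exe,3124,NT AUTHORITY\\SYSTEM,0x1
2024-03-14T10:02:12,4689,C:\\Program Files\\EDR\\edr_agent.exe,3300,NT AUTHORITY\\SYSTEM,0x1
2024-03-14T10:02:13,4689,C:\\Windows\\System32\\services.exe,716,NT AUTHORITY\\SYSTEM,0x1
2024-03-14T10:30:00,4689,C:\\Program Files\\EDR\\edr_agent.exe,3400,NT AUTHORITY\\SYSTEM,0x0
2024-03-14T10:30:03,4688,C:\\Program Files\\EDR\\edr_agent.exe,3510,NT AUTHORITY\\SYSTEM,
"""

# Processes whose unexpected exit is a strong signal (illustrative; tune per estate).
WATCHLIST = {"msmpeng.exe", "edr_agent.exe", "services.exe", "lsass.exe", "csrss.exe"}


@dataclass(frozen=True)
class ProcEvent:
    time: datetime
    event_id: int
    image: str
    pid: int
    account: str
    exit_status: str


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_export(text):
    """Parse the constructed export into time-ordered ProcEvent records."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # skip blank or truncated rows
        time, event_id, image, pid, account, status = row[:6]
        events.append(ProcEvent(datetime.fromisoformat(time), int(event_id),
                                image, int(pid), account, status))
    return sorted(events, key=lambda e: e.time)


def detect_unexpected_exits(events, restart_grace=timedelta(seconds=60)):
    """Return 4689 events for watch-listed images that were not followed by a
    4688 (restart) of the same image within restart_grace."""
    alerts = []
    for ev in events:
        if ev.event_id != 4689 or basename(ev.image) not in WATCHLIST:
            continue
        restarted = any(
            other.event_id == 4688
            and basename(other.image) == basename(ev.image)
            and ev.time < other.time <= ev.time + restart_grace
            for other in events
        )
        if not restarted:
            alerts.append(ev)
    return alerts


def detect_bursts(alerts, window=timedelta(seconds=10), threshold=2):
    """Group time-ordered alerts into windows; `threshold` or more distinct
    watch-listed images exiting inside one window is reported as a burst."""
    bursts = []
    i = 0
    while i < len(alerts):
        start = alerts[i].time
        group = [a for a in alerts if start <= a.time <= start + window]
        names = sorted({basename(a.image) for a in group})
        if len(names) >= threshold:
            bursts.append((start, names))
            i += len(group)  # alerts are sorted, so the group is contiguous
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    alerts = detect_unexpected_exits(parse_export(SAMPLE_EXPORT))
    for a in alerts:
        print(f"{a.time.isoformat()} unexpected exit: {a.image} pid={a.pid} status={a.exit_status}")
    for start, names in detect_bursts(alerts):
        print(f"{start.isoformat()} burst of {len(names)} watch-listed exits: {', '.join(names)}")
```

The grace window separates a planned restart (the second `edr_agent.exe` exit is followed by a new 4688 within seconds) from a kill with no recovery, and the burst rule catches several protected processes going down in the same few seconds, which a single-process threshold would miss.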
How to Mitigate CVE-2024-1853
Immediate Actions Required
- Review systems for installations of Zemana AntiLogger v2.74.204.664 and consider removal or replacement
- Restrict local user access to systems running the vulnerable software
- Implement application whitelisting to prevent unauthorized programs from accessing the vulnerable drivers
- Monitor for exploitation attempts using endpoint security solutions
Patch Information
At the time of this advisory, specific patch information from Zemana was not available in the vulnerability data. Organizations should monitor the Zemana AntiLogger product page for security updates and apply any available patches as they are released. Contact Zemana support directly for guidance on remediation options.
Workarounds
- Consider temporarily uninstalling Zemana AntiLogger until a patch is available
- Implement strict access controls to limit which users can execute programs that interact with kernel drivers
- Use Device Guard or Windows Defender Application Control (WDAC) policies to restrict driver access
- Deploy compensating controls through endpoint protection platforms to detect and block exploitation attempts
- Segment systems running the vulnerable software from critical infrastructure
# Check for installed vulnerable drivers (run from an elevated prompt;
# in PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly)
sc.exe query zam64
sc.exe query zamguard64
# If vulnerable, consider stopping the driver services (may require reboot)
# Note: This will disable Zemana AntiLogger functionality
sc.exe stop zam64
sc.exe config zam64 start= disabled
sc.exe stop zamguard64
sc.exe config zamguard64 start= disabled
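As an added example for the driver check above (not part of the advisory and not Zemana tooling), the following Python parses `sc.exe query` output for the two driver service names the advisory lists, so the check can be collected from many hosts and the remediation commands generated consistently. The sample outputs are constructed rather than captured; a present driver service shows the product is installed, and its version must still be confirmed against the affected build before treating the host as vulnerable.

```python
import re
import subprocess
import sys

# Driver service names taken from the advisory.
DRIVER_SERVICES = ("zam64", "zamguard64")

# Constructed sample of `sc.exe query` output for a present, running kernel driver.
SAMPLE_RUNNING = """\
SERVICE_NAME: zam64
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed sample for a service that is not installed (Win32 error 1060).
SAMPLE_MISSING = """\
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""


def parse_sc_query(output):
    """Classify one `sc.exe query` output as 'missing', 'stopped' or 'running'."""
    if "FAILED 1060" in output or "does not exist" in output:
        return "missing"
    m = re.search(r"^\s*STATE\s*:\s*(\d+)\s+(\w+)", output, re.MULTILINE)
    if not m:
        raise ValueError("unrecognised sc.exe query output")
    # State code 1 is STOPPED; 4 is RUNNING. Transitional codes (start/stop
    # pending) are treated as running so they are not overlooked.
    return "stopped" if m.group(1) == "1" else "running"


def assess(states):
    """Turn {service: state} into a finding plus the advisory's remediation
    commands for each driver service that is present."""
    present = [svc for svc, st in states.items() if st != "missing"]
    if not present:
        return "absent", []
    commands = []
    for svc in present:
        if states[svc] == "running":
            commands.append(f"sc.exe stop {svc}")
        commands.append(f"sc.exe config {svc} start= disabled")
    finding = "present_running" if any(states[s] == "running" for s in present) else "present_stopped"
    return finding, commands


def query_host():
    """Run the live check on a Windows host (needs sc.exe; stopping needs elevation)."""
    states = {}
    for svc in DRIVER_SERVICES:
        proc = subprocess.run(["sc.exe", "query", svc], capture_output=True, text=True)
        states[svc] = parse_sc_query(proc.stdout + proc.stderr)
    return states


if __name__ == "__main__":
    if sys.platform == "win32":
        states = query_host()
    else:
        # Off Windows, demonstrate on the constructed samples.
        states = {"zam64": parse_sc_query(SAMPLE_RUNNING),
                  "zamguard64": parse_sc_query(SAMPLE_MISSING)}
    finding, commands = assess(states)
    print(finding, states)
    for cmd in commands:
        print("  ", cmd)
```

Running it on a Windows host prints the finding and, for a present driver, the exact `sc.exe` lines to stop and disable it; the parser keeps the decision logic identical whether the output comes from the local machine or from a fleet collection job.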
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.