CVE-2024-37985 Overview
CVE-2024-37985 is a Windows Kernel Information Disclosure vulnerability affecting ARM64-based Windows 11 systems. This vulnerability allows a local attacker with low privileges to potentially disclose sensitive kernel memory information. The vulnerability is classified under CWE-1037, which relates to processor optimization removal or modification of security-critical code, suggesting this may be related to speculative execution side-channel attacks or similar processor-level vulnerabilities.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to leak sensitive kernel memory information, potentially exposing cryptographic keys, credentials, or other security-sensitive data from across security boundaries.
Affected Products
- Microsoft Windows 11 22H2 (ARM64)
- Microsoft Windows 11 23H2 (ARM64)
Discovery Timeline
- September 17, 2024 - CVE-2024-37985 published to NVD
- September 29, 2024 - Last updated in NVD database
Technical Details for CVE-2024-37985
Vulnerability Analysis
This vulnerability exists within the Windows kernel on ARM64 architecture systems. The classification under CWE-1037 (Processor Optimization Removal or Modification of Security-Critical Code) indicates this is likely a hardware-software interaction vulnerability where processor optimizations can be exploited to leak information across security boundaries.
The vulnerability requires local access to exploit, meaning an attacker must already have some level of access to the target system. While the attack complexity is high, successful exploitation can result in disclosure of high-confidentiality information from kernel memory space. The scope is changed, meaning the vulnerability can impact resources beyond the vulnerable component's security scope—potentially allowing user-mode processes to access kernel-mode memory contents.
Root Cause
The root cause appears to be related to processor optimization behaviors on ARM64 architecture that can be exploited to bypass normal memory isolation mechanisms. This classification (CWE-1037) is commonly associated with speculative execution vulnerabilities where the processor's performance optimizations inadvertently create side channels that leak memory contents.
On ARM64 processors, these vulnerabilities can manifest through various microarchitectural behaviors including branch prediction, speculative loads, or cache timing attacks that allow inferring kernel memory contents from user space.
Attack Vector
The attack vector is local, requiring the attacker to execute code on the target system. The exploitation involves:
- Initial Access: Attacker gains local user-level access to a Windows 11 ARM64 system
- Exploitation Setup: Attacker prepares code to manipulate processor speculation or cache state
- Side-Channel Execution: Malicious code triggers the vulnerable kernel code path while observing timing or cache state changes
- Information Extraction: Sensitive kernel memory contents are inferred through the side channel, potentially including credentials, cryptographic keys, or memory layout information
The attack crosses security boundaries (changed scope), meaning kernel memory that should be isolated from user processes becomes accessible through the exploitation technique.
Detection Methods for CVE-2024-37985
Indicators of Compromise
- Unusual CPU performance counter access patterns from user-mode applications
- Suspicious processes repeatedly accessing timing or cache measurement mechanisms
- Abnormal kernel memory access patterns or page fault behaviors
- Processes exhibiting characteristics of side-channel attack tools or frameworks
Detection Strategies
- Monitor for processes using high-resolution timers or performance counters in unusual patterns
- Implement behavioral detection for known side-channel attack techniques targeting ARM64 processors
- Deploy endpoint detection rules that identify memory probing behaviors characteristic of speculative execution attacks
- Utilize SentinelOne's kernel-level monitoring to detect suspicious memory access patterns
Monitoring Recommendations
- Enable enhanced Windows Event logging for kernel-level activities on ARM64 systems
- Monitor for newly installed drivers or kernel extensions that could facilitate exploitation
- Track process behaviors that indicate attempts to measure cache timing or memory access latency
- Implement SentinelOne Singularity Platform for real-time kernel activity monitoring and threat detection
How to Mitigate CVE-2024-37985
Immediate Actions Required
- Apply the latest Windows security updates from Microsoft immediately
- Prioritize patching all Windows 11 ARM64 systems (22H2 and 23H2 versions)
- Review systems for signs of exploitation before patching
- Enable all available microarchitectural security mitigations through Windows Security settings
Patch Information
Microsoft has released security updates to address this vulnerability. The official security guidance and patches are available through the Microsoft Security Update Guide. Organizations should apply the September 2024 security updates to all affected Windows 11 ARM64 systems.
The patch likely includes kernel-level mitigations to prevent the exploitation of processor optimization behaviors that enable the information disclosure.
Workarounds
- Limit local access to ARM64 Windows 11 systems to trusted users only
- Implement application control policies to prevent execution of unauthorized code
- Consider enabling additional speculative execution mitigations if available through registry settings
- Monitor affected systems closely until patches can be applied
# Verify Windows 11 ARM64 patch status using PowerShell
# Check for installed security updates
Get-HotFix | Where-Object {$_.InstalledOn -gt (Get-Date).AddDays(-30)} | Format-Table -AutoSize
# Verify system architecture and version
Get-ComputerInfo | Select-Object OsArchitecture, OsVersion, WindowsVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
