CVE-2024-45181 Overview
CVE-2024-45181 is a kernel memory corruption vulnerability in the WibuKey64.sys driver shipped with WIBU-SYSTEMS WibuKey before v6.70. An improper bounds check in the driver allows crafted IOCTL packets to trigger an arbitrary address write in kernel memory. A local authenticated attacker can exploit this flaw to corrupt kernel structures and escalate privileges on affected Windows hosts. The vulnerability is classified under [CWE-787] Out-of-Bounds Write and [CWE-119] Improper Restriction of Operations within the Bounds of a Memory Buffer. WIBU-SYSTEMS addressed the issue in WibuKey v6.70.
Critical Impact
Local privilege escalation through arbitrary kernel memory writes leading to full system compromise on Windows endpoints running vulnerable WibuKey driver versions.
Affected Products
- WIBU-SYSTEMS WibuKey versions prior to v6.70
- WibuKey64.sys kernel driver
- Microsoft Windows hosts with the vulnerable driver installed
Discovery Timeline
- 2024-09-12 - CVE-2024-45181 published to NVD
- 2024-09-18 - Last updated in NVD database
Technical Details for CVE-2024-45181
Vulnerability Analysis
The vulnerability resides in WibuKey64.sys, a kernel-mode driver that handles licensing and copy-protection requests from user-mode components. The driver exposes an IOCTL interface accessible to local users. When the driver processes crafted input packets, it fails to validate buffer boundaries before writing to memory addresses derived from user-controlled data. This results in an arbitrary kernel address write primitive. An attacker holding low-privilege local access can issue malicious IOCTL requests to corrupt kernel objects, hijack control flow, or overwrite security tokens to gain SYSTEM privileges.
Root Cause
The root cause is an improper bounds check on attacker-supplied data during IOCTL packet handling. The driver trusts size or offset fields from the request buffer without validating that the resulting write falls within an allocated, intended memory region. This classic [CWE-787] out-of-bounds write pattern in a kernel driver elevates the impact from a memory corruption bug to a kernel compromise primitive.
Attack Vector
Exploitation requires local access with low privileges on a Windows system where the WibuKey driver is loaded. No user interaction is required. The attacker opens a handle to the driver device object and submits a crafted DeviceIoControl request whose payload triggers the arbitrary write. Typical post-exploitation steps include overwriting the Token pointer in the current process's EPROCESS structure with that of a SYSTEM process, granting full administrative control. Refer to the WIBU Security Advisory WIBU-94453 for vendor-supplied technical details.
Detection Methods for CVE-2024-45181
Indicators of Compromise
- Presence of WibuKey64.sys with a file version lower than 6.70 on Windows endpoints
- Unexpected loading of the WibuKey driver by non-licensing processes
- Windows kernel bugchecks such as KMODE_EXCEPTION_NOT_HANDLED or PAGE_FAULT_IN_NONPAGED_AREA referencing WibuKey64.sys
- Unprivileged processes acquiring SYSTEM tokens shortly after opening a handle to the WibuKey device
Detection Strategies
- Inventory all hosts for WibuKey64.sys and compare file versions against the patched 6.70 baseline
- Hunt for DeviceIoControl activity targeting WibuKey device names from non-licensing or unsigned binaries
- Alert on token manipulation patterns where a low-integrity process inherits a SYSTEM token without a parent process transition
- Monitor for crash dumps and Event ID 1001 entries naming the WibuKey driver
Monitoring Recommendations
- Enable kernel driver load auditing and forward Sysmon Event ID 6 to a centralized log platform
- Track process privilege changes through Windows Event ID 4672 correlated with handles to WibuKey devices
- Maintain an allowlist of expected processes that interact with the WibuKey driver and alert on deviations
How to Mitigate CVE-2024-45181
Immediate Actions Required
- Upgrade WibuKey to version 6.70 or later on all affected Windows hosts
- Identify systems where WibuKey is installed but no longer required and remove the software entirely
- Restrict local logon rights to trusted administrators on systems that cannot be patched immediately
- Apply application allowlisting to block untrusted binaries from issuing IOCTLs to the WibuKey driver
Patch Information
WIBU-SYSTEMS released WibuKey v6.70 to correct the bounds check in WibuKey64.sys. Patch details and downloads are available through the WIBU Security Advisory WIBU-94453 and the WIBU Official Website. Administrators should validate driver version 6.70 or higher after deployment.
Workarounds
- Disable or unload the WibuKey64.sys driver on systems that do not require WibuKey-protected applications
- Limit interactive and remote local access to reduce the pool of users capable of invoking the vulnerable IOCTL
- Use Windows Defender Application Control or AppLocker policies to prevent unauthorized processes from opening handles to the WibuKey device
# Verify installed WibuKey driver version on Windows
powershell -Command "Get-Item 'C:\Windows\System32\drivers\WibuKey64.sys' | Select-Object -ExpandProperty VersionInfo"
# Stop and disable the WibuKey service if WibuKey is not required
sc.exe stop WibuKey
sc.exe config WibuKey start= disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
