CVE-2024-45383 Overview
A mishandling of IRP (I/O Request Packet) requests vulnerability exists in the HDAudBus_DMA interface of Microsoft High Definition Audio Bus Driver. This driver vulnerability allows a locally authenticated attacker to trigger a denial-of-service condition by issuing multiple IRP Complete requests through a specially crafted application. The vulnerability is classified under CWE-664 (Improper Control of a Resource Through its Lifetime), indicating issues with how the driver manages resource lifecycle operations.
Critical Impact
Local attackers can execute a malicious application to crash the audio subsystem, causing system instability and denial of service on affected Windows systems.
Affected Products
- Microsoft High Definition Audio Bus Driver version 10.0.19041.3636
- Windows systems running the affected HDAudBus driver version
- Systems with WinBuild.160101.0800 build configuration
Discovery Timeline
- September 12, 2024 - CVE-2024-45383 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-45383
Vulnerability Analysis
The vulnerability resides in the HDAudBus_DMA interface of the Microsoft High Definition Audio Bus Driver. The core issue involves improper handling of IRP Complete requests, which are fundamental to Windows kernel-mode driver operations. When a driver receives an I/O request, it must properly manage the lifecycle of that request through completion. In this case, the driver fails to properly validate or track IRP completion states, allowing an attacker to submit multiple completion requests for the same IRP.
This improper resource control vulnerability (CWE-664) manifests when the driver does not adequately synchronize or validate IRP completion operations. The HDAudBus_DMA interface, responsible for Direct Memory Access operations in the audio subsystem, becomes the attack surface for this exploitation.
Root Cause
The root cause is improper control of resource lifecycle management within the HDAudBus_DMA interface. The driver fails to implement proper state tracking for IRP requests, allowing multiple IRP Complete operations to be issued against the same request. This indicates a lack of proper reference counting or state validation in the driver's IRP handling logic. When multiple completion requests are processed for a single IRP, the driver enters an inconsistent state leading to system instability.
Attack Vector
The attack requires local access to the target system with low privileges, though user interaction is needed to execute the malicious payload. An attacker must craft a malicious application that:
- Opens a handle to the HDAudBus driver interface
- Initiates I/O operations through the HDAudBus_DMA interface
- Issues multiple IRP Complete requests in rapid succession
- Exploits the improper resource handling to trigger a denial-of-service condition
The attack leverages standard Windows kernel I/O interfaces to interact with the vulnerable driver component. No network access is required, making this a local-only attack vector.
For detailed technical analysis, refer to the Talos Intelligence Vulnerability Report.
Detection Methods for CVE-2024-45383
Indicators of Compromise
- Unexpected audio subsystem crashes or failures on Windows systems
- System event logs showing hdaudbus.sys driver errors or blue screen of death (BSOD) events
- Unusual application activity attempting to interact with audio driver interfaces
- Repeated audio device disconnection and reconnection events
Detection Strategies
- Monitor Windows Event Logs for driver-related errors in the hdaudbus.sys component
- Deploy endpoint detection rules to identify applications making excessive IRP requests to audio driver interfaces
- Configure system monitoring to alert on unexpected audio subsystem restarts or failures
- Implement SentinelOne behavioral AI to detect anomalous application interactions with kernel-mode drivers
Monitoring Recommendations
- Enable Windows Driver Framework (WDF) logging for audio drivers to capture abnormal IRP patterns
- Monitor process behavior for applications that spawn and rapidly interact with audio device handles
- Review system stability reports for recurring audio driver-related crashes
- Implement kernel-mode driver monitoring through endpoint protection platforms
How to Mitigate CVE-2024-45383
Immediate Actions Required
- Verify the version of the Microsoft High Definition Audio Bus Driver installed on affected systems
- Restrict execution of untrusted applications on systems with the vulnerable driver version
- Monitor for unusual audio driver behavior until patches are applied
- Apply the principle of least privilege to limit local user access where possible
Patch Information
Organizations should monitor Microsoft security updates for patches addressing the High Definition Audio Bus Driver vulnerability. The affected driver version is 10.0.19041.3636. Contact Microsoft Support or check Windows Update for the latest driver versions that address this vulnerability.
For additional technical details and updates, consult the Talos Intelligence Vulnerability Report.
Workarounds
- Implement application whitelisting to prevent execution of untrusted applications
- Use Windows Defender Application Control (WDAC) policies to restrict which applications can interact with driver interfaces
- Consider temporarily disabling non-essential audio functionality on critical systems until patched
- Deploy SentinelOne endpoint protection to detect and prevent exploitation attempts through behavioral analysis
# Verify installed audio driver version using PowerShell
Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like "*High Definition Audio*"} | Select-Object DeviceName, DriverVersion
# Check driver file version
Get-Item C:\Windows\System32\drivers\hdaudbus.sys | Select-Object VersionInfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
