CVE-2018-20029
📋 TL;DR
This vulnerability in NoMachine's DokanFS library allows local users on Windows 10 systems to cause a Blue Screen of Death (BSOD) denial of service by reading uninitialized memory in the nxfs.sys driver. The issue affects NoMachine installations on Windows 10 where the vulnerable driver is loaded. Only local authenticated users can trigger this condition.
💻 Affected Systems
- NoMachine
📦 What is this software?
Dokany by Dokan Dev
Nomachine by Nomachine
⚠️ Risk & Real-World Impact
Worst Case
System crashes with BSOD, causing service disruption and potential data loss if unsaved work exists. Repeated exploitation could lead to persistent availability issues.
Likely Case
Local user causes temporary system crash requiring reboot, disrupting productivity but not compromising data integrity or confidentiality.
If Mitigated
With proper patching, no impact beyond normal system operation.
🎯 Exploit Status
Exploitation requires local access to the Windows system. No evidence of public exploit code or widespread weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.6
Vendor Advisory: https://www.nomachine.com/TR11P08975
Restart Required: Yes
Instructions:
1. Download NoMachine version 6.4.6 or later from the official website.
2. Run the installer to upgrade your existing installation.
3. Restart the system to ensure the new driver loads properly.
🔧 Temporary Workarounds
Disable NoMachine Service
Windows: Temporarily stop the NoMachine service to prevent the vulnerable driver from being loaded.
sc stop nomachine
sc config nomachine start= disabled
Remove Driver Loading
Windows: Prevent the nxfs.sys driver from loading at system startup.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\nomachine" /v Start /t REG_DWORD /d 4 /f
🧯 If You Can't Patch
- Restrict local user access to systems running vulnerable NoMachine versions
- Implement application whitelisting to prevent unauthorized execution of potential exploit code
🔍 How to Verify
Check if Vulnerable:
Check the NoMachine version in Help > About. If the version is earlier than 6.4.6, the system is vulnerable.
Check Version:
"%ProgramFiles%\NoMachine\bin\nomachine.exe" --version
Verify Fix Applied:
Verify that the NoMachine version is 6.4.6 or later in Help > About. Check that the nxfs.sys driver version has been updated.
📡 Detection & Monitoring
Log Indicators:
- Windows System Event ID 41 (unexpected shutdown)
- Bugcheck codes in Windows Event Log
- NoMachine service crash logs
Network Indicators:
- Sudden loss of NoMachine connectivity followed by system reboot
SIEM Query:
EventID=41 AND Source="Microsoft-Windows-Kernel-Power" AND ComputerName CONTAINS "nomachine-host"
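An added example (not part of the advisory or NoMachine's tooling) that applies the Event ID 41 indicator above to exported event records and keeps only hosts whose NoMachine version is below 6.4.6. The record keys, the host-to-version inventory, the 24-hour window and the threshold of two are assumptions; the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIXED = (6, 4, 6)  # patch version stated on this page

def parse_version(text):
    """Numeric compare, so '6.4.10' sorts after '6.4.6' (a string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def is_vulnerable(version):
    return parse_version(version) < FIXED

def flag_hosts(events, inventory, window=timedelta(hours=24), threshold=2):
    """Unpatched hosts with >= threshold bugcheck reboots inside `window`."""
    crashes = defaultdict(list)
    for e in events:
        if (e["EventID"] == 41
                and e["Source"] == "Microsoft-Windows-Kernel-Power"
                and int(e.get("BugcheckCode", 0)) != 0  # 0: no stop code recorded
                # a host missing from the inventory is treated as unpatched
                and is_vulnerable(inventory.get(e["Computer"], "0"))):
            crashes[e["Computer"]].append(datetime.fromisoformat(e["Time"]))
    flagged = {}
    for host, times in crashes.items():
        times.sort()
        # any `threshold` consecutive crashes that fit inside the window
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = times
                break
    return flagged

# Constructed sample data (hypothetical hosts, versions and stop codes).
INVENTORY = {"ws-01": "6.3.6", "ws-02": "6.4.10", "ws-03": "6.2.0"}
KP = "Microsoft-Windows-Kernel-Power"
SAMPLE_EVENTS = [
    {"EventID": 41, "Source": KP, "Computer": "ws-01", "Time": "2019-01-10T09:02:11", "BugcheckCode": 80},
    {"EventID": 41, "Source": KP, "Computer": "ws-01", "Time": "2019-01-10T14:40:03", "BugcheckCode": 80},
    {"EventID": 41, "Source": KP, "Computer": "ws-02", "Time": "2019-01-10T10:00:00", "BugcheckCode": 80},
    {"EventID": 41, "Source": KP, "Computer": "ws-02", "Time": "2019-01-10T11:00:00", "BugcheckCode": 80},
    {"EventID": 41, "Source": KP, "Computer": "ws-03", "Time": "2019-01-10T08:00:00", "BugcheckCode": 0},
    {"EventID": 41, "Source": KP, "Computer": "ws-03", "Time": "2019-01-10T08:30:00", "BugcheckCode": 80},
]

if __name__ == "__main__":
    for host, times in flag_hosts(SAMPLE_EVENTS, INVENTORY).items():
        print(host, INVENTORY[host], [t.isoformat() for t in times])
```

A flagged host only shows repeated bugcheck reboots on an unpatched install; the stop code and crash dump still have to be checked to tie the crash to nxfs.sys.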