CVE-2021-44968

7.8 HIGH

📋 TL;DR

This CVE describes a Use-After-Free vulnerability in IOBit Advanced SystemCare 15 Pro's kernel driver. Attackers can exploit it by sending specific IOCTL requests in sequence, potentially leading to arbitrary code execution with kernel privileges or system crashes. Users running the vulnerable software are affected.

💻 Affected Systems

Products:
  • IOBit Advanced SystemCare 15 Pro
Versions: Not specified beyond the 15 Pro release line; the CVE entry does not identify a first fixed version
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires driver installation; standard users with local access can trigger the vulnerability.

📦 What is this software?

IObit Advanced SystemCare is a Windows system cleanup and optimization suite. The Pro edition installs a kernel-mode driver that the product's user-mode components talk to through IOCTLs; that IOCTL interface is where this vulnerability lives, and any local process that can open the device object can reach it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains kernel-level code execution, enabling complete system compromise, persistence, and bypass of security controls.

🟠

Likely Case

Local privilege escalation from a standard user to SYSTEM (the driver runs in kernel mode, so there is no user-mode boundary left to cross), or denial of service through a kernel crash (BSOD) when the freed object is reused.

🟢

If Mitigated

Attack fails because the IOCTL sequence cannot be issued: the attacker has no code execution on the host, the driver is not loaded, or application control blocks the driver from being loaded at all.

🌐 Internet-Facing: LOW - Requires local access to system; not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers (including malware or compromised accounts) can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local code execution and knowledge of the specific IOCTL sequence that triggers the use-after-free; public research is available in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - Check IOBit updates for Advanced SystemCare 15 Pro

Vendor Advisory: Not provided in CVE

Restart Required: Yes

Instructions:

1. Open Advanced SystemCare 15 Pro.
2. Check for updates in settings.
3. Install the latest version.
4. Restart the computer so the old driver is unloaded and the updated one is loaded.

🔧 Temporary Workarounds

Disable or remove driver

windows

Uninstall Advanced SystemCare, or stop and delete its kernel driver service so the device object is no longer reachable. The CVE does not name the driver, so list the registered driver services first and substitute the real name for the placeholder below; the commands need an elevated prompt. The product may re-register its driver the next time it starts, so uninstalling is the durable option.

sc query type= driver state= all | findstr /i "iobit"
sc stop <iobit_driver_service>
sc delete <iobit_driver_service>

Restrict driver access

windows

Use a Windows Defender Application Control (WDAC) policy that denies the driver by file hash or file publisher. Deny rules must be merged into an existing allow-based policy: WDAC blocks anything not explicitly allowed, so an enforced policy containing only deny rules blocks every other driver and binary as well. Check whether the driver is already covered by Microsoft's recommended driver block rules before writing a custom rule.

🧯 If You Can't Patch

  • Restrict local user access to systems running vulnerable software
  • Monitor driver service installs and driver loads (System Event ID 7045, Sysmon Event ID 6) with EDR/Sysmon, and treat unexplained kernel crashes on hosts running this product as possible exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether Advanced SystemCare 15 Pro appears in the installed programs list and whether its kernel driver service is registered and running (e.g. driverquery /v, or sc query type= driver state= all). A host is exposed only while the driver is loaded, so both checks matter.

Check Version:

Check program version in Advanced SystemCare settings or Windows Programs list.

Verify Fix Applied:

Verify that the updated product version is installed and that the loaded driver's file version (or file hash) differs from the one recorded before the update; a product update that leaves the same driver file loaded has not closed the exposure.
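The checks above carried out as one script, as an added example for this page (not code from the CVE entry or from IObit). Because the CVE does not name the driver, it identifies IObit drivers by two heuristics, both assumptions: the service name, display name or image path contains "iobit" or "advanced systemcare", or the .sys file is Authenticode-signed by IObit. Run it in an elevated session before and after the update and compare the Version and Path columns.

```powershell
# Added example; not code from the CVE entry or from IObit.
# Assumptions: the driver service/display name or image path contains "iobit" or
# "advanced systemcare", or the .sys file is signed by IObit. Run elevated.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalize to a real file path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''            # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\...   -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {     # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-IObitDriverStatus {
    param([string]$NamePattern = 'iobit|advanced ?systemcare')   # assumption, see above
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        $sig = $null; $ver = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
        $signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $byName   = ("$($drv.Name) $($drv.DisplayName) $path") -match $NamePattern
        $bySigner = $signer -match 'iobit'
        if ($byName -or $bySigner) {
            [pscustomobject]@{
                Service   = $drv.Name
                State     = $drv.State        # 'Running' means the device object is reachable
                StartMode = $drv.StartMode
                Path      = $path
                Version   = $ver              # record before and after the update
                Signer    = $signer
                SigStatus = if ($sig) { $sig.Status } else { 'NotChecked' }
            }
        }
    }
}

function Get-AdvancedSystemCareInstall {
    # Installed-programs view: the same data "Programs and Features" shows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Advanced SystemCare*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
}

$install = @(Get-AdvancedSystemCareInstall)
$drivers = @(Get-IObitDriverStatus)

if (-not $install -and -not $drivers) {
    Write-Host 'Advanced SystemCare not found and no IObit kernel driver registered.'
} else {
    $install | Format-Table -AutoSize
    $drivers | Format-Table -AutoSize
    if ($drivers | Where-Object State -eq 'Running') {
        Write-Warning 'An IObit kernel driver is loaded: confirm the product version is post-fix before treating this host as patched.'
    }
}
```

The signer check exists because a product update can rename or move the driver file; a certificate subject match still finds it. A driver that shows State = Stopped is not currently exploitable, but its StartMode tells you whether it will come back at the next boot or product launch.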

📡 Detection & Monitoring

Log Indicators:

  • Driver load events for iobit driver
  • Unusual IOCTL requests to the driver (not logged by Windows by default; visibility requires ETW tracing or an EDR that records device I/O)
  • System crash logs: a BugCheck record (System Event ID 1001) following user-mode activity against the driver

Network Indicators:

  • Not network exploitable

SIEM Query:

System log:  EventID=7045 AND (ServiceName contains 'iobit' OR ImagePath contains 'iobit')
Sysmon:      EventID=6 AND ImageLoaded contains 'iobit'
System log:  Provider='Microsoft-Windows-WER-SystemErrorReporting' AND EventID=1001   (BugCheck after crash; correlate with the two above)
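The same three indicators pulled from a single host's event logs, as an added example for this page (not code from the CVE entry). The "iobit" match pattern is an assumption, since the CVE does not name the driver; the Sysmon channel is only present where Sysmon is installed and is skipped silently otherwise. IOCTL traffic itself is not in these logs, so this covers the driver-install, driver-load and crash indicators only.

```powershell
# Added example; not part of the CVE entry. Assumptions: the driver's service name or
# image path contains "iobit"; Sysmon is installed for Event ID 6 (otherwise skipped).
# Run elevated so the System log is readable in full.

function ConvertTo-EventDataTable {
    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $x = [xml]$Event.ToXml()
    if ($x.Event.EventData) {
        foreach ($d in $x.Event.EventData.Data) { $h[[string]$d.Name] = [string]$d.'#text' }
    }
    return $h
}

function Get-IObitDriverIndicators {
    param([string]$Pattern = 'iobit', [int]$Days = 30)   # pattern is an assumption
    $since = (Get-Date).AddDays(-$Days)
    $hits  = [System.Collections.Generic.List[object]]::new()

    # 1. System 7045: Service Control Manager registered a new service or kernel driver.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if ($d['ServiceName'] -match $Pattern -or $d['ImagePath'] -match $Pattern) {
            $hits.Add([pscustomobject]@{ Time = $_.TimeCreated; Source = 'System/7045'
                                          Detail = "$($d['ServiceName']) <- $($d['ImagePath']) ($($d['ServiceType']))" })
        }
      }

    # 2. Sysmon 6: kernel driver loaded, with the image's signature status.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if ($d['ImageLoaded'] -match $Pattern) {
            $hits.Add([pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon/6'
                                          Detail = "$($d['ImageLoaded']) signed=$($d['Signed']) status=$($d['SignatureStatus'])" })
        }
      }

    # 3. System 1001 (BugCheck): crash record; its timing relative to 7045/6 is the signal.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $hits.Add([pscustomobject]@{ Time = $_.TimeCreated; Source = 'System/1001'
                                      Detail = ($_.Message -split "`r?`n")[0].Trim() })
      }

    return $hits | Sort-Object Time
}

Get-IObitDriverIndicators | Format-Table -AutoSize -Wrap
```

A 7045 for the driver on a host where the product was not just installed, or a 1001 BugCheck shortly after a Sysmon 6 load of the driver, is the pattern worth escalating; a lone 7045 at product install time is expected.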

🔗 References
