CVE-2023-43896

7.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in Macrium Reflect backup software allows attackers to escalate privileges or execute arbitrary code. This affects users running Macrium Reflect 8.1.7544 and earlier versions on Windows systems. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Macrium Reflect
Versions: 8.1.7544 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable. The vulnerability exists in a driver component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM/root privileges, enabling installation of persistent malware, data theft, or ransomware deployment.

🟠 Likely Case: Local privilege escalation allowing attackers to bypass security controls and gain administrative access to the system.

🟢 If Mitigated: Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Attackers with initial access to a system can escalate privileges to compromise the entire machine and potentially move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. Public technical details and proof-of-concept code are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.7545 and later

Vendor Advisory: https://knowledgebase.macrium.com/display/KNOW80/CVE-2023-43896+Advisory

Restart Required: Yes

Instructions:

1. Download the latest Macrium Reflect from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. Restart the system when prompted.

🔧 Temporary Workarounds

Uninstall Macrium Reflect (windows)

Remove the vulnerable software entirely if it is not needed:

Control Panel > Programs > Uninstall a program > Select Macrium Reflect > Uninstall

Restrict driver loading (windows)

Use Windows security policies to restrict loading of the vulnerable driver:

Use Group Policy: Computer Configuration > Windows Settings > Security Settings > System Services > Configure driver start type

🧯 If You Can't Patch

  • Implement application control/whitelisting to prevent execution of unauthorized binaries
  • Enforce least privilege principles and remove local administrator rights from standard users

🔍 How to Verify

Check if Vulnerable:

Check Macrium Reflect version in Help > About or Programs and Features

Check Version:

wmic product where name="Macrium Reflect" get version

Verify Fix Applied:

Verify version is 8.1.7545 or later in Help > About
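As an added check that is not part of the advisory, the following PowerShell script reads the installed Macrium Reflect version from the Windows Uninstall registry keys and compares it against the patched build 8.1.7545 named above; the assumption that the product's Uninstall entry has a DisplayName containing "Macrium Reflect" and a dotted DisplayVersion is mine, not something the page states.

```powershell
# Added example (not vendor code): report whether the installed Macrium Reflect
# build is below the patched version for CVE-2023-43896 (8.1.7544 and earlier affected).
# Assumption: the installer registers an Uninstall entry whose DisplayName contains
# "Macrium Reflect" and whose DisplayVersion starts with a dotted version number.
$PatchedVersion = [version]'8.1.7545'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-MacriumReflectStatus {
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Macrium Reflect*' -and $_.DisplayVersion }

    if (-not $entries) {
        # Nothing registered: the product is not installed (or uses a different name).
        return [pscustomobject]@{ Installed = $false; Name = $null; Version = $null; Vulnerable = $false }
    }

    foreach ($e in $entries) {
        # DisplayVersion may carry trailing text; keep only the leading dotted numbers
        # so the [version] cast does not throw on strings such as "8.1.7544 (x64)".
        $m = [regex]::Match($e.DisplayVersion, '^\d+(\.\d+)+')
        if (-not $m.Success) { continue }
        $installed = [version]$m.Value
        [pscustomobject]@{
            Installed  = $true
            Name       = $e.DisplayName
            Version    = $installed
            Vulnerable = ($installed -lt $PatchedVersion)   # true for 8.1.7544 and earlier
        }
    }
}

Get-MacriumReflectStatus | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each endpoint, or push it through your configuration management tool to inventory which hosts still need the 8.1.7545 update.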

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Macrium Reflect components
  • Driver loading events for Macrium drivers
  • Privilege escalation attempts

Network Indicators:

  • Outbound connections from Macrium processes to suspicious destinations

SIEM Query:

Process Creation where Image contains "reflect" OR Driver Load where DriverName contains "macrium"
