CVE-2024-10972
📋 TL;DR
This vulnerability allows an attacker with administrative privileges to cause a Blue Screen of Death (BSOD) by manipulating memory access rights during WinPmem's operation. It affects users of Velocidex WinPmem version 4.1 and below who run the tool with admin privileges. The issue stems from improper input validation that allows user-space changes to page permissions mid-routine.
💻 Affected Systems
- Velocidex WinPmem
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash (BSOD) leading to denial of service, potential data loss from unsaved work, and disruption of forensic/memory analysis operations.
Likely Case
Targeted BSOD attacks against systems where WinPmem is running with admin privileges, causing temporary service disruption during incident response or forensic investigations.
If Mitigated
Minimal impact if proper access controls prevent unauthorized users from running WinPmem or if the tool is only used in controlled forensic environments.
🎯 Exploit Status
Requires admin access and ability to run parallel threads during WinPmem operation. Exploitation requires specific timing conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.1.dev1
Vendor Advisory: https://github.com/Velocidex/WinPmem/releases/tag/v4.1.dev1
Restart Required: No
Instructions:
1. Download v4.1.dev1 from GitHub releases.
2. Replace existing WinPmem binaries with the patched version.
3. No restart required as this is a user-space tool.
🔧 Temporary Workarounds
Restrict WinPmem Usage
- Implement a policy that only allows WinPmem execution during authorized incident response operations with proper oversight.
- Use Windows AppLocker or similar to restrict winpmem.sys driver loading.
- Implement least privilege principles for forensic tools.
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from running WinPmem with admin privileges.
- Monitor for unauthorized loading of winpmem.sys driver outside of approved incident response activities.
🔍 How to Verify
Check if Vulnerable:
Check the WinPmem version: if it is 4.1 or below, the system is vulnerable when the tool is run with admin privileges.
Check Version:
winpmem.exe --version or check file properties of winpmem.sys
Verify Fix Applied:
Verify that the WinPmem version is v4.1.dev1 or higher. Test memory acquisition functionality to ensure no BSOD occurs during normal operation.
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service winpmem installed
- Driver load events for winpmem.sys
- Unexpected BSOD events following WinPmem execution
Network Indicators:
- Typically none; WinPmem is a locally executed tool.
SIEM Query:
source="windows" (event_id=7045 AND service_name="winpmem") OR (driver_name="winpmem.sys")
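The log indicators above (Event ID 7045 service installation and driver-load events for winpmem.sys) expressed as detection logic over constructed sample events, with the "outside approved incident response activity" check from the workaround section. This is an added example, not part of the advisory or of the WinPmem project; the record field names are assumptions modelled on the Windows System log and Sysmon Event ID 6 (DriverLoad).

```python
import re

# Constructed sample events (not real telemetry). Field names are assumed to
# follow the Windows System log for 7045 and Sysmon Event ID 6 for driver loads.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "winpmem", "time": "2024-11-06T10:02:11Z",
     "image_path": "C:\\Windows\\Temp\\winpmem.sys"},
    {"event_id": 6, "time": "2024-11-06T10:02:12Z",
     "image_loaded": "C:\\Windows\\Temp\\winpmem.sys"},
    {"event_id": 7045, "service_name": "Spooler", "time": "2024-11-06T10:03:00Z",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 6, "time": "2024-11-06T10:03:05Z",
     "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
]

WINPMEM = re.compile(r"winpmem", re.IGNORECASE)


def is_winpmem_event(ev):
    """Return the matched indicator name, or None if the event is unrelated."""
    if ev.get("event_id") == 7045:
        # Service install: match on the service name or the driver image path.
        haystack = ev.get("service_name", "") + " " + ev.get("image_path", "")
        if WINPMEM.search(haystack):
            return "service-install"
    if ev.get("event_id") == 6 and WINPMEM.search(ev.get("image_loaded", "")):
        return "driver-load"
    return None


def find_winpmem_events(events, approved_window=None):
    """Collect WinPmem indicators and tag each as approved/unapproved.

    approved_window is an optional (start, end) pair of ISO-8601 UTC timestamps
    for an authorized incident response activity; ISO strings in one format
    compare correctly as plain strings, so no datetime parsing is needed.
    """
    hits = []
    for ev in events:
        reason = is_winpmem_event(ev)
        if reason is None:
            continue
        t = ev["time"]
        in_window = approved_window is not None and approved_window[0] <= t <= approved_window[1]
        hits.append({"time": t, "reason": reason,
                     "status": "approved" if in_window else "unapproved"})
    return hits
```

Calling find_winpmem_events(SAMPLE_EVENTS) with no window reports both WinPmem events as unapproved; passing the window of a logged incident response engagement marks them approved, so only loads outside a known engagement need escalation.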