CVE-2024-12659
📋 TL;DR
This vulnerability in IObit Advanced SystemCare Ultimate allows local attackers to trigger a null pointer dereference in the AscRegistryFilter.sys driver via a specific IOCTL handler. This can cause denial of service (system crash/BSOD) on affected systems. Only users running vulnerable versions of this software are impacted.
💻 Affected Systems
- IObit Advanced SystemCare Ultimate
⚠️ Risk & Real-World Impact
Worst Case
System crash/Blue Screen of Death (BSOD) leading to denial of service and potential data loss from unsaved work.
Likely Case
Local denial of service causing system instability or crash, requiring reboot.
If Mitigated
No impact if software is patched or workarounds are implemented.
🎯 Exploit Status
Exploit code has been publicly disclosed. Requires local execution privileges to trigger the IOCTL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Monitor IObit's website for updates to Advanced SystemCare Ultimate beyond version 17.0.0.
🔧 Temporary Workarounds
Uninstall or disable Advanced SystemCare Ultimate
Windows: Remove the vulnerable software to eliminate the attack surface.
Control Panel > Programs > Uninstall a program > Select IObit Advanced SystemCare Ultimate > Uninstall
Restrict access to AscRegistryFilter.sys driver
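Windows: Use Windows security policies to deny read and execute (RX) permissions on the vulnerable driver file. The ACL applies to the file on disk and does not unload a driver that is already running, so confirm after a reboot that the driver is no longer loaded.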
icacls "C:\Windows\System32\drivers\AscRegistryFilter.sys" /deny Everyone:(RX)
🧯 If You Can't Patch
- Implement strict local access controls and privilege separation to limit who can execute code on affected systems.
- Monitor for crash dumps or system instability events that might indicate exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check whether the AscRegistryFilter.sys driver is present in C:\Windows\System32\drivers\ and verify whether the installed Advanced SystemCare Ultimate version is 17.0.0 or earlier.
Check Version:
Check program version in Control Panel > Programs > IObit Advanced SystemCare Ultimate, or run: wmic product where name="Advanced SystemCare Ultimate" get version
Verify Fix Applied:
Confirm that the AscRegistryFilter.sys driver is removed or blocked, or that the software is updated beyond version 17.0.0.
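The checks above can be combined into one read-only PowerShell inventory script. This is an added example, not code from the advisory or from IObit. It assumes the product's uninstall entry has a DisplayName containing "Advanced SystemCare Ultimate", and it reads the uninstall registry keys because `wmic product` only enumerates Windows Installer (MSI) packages, so an empty result there is not proof the software is absent.

```powershell
# Added example (not vendor or advisory code). Read-only; run from 64-bit PowerShell
# so that System32 is not redirected to SysWOW64.
$driverFile   = 'AscRegistryFilter.sys'          # driver named in the advisory
$driverPath   = Join-Path $env:SystemRoot "System32\drivers\$driverFile"
$lastAffected = [version]'17.0.0'                # "17.0.0 or earlier" per the advisory

# Uninstall keys list the product regardless of installer technology.
# Assumption: DisplayName contains the product name used in the advisory.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Advanced SystemCare Ultimate*' } |
    Select-Object -First 1

# Compare only major.minor.build so a "17.0.0.x" build still counts as 17.0.0.
$versionAffected = $null                         # $null means the version is unknown
$parsed = $null
if ($product -and [version]::TryParse([string]$product.DisplayVersion, [ref]$parsed)) {
    $core = [version]::new($parsed.Major, $parsed.Minor, [Math]::Max($parsed.Build, 0))
    $versionAffected = $core -le $lastAffected
}

# The driver can stay registered or loaded after the file is blocked or deleted,
# so check the kernel driver service entry as well as the file on disk.
$service = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -like "*$driverFile" } |
    Select-Object -First 1

$driverPresent = (Test-Path -LiteralPath $driverPath) -or [bool]$service

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    DriverOnDisk    = Test-Path -LiteralPath $driverPath
    DriverState     = if ($service) { $service.State } else { 'NotRegistered' }
    DriverStartMode = if ($service) { $service.StartMode } else { $null }
    ProductVersion  = if ($product) { $product.DisplayVersion } else { $null }
    VersionAffected = $versionAffected
    # Exposed unless the driver is absent or the version is known to be later than 17.0.0.
    Exposed         = $driverPresent -and ($versionAffected -ne $false)
}
```

A host that reports `DriverState` as `Running` after the file ACL workaround was applied still has the driver loaded until it is stopped or the system is rebooted.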
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing system crashes (Event ID 41), driver failures, or unexpected reboots.
- Application logs indicating Advanced SystemCare Ultimate driver issues.
Network Indicators:
- None - this is a local vulnerability with no network component.
SIEM Query:
EventID=41 OR (Source="System" AND EventID=7031) AND Message contains "AscRegistryFilter"
🔗 References
- https://shareforall.notion.site/IOBit-Advanced-SystemCare-Utimate-AscRegistryFilter-0x8001E004-NPD-DOS-15160437bb1e804cbe8fd4d826f8564f
- https://vuldb.com/?ctiid.288528
- https://vuldb.com/?id.288528
- https://vuldb.com/?submit.456038