CVE-2024-21922
📋 TL;DR
This DLL hijacking vulnerability in AMD StoreMI lets a local attacker who can write to a directory on the software's DLL search path get a malicious DLL loaded by the privileged StoreMI process, escalating to SYSTEM-level access. It affects Windows systems running vulnerable AMD StoreMI versions. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- AMD StoreMI
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains SYSTEM privileges and executes arbitrary code, potentially installing persistent malware, stealing credentials, or compromising the entire system.
Likely Case
Local attacker with limited privileges escalates to SYSTEM to install backdoors, ransomware, or credential harvesting tools.
If Mitigated
With proper file permissions and application whitelisting in place, exploitation requires administrative access, so only users who already hold administrative rights could abuse it.
🎯 Exploit Status
DLL hijacking is a well-known attack vector requiring local access. No public exploit code has been released as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AMD StoreMI 3.0.0.111
Vendor Advisory: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4010.html
Restart Required: Yes
Instructions:
1. Download AMD StoreMI 3.0.0.111 from AMD's official website.
2. Uninstall previous versions.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict DLL search path permissions
Windows
Set strict permissions on directories where AMD StoreMI searches for DLLs to prevent unauthorized file placement.
icacls "C:\Program Files\AMD\StoreMI" /deny Everyone:(OI)(CI)(W)
Remove vulnerable software
Windows
Uninstall AMD StoreMI if not required for system functionality.
appwiz.cpl
Select AMD StoreMI and click Uninstall
🧯 If You Can't Patch
- Remove AMD StoreMI from critical systems
- Implement application whitelisting to prevent unauthorized DLL execution
🔍 How to Verify
Check if Vulnerable:
Check AMD StoreMI version in Control Panel > Programs and Features. If version is earlier than 3.0.0.111, the system is vulnerable.
Check Version:
wmic product where name="AMD StoreMI" get version
Verify Fix Applied:
Verify AMD StoreMI version shows 3.0.0.111 or later after update.
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 showing AMD StoreMI processes loading DLLs from unusual locations
- Sysmon Event ID 7 (Image loaded) for AMD StoreMI loading unexpected DLLs
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
source="windows" AND (event_id=4688 OR event_id=7) AND process_name="*StoreMI*" AND (dll_loaded="*\Temp\*" OR dll_loaded="*\Users\*\*" OR dll_loaded="*\Public\*")
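The detection logic behind the SIEM query above, as an added example that is not part of the original advisory or AMD's tooling: it runs over constructed Sysmon Event ID 7 records, rating a load from a user-writable path (the query's three patterns) as high and any load from outside the assumed install and Windows directories as medium. The field names, the install path C:\Program Files\AMD\StoreMI and the sample records are assumptions.

```python
"""Flag Sysmon Event ID 7 records where an AMD StoreMI process loads a DLL from an unexpected path."""

# Constructed sample Sysmon Event ID 7 (Image loaded) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\AMD\StoreMI\StoreMI.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\AMD\StoreMI\StoreMI.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\AMD\StoreMI\StoreMI.exe",
     "ImageLoaded": r"C:\Program Files\AMD\StoreMI\helper.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\AMD\StoreMI\StoreMI.exe",
     "ImageLoaded": r"D:\Tools\shared.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\other.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\AMD\StoreMI\StoreMI.exe"},
]

# Path fragments a standard user can normally write to (the page's SIEM query uses the same three).
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\public\\")
# Directories a StoreMI process is expected to load DLLs from (assumed install path).
EXPECTED_PREFIXES = ("c:\\program files\\amd\\storemi\\", "c:\\windows\\")


def classify_load(image, dll):
    """Return 'high', 'medium' or None for one (loading process, loaded DLL) pair."""
    if "storemi" not in image.lower():
        return None                      # only StoreMI processes are in scope
    path = dll.lower()
    if any(frag in path for frag in USER_WRITABLE):
        return "high"                    # user-writable location: typical hijack placement
    if not path.startswith(EXPECTED_PREFIXES):
        return "medium"                  # unusual location worth an analyst's look
    return None


def flag_suspicious_loads(events):
    """Apply classify_load to every Sysmon Event ID 7 record and return the findings in order."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        severity = classify_load(ev.get("Image", ""), ev.get("ImageLoaded", ""))
        if severity:
            findings.append({"severity": severity, "image": ev["Image"], "dll": ev["ImageLoaded"]})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_loads(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], "->", f["dll"])
```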