CVE-2024-23440

7.1 HIGH

📋 TL;DR

Vba32 Antivirus v3.36.0 contains a driver vulnerability that allows attackers to read arbitrary kernel memory. This affects all systems running the vulnerable antivirus software, potentially exposing sensitive system information.

💻 Affected Systems

Products:
  • Vba32 Antivirus
Versions: v3.36.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges to load the vulnerable driver, but standard users can exploit it once loaded.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel memory disclosure could lead to privilege escalation, credential theft, or system compromise by revealing sensitive kernel structures and pointers.

🟠 Likely Case

Information disclosure of kernel memory contents, potentially exposing system configuration, process data, or other sensitive information.

🟢 If Mitigated

Limited information disclosure with no direct code execution, though leaked information could aid further attacks.

🌐 Internet-Facing: LOW - Requires local access to the system to exploit the driver vulnerability.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised accounts could exploit this to gather system information for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and knowledge of IOCTL handling, but the vulnerability is straightforward to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.anti-virus.by/vba32

Restart Required: No

Instructions:

1. Check vendor website for updated version
2. Uninstall v3.36.0
3. Install latest version if available
4. Monitor vendor communications for security updates

🔧 Temporary Workarounds

Disable Vba32 Antivirus

Temporarily disable or uninstall the vulnerable antivirus software. Stopping and deleting the service removes the user-mode component; afterwards confirm that the Vba32m64.sys driver is no longer loaded (see How to Verify), since a kernel driver that is already loaded is not unloaded by stopping a service.

sc stop Vba32Service
sc delete Vba32Service

Restrict Driver Access

Set restrictive ACLs on the Vba32m64.sys driver file

icacls "C:\Windows\System32\drivers\Vba32m64.sys" /deny Everyone:(R,W,X)

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from running code on affected systems
  • Monitor for suspicious IOCTL calls to the Vba32 driver using security monitoring tools

🔍 How to Verify

Check if Vulnerable:

Check whether Vba32 Antivirus version 3.36.0 is installed and whether the Vba32m64.sys driver is loaded

Check Version:

wmic product where name="Vba32 Antivirus" get version

Verify Fix Applied:

Verify Vba32 Antivirus is updated to a version later than 3.36.0 or completely removed
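As an added example (not part of this advisory and not vendor tooling), the following PowerShell performs both checks above in one pass: it reads the installed Vba32 version from the Uninstall registry keys rather than wmic product, and checks whether Vba32m64.sys is registered and running. The product display-name pattern 'Vba32*' is an assumption; confirm it against a local install.

```powershell
# Added example: host-side exposure check for CVE-2024-23440.
# Assumption: the product registers itself with a DisplayName starting with 'Vba32'.
$VulnerableVersion = [version]'3.36.0'
$DriverFile        = 'Vba32m64.sys'

# Installed products from the Uninstall keys (64-bit and 32-bit views).
# Preferred over 'wmic product', which runs an MSI consistency check on every query.
$uninstallPaths = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'Vba32*' }

# Kernel driver state as seen by the service control manager.
$driver = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
  Where-Object { $_.PathName -like "*$DriverFile" }

$result = [pscustomobject]@{
  ProductFound     = [bool]$products
  InstalledVersion = ($products | Select-Object -First 1).DisplayVersion
  DriverPresent    = [bool]$driver
  DriverRunning    = [bool]($driver | Where-Object { $_.State -eq 'Running' })
  Vulnerable       = $false
}

if ($result.InstalledVersion) {
  try {
    $installed = [version]$result.InstalledVersion
    # The advisory names no fixed release, so treat anything at or below 3.36.0
    # with the driver present as exposed; a later version counts as fixed.
    $result.Vulnerable = ($installed -le $VulnerableVersion) -and $result.DriverPresent
  } catch {
    Write-Warning "Could not parse version '$($result.InstalledVersion)'; review manually."
  }
} elseif ($result.DriverPresent) {
  # Driver registered but no product entry: leftover driver after an incomplete removal.
  Write-Warning "$DriverFile is registered but no Vba32 product entry was found; review manually."
}

$result | Format-List
```

Run from an elevated prompt so the Uninstall keys and driver list are fully readable; a DriverPresent of True after removal means the workaround in the previous section did not fully take effect.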

📡 Detection & Monitoring

Log Indicators:

  • Driver load events for Vba32m64.sys
  • IOCTL calls with code 0x22200B

Network Indicators:

  • No network indicators - local vulnerability only

SIEM Query:

(EventID=6 OR EventID=7) AND (DriverName="Vba32m64.sys" OR ProcessName contains "vba32")
