CVE-2024-36054
📋 TL;DR
This vulnerability in the Hw64.sys driver allows unprivileged user-mode processes to read arbitrary kernel memory through specific IOCTL calls, potentially leading to privilege escalation. It affects Marvin Test HW.exe versions before 5.0.5.0. Attackers could gain SYSTEM privileges by exploiting this memory read primitive.
💻 Affected Systems
- Marvin Test HW.exe
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining SYSTEM privileges, installing persistent malware, stealing credentials, and accessing all system resources.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, or access protected data.
If Mitigated
Limited impact if proper access controls, application whitelisting, and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access but the technique is well-documented for similar kernel memory read vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.5.0
Vendor Advisory: https://www.marvintest.com/KnowledgeBase/KBArticle.aspx?ID=362
Restart Required: Yes
Instructions:
1. Download Marvin Test HW.exe version 5.0.5.0 or later from vendor website.
2. Install the update following vendor instructions.
3. Restart the system to ensure the updated driver loads.
🔧 Temporary Workarounds
Restrict driver loading
Windows: Prevent loading of the vulnerable Hw64.sys driver using Windows security policies
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" /v "DenyDeviceIDs" /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" /v "1" /t REG_SZ /d "PCI\VEN_XXXX&DEV_XXXX"
Replace PCI\VEN_XXXX&DEV_XXXX with the actual hardware ID.
Remove vulnerable software
Windows: Uninstall Marvin Test HW.exe if not required for operations
appwiz.cpl
Select 'Marvin Test HW.exe' and click Uninstall
🧯 If You Can't Patch
- Implement strict access controls to limit who can run Marvin Test HW.exe
- Use application whitelisting to prevent unauthorized execution of exploit tools
🔍 How to Verify
Check if Vulnerable:
Check Marvin Test HW.exe version in Control Panel > Programs and Features, or run the executable and check Help > About
Check Version:
wmic product where name="Marvin Test HW.exe" get version
Verify Fix Applied:
Verify version is 5.0.5.0 or higher, and check that Hw64.sys driver version has been updated
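A scripted form of the two checks above, as an added PowerShell example that is not vendor code or part of the original page: it compares the installed package version numerically against 5.0.5.0 and reports the file version of any registered Hw64.sys driver. The `Marvin Test HW*` display-name pattern and the helper name `Test-VersionFixed` are assumptions.

```powershell
# Added example (not vendor code): audit a Windows host against the 5.0.5.0 fix.
$FixedVersion = [version]'5.0.5.0'    # patch version stated on this page
$NamePattern  = 'Marvin Test HW*'     # assumption: DisplayName starts with the product name

function Test-VersionFixed {
    param([string]$Installed, [version]$Fixed)
    # Pad to four fields so "5.0.5" is treated as 5.0.5.0, then compare numerically;
    # a plain string comparison would wrongly rank 5.0.10.0 below 5.0.5.0.
    $fields = @($Installed.Trim() -split '\.') + @('0', '0', '0')
    $parsed = $null
    if (-not [version]::TryParse(($fields[0..3] -join '.'), [ref]$parsed)) { return $null }
    return ($parsed -ge $Fixed)
}

# Installed packages, from both the 64-bit and 32-bit uninstall registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$packages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Item    = $_.DisplayName
            Version = $_.DisplayVersion
            Fixed   = Test-VersionFixed -Installed $_.DisplayVersion -Fixed $FixedVersion
        }
    }

# Registered kernel drivers whose image is Hw64.sys, wherever it was installed.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*\Hw64.sys' } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip an NT "\??\" prefix if present
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Item    = "$path ($($_.State))"
            Version = $file.VersionInfo.FileVersion
            Fixed   = $null   # the page gives no fixed driver version; compare with a patched host
        }
    }

@($packages) + @($drivers) | Format-Table -AutoSize
if (-not $packages -and -not $drivers) { 'No Marvin Test HW package or Hw64.sys driver found.' }
```

An empty `Fixed` column means the version could not be parsed or, for the driver row, that no reference version is available, so that entry needs a manual check.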
📡 Detection & Monitoring
Log Indicators:
- Event ID 4697: Service installation attempts
- Driver load events for Hw64.sys
- Process creation events for Marvin Test HW.exe with suspicious parameters
Network Indicators:
- No network indicators - this is a local exploit
SIEM Query:
EventID=4697 OR (ProcessName="Marvin Test HW.exe" AND CommandLine CONTAINS "suspicious") OR (DriverName="Hw64.sys" AND EventID=6)