CVE-2024-3745
📋 TL;DR
MSI Afterburner v4.6.6.16381 Beta 3 contains an ACL bypass vulnerability in its RTCore64.sys driver that allows low-privileged users to trigger additional vulnerabilities (CVE-2024-1443 and CVE-2024-1460). This affects users running the vulnerable beta version of MSI Afterburner on Windows systems.
💻 Affected Systems
- MSI Afterburner
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation leading to arbitrary code execution with SYSTEM privileges.
Likely Case
Local privilege escalation allowing attackers to gain elevated privileges on the affected system.
If Mitigated
Limited impact if proper access controls and monitoring are in place to detect driver manipulation attempts.
🎯 Exploit Status
Exploitation requires low-privileged user access but is relatively straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest stable version (not v4.6.6.16381 Beta 3)
Vendor Advisory: https://forums.guru3d.com/threads/msi-ab-rtss-development-news-thread.412822/
Restart Required: Yes
Instructions:
1. Uninstall MSI Afterburner v4.6.6.16381 Beta 3
2. Download and install the latest stable version from the official MSI website
3. Restart the system
🔧 Temporary Workarounds
Remove vulnerable driver
Windows: Uninstall or disable the vulnerable RTCore64.sys driver
sc stop RTCore64
sc delete RTCore64
Remove RTCore64.sys from system32\drivers
Restrict driver loading
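Windows: Configure Windows to only allow signed drivers. The commands below keep driver signature enforcement on; they do not stop a driver that carries a valid signature from loading.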
bcdedit /set testsigning off
bcdedit /set nointegritychecks off
🧯 If You Can't Patch
- Restrict user access to systems with vulnerable MSI Afterburner installation
- Monitor for suspicious driver loading events and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check MSI Afterburner version in About dialog or verify RTCore64.sys driver version 4.6.6.16381 is present
Check Version:
wmic product where name="MSI Afterburner" get version
Verify Fix Applied:
Confirm that the MSI Afterburner version is updated to a non-beta release and that the RTCore64.sys driver is updated or removed
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service installation for RTCore64
- Driver load events for RTCore64.sys
- Privilege escalation attempts
Network Indicators:
- No network indicators - local privilege escalation only
SIEM Query:
(EventID=7045 AND ServiceName="RTCore64") OR DriverName="RTCore64.sys"
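An added example (not from this page's source advisory or the vendor): the service-install and driver-load indicators above evaluated over constructed sample events, with the grouping made explicit and compared against the result when OR is grouped first. The record layout, host names, and the use of event ID 6 for driver loads are assumptions.

```python
import json
import ntpath

# Constructed sample events, one JSON object per line (not real telemetry).
# Field names follow the SIEM query above; ID 6 stands in for a driver-load
# event (Sysmon uses 6 for "Driver loaded"), which is an assumption here.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "ServiceName": "RTCore64", "Host": "ws-01"}
{"EventID": 7045, "ServiceName": "rtcore64", "Host": "ws-02"}
{"EventID": 7045, "ServiceName": "Spooler", "Host": "ws-03"}
{"EventID": 6, "DriverName": "C:\\Tools\\RTCore64.sys", "Host": "ws-04"}
{"EventID": 6, "DriverName": "tcpip.sys", "Host": "ws-05"}
{"EventID": 4624, "Host": "ws-06"}
"""

def _eq(value, expected):
    # Windows service and file names are case-insensitive.
    return isinstance(value, str) and value.casefold() == expected.casefold()

def service_install(ev):
    return ev.get("EventID") == 7045 and _eq(ev.get("ServiceName"), "RTCore64")

def driver_load(ev):
    # Compare the file name only, so a full path still matches.
    name = ev.get("DriverName")
    return isinstance(name, str) and _eq(ntpath.basename(name), "RTCore64.sys")

def matches(ev):
    # (EventID=7045 AND ServiceName="RTCore64") OR DriverName="RTCore64.sys"
    return service_install(ev) or driver_load(ev)

def matches_misgrouped(ev):
    # EventID=7045 AND (ServiceName=... OR DriverName=...): the result if a
    # query engine groups OR first. Driver loads never carry ID 7045.
    return ev.get("EventID") == 7045 and (
        _eq(ev.get("ServiceName"), "RTCore64") or driver_load(ev))

def scan(lines, predicate=matches):
    """Return the hosts whose events satisfy the predicate."""
    hits = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if isinstance(ev, dict) and predicate(ev):
            hits.append(ev.get("Host"))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS), scan(SAMPLE_EVENTS, matches_misgrouped))
```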
🔗 References
- https://fluidattacks.com/advisories/gershwin/
- https://forums.guru3d.com/threads/msi-ab-rtss-development-news-thread.412822/page-227#post-6231456
- https://forums.guru3d.com/threads/msi-ab-rtss-development-news-thread.412822/page-227#post-6231768