CVE-2024-43560
📋 TL;DR
This vulnerability in the Microsoft Windows Storage Port Driver allows an authenticated attacker to execute arbitrary code with SYSTEM privileges. It affects Windows systems where an attacker has local access and can run specially crafted applications. This is an elevation of privilege vulnerability that enables attackers to gain full control of affected systems.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access restricted system resources.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and network segmentation are implemented.
🎯 Exploit Status
Requires local access and authentication. Exploitation involves crafting specific driver requests to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the latest Windows security updates from Microsoft's May 2024 Patch Tuesday or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43560
Restart Required: Yes
Instructions:
1. Open Windows Update settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict local administrator privileges
windowsImplement least privilege access controls to limit who can execute code locally
Enable Windows Defender Application Control
windowsRestrict execution of untrusted applications and drivers
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) solutions to detect privilege escalation attempts
- Segment networks to limit lateral movement and contain potential breaches
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for May 2024 security updates or run 'systeminfo' command and verify OS build number is patchedCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify KB5037771 (or later) is installed via 'wmic qfe list' or Windows Update history📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with privileged process creation
- Driver loading events from non-standard locations
- Unexpected SYSTEM privilege processes
Network Indicators:
- Unusual outbound connections from SYSTEM processes
- Lateral movement attempts from previously compromised systems
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"