CVE-2024-46465
📋 TL;DR
CRYHOD for Windows up to version 2024.3 has insecure default folder permissions that allow other users on the same system to access technical files. This can enable privilege escalation by misusing these files to perform tasks with higher privileges. Only Windows systems running vulnerable CRYHOD versions are affected.
💻 Affected Systems
- CRYHOD for Windows
📦 What is this software?
Cryhod by Primx
⚠️ Risk & Real-World Impact
Worst Case
Local attackers can achieve full system compromise by leveraging the accessible files to execute arbitrary code with elevated privileges.
Likely Case
Malicious local users or compromised accounts can escalate privileges to gain administrative access on the system.
If Mitigated
With proper folder permissions configured, the vulnerability cannot be exploited and normal operations continue.
🎯 Exploit Status
Exploitation requires local access to the system but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.4 or later
Vendor Advisory: https://www.primx.eu/en/bulletins/security-bulletin-24932296/
Restart Required: Yes
Instructions:
1. Download CRYHOD version 2024.4 or later from the vendor.
2. Install the update following vendor instructions.
3. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Secure Folder Permissions
Manually adjust folder permissions to restrict access to CRYHOD dedicated folders to authorized users only.
icacls "C:\Program Files\CRYHOD\dedicated_folders" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "<authorized_user>:(OI)(CI)RX"
🧯 If You Can't Patch
- Apply the folder permissions workaround immediately to restrict access.
- Implement strict access controls and monitor for unauthorized access attempts to CRYHOD folders.
🔍 How to Verify
Check if Vulnerable:
Check CRYHOD version in program settings or via 'wmic product where name="CRYHOD" get version' command. If version is 2024.3 or earlier, the system is vulnerable.
Check Version:
wmic product where name="CRYHOD" get version
Verify Fix Applied:
Verify CRYHOD version is 2024.4 or later and check folder permissions on CRYHOD dedicated folders to ensure only authorized users have access.
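One way to carry out the folder-permission check described above, as an added PowerShell example that is not from the vendor or the original page. The default path is the placeholder from the workaround command, and treating Everyone, Authenticated Users, BUILTIN\Users and INTERACTIVE as unauthorized is an assumption of this example.

```powershell
# Added example: flag Allow ACEs for broad groups on CRYHOD folders.
# $Path defaults to the placeholder path from the workaround; set the real one.
param([string]$Path = 'C:\Program Files\CRYHOD\dedicated_folders')

# Well-known SIDs treated as "not authorized" here (an assumption of this example).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check works on localized Windows installs.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable identity
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Folder    = $Folder
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Error "Folder not found: $Path"
    exit 2
}

# Check the folder itself and every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = @(foreach ($f in $folders) { Get-BroadAce -Folder $f.FullName })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No Allow ACEs for the listed broad groups under $Path"
```

The script exits with 1 when it finds a broad grant, so it can be run from a scheduled compliance task. An `Inherited` value of True means the grant comes from a parent folder, which `/inheritance:r` in the workaround removes.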
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing unauthorized access attempts to CRYHOD folders
- File access audit logs for CRYHOD technical files
Network Indicators:
- Not applicable - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4663 AND ObjectName LIKE "%CRYHOD%" AND Accesses="ReadData" AND SubjectUserName NOT IN ("SYSTEM", "Administrator", "<authorized_users>")