CVE-2024-51141
📋 TL;DR
This vulnerability allows a local attacker to execute arbitrary code on systems with the TOTOLINK A600UB Bluetooth Wireless Adapter driver installer. The issue involves DLL hijacking in WifiAutoInstallDriver.exe and MSASN1.dll components, enabling privilege escalation or system compromise. Users who have installed this specific driver are affected.
💻 Affected Systems
- TOTOLINK Bluetooth Wireless Adapter A600UB
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, or ransomware deployment.
Likely Case
Local privilege escalation leading to unauthorized system access, credential harvesting, or lateral movement within the network.
If Mitigated
Limited impact if proper application whitelisting, DLL search path hardening, and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access to place a malicious DLL in a writable directory that has higher search-order priority than the legitimate DLL's location.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider removing the vulnerable driver and using alternative Bluetooth adapters.
🔧 Temporary Workarounds
Remove vulnerable driver
Windows: Uninstall the TOTOLINK A600UB driver and use Windows built-in Bluetooth drivers or alternative hardware
Control Panel > Programs and Features > Uninstall TOTOLINK A600UB Driver
Restrict DLL search paths
Windows: Use Group Policy or registry settings to harden DLL search order and prevent hijacking
Set the registry value SafeDllSearchMode under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager to 1
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized binaries
- Apply least privilege principles - ensure users don't have write access to system directories
🔍 How to Verify
Check if Vulnerable:
Check whether the TOTOLINK A600UB driver is installed via Control Panel > Programs and Features
Check Version:
wmic product get name,version | findstr /i totolink
Verify Fix Applied:
Verify that the driver is uninstalled and that no TOTOLINK software remains in Program Files or system directories
📡 Detection & Monitoring
Log Indicators:
- Process creation events for WifiAutoInstallDriver.exe from unusual locations
- DLL loading events for MSASN1.dll from non-system directories
Network Indicators:
- Unusual outbound connections following driver installation or update
SIEM Query:
ProcessName="WifiAutoInstallDriver.exe" AND (ImagePath NOT CONTAINS "Program Files\TOTOLINK" OR ImagePath CONTAINS "Temp" OR ImagePath CONTAINS "Downloads")
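The two log indicators above, written as detection logic over exported events. This is an added example, not part of the original advisory: it assumes Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records exported as JSON lines, a default Windows install on C:, and the install path used in the SIEM query. The sample events are constructed.

```python
import json
import ntpath

# Where Windows ships MSASN1.dll (assumption: default install on drive C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Install path and "unusual" locations taken from the page's SIEM query.
EXPECTED_DIR = "\\program files\\totolink\\"
UNUSUAL_DIRS = ("\\temp\\", "\\downloads\\")

# Constructed sample events (JSON lines using Sysmon field names); not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\WifiAutoInstallDriver.exe"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\WifiAutoInstallDriver.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\MSASN1.dll"}
{"EventID": 1, "Image": "C:\\Program Files\\TOTOLINK\\WifiAutoInstallDriver.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\TOTOLINK\\WifiAutoInstallDriver.exe", "ImageLoaded": "C:\\Windows\\System32\\msasn1.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\..\\Temp\\MSASN1.DLL"}
"""

def normalize(path):
    """Collapse '..' and mixed slashes, then lower-case (Windows paths are case-insensitive)."""
    return ntpath.normpath(path).lower()

def classify(event):
    """Return a finding string for one event, or None when nothing matches."""
    if event.get("EventID") == 7:  # Sysmon image load
        dll = normalize(event.get("ImageLoaded", ""))
        if ntpath.basename(dll) == "msasn1.dll" and ntpath.dirname(dll) not in SYSTEM_DIRS:
            return "MSASN1.dll loaded from non-system path " + dll
    elif event.get("EventID") == 1:  # Sysmon process creation
        exe = normalize(event.get("Image", ""))
        if ntpath.basename(exe) == "wifiautoinstalldriver.exe" and (
                EXPECTED_DIR not in exe or any(d in exe for d in UNUSUAL_DIRS)):
            return "WifiAutoInstallDriver.exe started from unusual path " + exe

def scan(text):
    """Return (line_number, finding) for every flagged event; skip blank or malformed lines."""
    findings = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        try:
            finding = classify(json.loads(line))
        except (json.JSONDecodeError, AttributeError, TypeError):
            continue
        if finding:
            findings.append((number, finding))
    return findings

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_EVENTS):
        print(f"event {number}: {finding}")
```

Paths are normalized before comparison, so a load recorded as `System32\..\Temp\MSASN1.DLL` is still reported as a non-system location.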