CVE-2024-8159

6.4 MEDIUM

📋 TL;DR

Deep Freeze 9.00.020.5760 contains an out-of-bounds read vulnerability in the FarDisk.sys driver when processing the 0x70014 IOCTL code. An attacker who can send that IOCTL to the driver can read kernel memory, potentially exposing sensitive information or causing system instability. Organizations running this specific version of Deep Freeze are affected.

💻 Affected Systems

Products:
  • Deep Freeze
Versions: 9.00.020.5760
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access or ability to execute code on the system to trigger the IOCTL.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel memory disclosure leading to privilege escalation, system crash (BSOD), or information leakage that could facilitate further attacks.

🟠 Likely Case

Information disclosure from kernel memory, potentially exposing sensitive data or system information that could aid attackers.

🟢 If Mitigated

Limited impact if proper access controls prevent unauthorized users from executing code or if the system is isolated.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and ability to send IOCTL to the driver, typically needing some level of user privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.faronics.com/products/deep-freeze

Restart Required: Yes

Instructions:

  1. Check the Faronics website for security updates.
  2. Download and install any available patches.
  3. Restart the system to apply the changes.

🔧 Temporary Workarounds

Restrict driver access

Platform: Windows

Use Windows security policies to restrict access to the FarDisk.sys driver to prevent unauthorized IOCTL calls.

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks and users.
  • Implement strict access controls to limit who can execute code on vulnerable systems.

🔍 How to Verify

Check if Vulnerable:

Check Deep Freeze version in Control Panel > Programs and Features or via the Deep Freeze interface.

Check Version:

Not applicable; check through GUI or vendor tools.

Verify Fix Applied:

Verify the installed version is newer than 9.00.020.5760 after applying any updates.
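The "newer than 9.00.020.5760" check above is easy to get wrong if the version strings are compared as text, since "10.0.0.0" sorts before "9.00.020.5760" lexically. The following is an added example (not Faronics tooling) that compares dotted versions numerically; the version string is assumed to have been read from the GUI or vendor tools as the page describes.

```python
"""Numeric comparison of a Deep Freeze version string against the version
named in this advisory. Added example; only the affected version string
comes from the advisory, the sample inputs below are constructed."""
from typing import Tuple

# Version named as affected in this advisory.
AFFECTED_VERSION = "9.00.020.5760"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that leading zeros and
    component width do not influence the comparison ("020" == "20")."""
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected_version(installed: str) -> bool:
    """True when the installed build is exactly the affected build."""
    return parse_version(installed) == parse_version(AFFECTED_VERSION)


def is_newer_than_affected(installed: str) -> bool:
    """True when the installed build is strictly newer than the affected
    build; a later major version counts as newer even though its text
    sorts earlier."""
    return parse_version(installed) > parse_version(AFFECTED_VERSION)


if __name__ == "__main__":
    for sample in ("9.00.020.5760", "9.00.020.5761", "10.0.0.0"):
        print(sample, "affected" if is_affected_version(sample) else
              "newer" if is_newer_than_affected(sample) else "older")
```

Unknown or non-numeric strings raise rather than silently comparing as "older", so a scripted check fails loudly instead of reporting a false "fixed" result.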

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing driver errors or crashes related to FarDisk.sys
  • Unexpected IOCTL calls to FarDisk.sys with code 0x70014

Network Indicators:

  • None; this is a local vulnerability

SIEM Query:

(EventID=7031 OR EventID=1000) AND SourceName='System' AND Message LIKE '%FarDisk.sys%'
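Without the parentheses around the two Event IDs, most query languages bind AND tighter than OR, so every Event ID 7031 would match regardless of whether the message mentions FarDisk.sys. The following added example (not part of the advisory) applies the corrected rule to a few constructed event records in a simple key=value line format and contrasts it with the unparenthesised reading; the line format and the sample messages are assumptions for illustration.

```python
"""Apply the advisory's SIEM rule to constructed Windows event records.
Added example; the line format, field names and sample messages are
constructed for illustration, not captured from a real system."""
import re
from typing import Dict, Iterable, List

# Event IDs named in the advisory's query.
WATCHED_EVENT_IDS = {7031, 1000}
DRIVER_NAME = "fardisk.sys"

# Constructed record layout: EventID=<n> SourceName=<name> Message="<text>"
LINE_RE = re.compile(
    r'EventID=(?P<id>\d+)\s+SourceName=(?P<src>\S+)\s+Message="(?P<msg>[^"]*)"'
)


def parse_event(line: str) -> Dict[str, object]:
    """Parse one record; reject lines that do not fit the expected layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable event line: {line!r}")
    return {
        "EventID": int(match.group("id")),
        "SourceName": match.group("src"),
        "Message": match.group("msg"),
    }


def matches_corrected_rule(event: Dict[str, object]) -> bool:
    """(EventID=7031 OR EventID=1000) AND SourceName='System' AND Message LIKE '%FarDisk.sys%'"""
    return (
        event["EventID"] in WATCHED_EVENT_IDS
        and event["SourceName"] == "System"
        and DRIVER_NAME in str(event["Message"]).lower()
    )


def matches_unparenthesised_rule(event: Dict[str, object]) -> bool:
    """EventID=7031 OR (EventID=1000 AND SourceName='System' AND Message LIKE ...),
    which is how engines evaluate the query when AND binds tighter than OR."""
    return event["EventID"] == 7031 or (
        event["EventID"] == 1000
        and event["SourceName"] == "System"
        and DRIVER_NAME in str(event["Message"]).lower()
    )


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Records that the corrected rule flags."""
    return [e for e in map(parse_event, lines) if matches_corrected_rule(e)]


def scan_unparenthesised(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Records that the unparenthesised rule flags (includes false positives)."""
    return [e for e in map(parse_event, lines) if matches_unparenthesised_rule(e)]


# Constructed sample records.
SAMPLE_LOG = [
    'EventID=7031 SourceName=System Message="The Deep Freeze service terminated unexpectedly. Fault in FarDisk.sys."',
    'EventID=7031 SourceName=System Message="The Print Spooler service terminated unexpectedly."',
    'EventID=1000 SourceName=System Message="Faulting module name: FarDisk.sys"',
    'EventID=1000 SourceName=Application Message="Faulting module name: notepad.exe"',
    'EventID=4624 SourceName=System Message="An account was successfully logged on. FarDisk.sys"',
]

if __name__ == "__main__":
    print("corrected rule hits:", len(scan(SAMPLE_LOG)))
    print("unparenthesised rule hits:", len(scan_unparenthesised(SAMPLE_LOG)))
```

On the sample records the corrected rule flags the two FarDisk.sys events only, while the unparenthesised reading also flags the unrelated Print Spooler crash. Event ID 7031 is emitted by the Service Control Manager and 1000 by Application Error, so the rule only catches a driver fault that surfaces as a service or application crash; it is not a detector for the IOCTL itself.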
