CVE-2024-9491

8.6 HIGH

📋 TL;DR

This DLL hijacking vulnerability in the Configuration Wizard 2 installer allows attackers to escalate privileges and execute arbitrary code by placing malicious DLLs in directories searched by the installer. It affects users running the vulnerable installer on Windows systems. The vulnerability stems from an uncontrolled search path (CWE-427).

💻 Affected Systems

Products:
  • Silicon Labs Configuration Wizard 2
Versions: All versions prior to the fixed release
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when running the installer; post-installation systems are not affected. Requires an attacker to place a malicious DLL in a directory that is searched before the legitimate DLL's location.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM/administrator privileges, enabling complete control over the affected system, data theft, and lateral movement.

🟠 Likely Case

Local privilege escalation allowing attackers to gain elevated permissions and install malware or backdoors on the system.

🟢 If Mitigated

Limited impact if proper application whitelisting and DLL search path restrictions are enforced, preventing unauthorized DLL loading.

🌐 Internet-Facing: LOW - This is a local attack requiring execution of the installer, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Significant risk in internal environments where users may run the installer, especially if combined with social engineering or other initial access vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and the ability to place a malicious DLL in a directory with higher search priority than the legitimate DLL location. Social engineering may be needed to get a user to run the installer.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated Configuration Wizard 2 installer (specific version not specified in reference)

Vendor Advisory: https://community.silabs.com/068Vm00000JUQwd

Restart Required: No

Instructions:

  1. Download the updated Configuration Wizard 2 installer from Silicon Labs.
  2. Uninstall any existing vulnerable version.
  3. Install the updated version.
  4. Verify the fix by checking installer behavior.

🔧 Temporary Workarounds

Restrict DLL search path

Windows

Use Windows policies or application controls to restrict where DLLs can be loaded from, preventing loading from untrusted directories.

Use Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker to create DLL rules

Run installer from secure location

All

Always run the installer from a trusted, write-protected directory to prevent DLL planting attacks.

🧯 If You Can't Patch

  • Implement strict application whitelisting to prevent unauthorized installer execution
  • Use least privilege accounts and avoid running installers with administrative privileges when possible

🔍 How to Verify

Check if Vulnerable:

Check if the Configuration Wizard 2 installer version is older than the patched release. Monitor for DLL loading from unexpected directories during installer execution.

Check Version:

Check installer properties or installation directory for version information. For installed software, check Control Panel > Programs and Features.

Verify Fix Applied:

Test the updated installer to confirm it no longer searches untrusted directories for DLLs. Use Process Monitor to verify DLL loading behavior.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unexpected directories (Event ID 7 in Sysmon)
  • Application logs showing installer execution from unusual locations

Network Indicators:

  • Typically no network indicators as this is a local attack

SIEM Query:

EventID=7 AND (Image LIKE '%Configuration Wizard%' OR ProcessName LIKE '%ConfigWizard%') AND (ImageLoaded LIKE '%.dll' AND NOT ImageLoaded LIKE '%System32%' AND NOT ImageLoaded LIKE '%Program Files%')
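
An added example (not from the vendor or from this page's source) that applies the Event ID 7 check to Sysmon events in XML form. It anchors trusted directories at the start of the normalised path, because a substring match on "System32" or "Program Files" also matches folders of that name under user-writable locations. The trusted roots, the installer file name and the sample events are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumptions: trusted roots on a default C: install, and the name hints from the query above.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
INSTALLER_HINTS = ("configuration wizard", "configwizard")

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    fields = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields

def is_trusted(path):
    """Anchor the match at the start of the normalised path, not anywhere inside it."""
    return ntpath.normpath(path).lower().startswith(TRUSTED_ROOTS)

def suspicious_loads(events):
    """Return image loads by the installer that come from outside the trusted roots."""
    findings = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        image, loaded = f.get("Image", ""), f.get("ImageLoaded", "")
        if event_id != 7 or not any(h in image.lower() for h in INSTALLER_HINTS):
            continue
        if loaded.lower().endswith(".dll") and not is_trusted(loaded):
            findings.append({"image": image, "loaded": loaded,
                             "signed": f.get("Signed", "").lower() == "true"})
    return findings

# Constructed sample events (not real telemetry); file and user names are hypothetical.
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>7</EventID></System><EventData>'
            '<Data Name="Image">{0}</Data><Data Name="ImageLoaded">{1}</Data>'
            '<Data Name="Signed">{2}</Data></EventData></Event>')
INSTALLER = r"C:\Users\alice\Downloads\ConfigWizard2_Setup.exe"
SAMPLE_EVENTS = [
    TEMPLATE.format(INSTALLER, r"C:\Windows\System32\kernel32.dll", "true"),
    TEMPLATE.format(INSTALLER, r"C:\Users\alice\Downloads\example.dll", "false"),
    TEMPLATE.format(INSTALLER, r"C:\Users\alice\Downloads\Program Files\example.dll", "false"),
]

if __name__ == "__main__":
    for finding in suspicious_loads(SAMPLE_EVENTS):
        print(finding)
```

The third sample event is the one a substring-based exclusion would pass over; the `signed` flag is kept in each finding so that unsigned loads can be triaged first.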
