CVE-2024-29513

Vulnerability

Overview CVE-2024-29513 is a vulnerability in the briscKernelDriver.sys driver used by BlueRiSC WindowsSCOPE Cyber Forensics prior to version 3.3. The root cause is an improperly configured Discretionary Access Control List (DACL) on the device object \\.\BriscKernel, which grants overly permissive access to unprivileged users [1].

Exploitation

A local attacker with low privileges can open a handle to the device and send crafted IOCTL requests. This can trigger arbitrary memory operations within the driver context, leading to arbitrary code execution at kernel level. Additionally, passing incorrect data can cause a kernel bugcheck (BSOD), resulting in denial-of-service [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in kernel mode, compromising the entire system. They can also trigger a denial-of-service condition, causing system instability or crash. The vulnerability requires local access but no special privileges [1].

Mitigation

BlueRiSC released version 3.3 of WindowsSCOPE Cyber Forensics, which silently addressed this issue by correcting the DACL on the device object. Users are advised to update to version 3.3 or later. No known workarounds exist [1].