
Background:

psmounterex.sys is a kernel mode driver that enables Macrium backups to be mounted and accessed by file explorer as a 'virtual drive'.

CVE-2023-43896:  https://nvd.nist.gov/vuln/detail/CVE-2023-43896

The issue allows a non-elevated process to craft input that gains access to kernel-space memory outside that used by the mounting operation. A carefully crafted non-elevated process could use this to trigger a system crash. Theoretically, this class of flaw could be used by a sophisticated actor as a stepping stone in a privilege escalation attack.

This issue has been fixed in:

| Edition | Build | Date | Release Notes |
| --- | --- | --- | --- |
| Macrium Reflect Home, Workstation, Server, Server Plus | v8.1.7675 | 9th October 2023 | https://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm |
| Macrium Reflect Free Edition | v8.0.7690 | 11th October 2023 | https://updates.macrium.com/reflect/v8/v8.0.7690/details8.0.7690.htm |
| Macrium Site Manager | v8.1.7695 | 16th October 2023 | Release Notes |



We encourage all users of Macrium Reflect or Macrium Site Manager to update at the earliest opportunity.
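The fixed builds differ per edition (the Free Edition fix is on the 8.0 line, the paid editions on 8.1), so a fleet check has to compare each install against its own edition's build rather than one global threshold. The following is an added example, not Macrium code: the edition labels, the CSV inventory layout and the sample hosts are constructed, and it assumes that builds at or above the listed one include the fix.

```python
import csv
import io

# Fixed builds per edition, taken from the table in this advisory.
# The edition keys are hypothetical labels for this example.
FIXED_BUILDS = {
    "reflect": (8, 1, 7675),       # Home, Workstation, Server, Server Plus
    "reflect-free": (8, 0, 7690),  # Free Edition
    "site-manager": (8, 1, 7695),  # Site Manager
}


def parse_version(text):
    """Turn 'v8.1.7675' or '8.1.7675' into (8, 1, 7675); None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(edition, version_text):
    """Return 'fixed', 'update-needed' or 'unknown' for one install."""
    fixed = FIXED_BUILDS.get(edition.strip().lower())
    installed = parse_version(version_text)
    if fixed is None or installed is None:
        return "unknown"  # never report an unparsed row as fixed
    return "fixed" if installed >= fixed else "update-needed"


def audit(inventory_csv):
    """Classify every row of a host,edition,version CSV inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], classify(r["edition"], r["version"])) for r in reader]


# Constructed sample inventory (hosts and older build numbers are made up).
SAMPLE = """host,edition,version
ws-01,reflect,8.1.7000
ws-02,reflect,v8.1.7675
ws-03,reflect-free,8.0.7690
ws-04,reflect-free,8.0.7000
mgmt-01,site-manager,8.1.7675
ws-05,reflect,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Rows reported as unknown need manual follow-up; the advisory does not state which earlier builds are affected, so the check only reports whether an install has reached the fixed build for its edition.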

Acknowledgments 

We thank Northwave Cybersecurity for bringing this to our attention:

https://northwave-cybersecurity.com/hs-search-results?term=macrium&type=SITE_PAGE&type=BLOG_POST&type=LISTING_PAGE
