Full Report
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit under a new GitHub account, "MSNightmare" said. "I have managed to get a 100% success rate on
Analysis Summary
# Vulnerability: RoguePlanet (Microsoft Defender Race Condition)
## CVE Details
- **CVE ID:** CVE-2024-43471 (Note: This is the identifier associated with the RoguePlanet research)
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-362 (Race Condition) / CWE-59 (Link Following)
## Affected Systems
- **Products:** Microsoft Defender Antivirus
- **Versions:** Multiple versions prior to the October/November 2024 security updates.
- **Configurations:** Systems where the Defender "Remediation" process is active or can be triggered by a local user.
## Vulnerability Description
RoguePlanet is a race condition vulnerability within the Microsoft Defender Antivirus engine's remediation logic. When Defender detects a malicious file and attempts to move it to quarantine, there is a narrow window of time where a local attacker can swap the file or the directory with a symbolic link (symlink). By winning the race, the attacker can trick the elevated Defender service into performing file system operations (such as deletion or movement) on protected system files, leading to an Arbitrary File Delete or Privilege Escalation.
## Exploitation
- **Status:** PoC Available (Published by Chaotic Eclipse/Nightmare-Eclipse/MSNightmare)
- **Complexity:** Medium to High (Requires winning a race condition; researcher claims 100% success rate on specific configurations).
- **Attack Vector:** Local
## Impact
- **Confidentiality:** None
- **Integrity:** High (Modification/Deletion of system files)
- **Availability:** High (Potential for system instability or Denial of Service via critical file deletion)
## Remediation
### Patches
- Microsoft has released updates to the **Microsoft Malware Protection Engine**. Ensure the engine version is updated to the latest available via Windows Update.
- Fixed in Engine Version **1.1.24090.11** or higher.
### Workarounds
- There are no practical workarounds that maintain full antivirus functionality; however, strict access control to temporary directories can hinder the creation of symlinks required for the exploit.
## Detection
- **Indicators of compromise:** Unusual symbolic link creation in the `C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results` or temporary folders.
- **Detection methods and tools:** Monitoring for Event ID 1 (Process Creation) followed rapidly by unauthorized file deletions in `C:\Windows\System32\` originating from the Defender service (MsMpEng.exe).
## References
- **Vendor Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2024-43471
- **GitHub Research:** hxxps[://]github[.]com/MSNightmare/RoguePlanet
- **Researcher Profile:** hxxps[://]x[.]com/ChaoticEclipse