
CVE-2023-43896 Advisory

Overview

This article was originally published in October 2023 when the CVE was resolved; however, due to recent changes in Windows driver security, we have received reports of users experiencing issues with the psmounterex.sys driver, which is used to mount images as a virtual drive. Whilst we continue to investigate, we do not currently believe that the psmounterex.sys driver relates to the VSS timeout error introduced in Windows update KB5083769.

psmounterex.sys is a kernel-mode driver that enables Macrium backups to be mounted and accessed by File Explorer as a 'virtual drive'.

CVE-2023-43896: https://nvd.nist.gov/vuln/detail/CVE-2023-43896

The issue allows a non-elevated process to supply crafted input that gives it access to kernel-space memory outside the region used by the mounting operation. A carefully crafted non-elevated process could use this to trigger a system crash. Theoretically, a sophisticated actor could use this class of flaw as a stepping stone towards privilege escalation.

This issue was fixed in the following versions of Macrium Reflect and Site Manager:

| Edition | Build | Date | Release Notes |
|---|---|---|---|
| Macrium Reflect Home, Workstation, Server, Server Plus | v8.1.7675 | 9th October 2023 | https://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm |
| Macrium Reflect Free Edition | v8.0.7690 | 11th October 2023 | https://updates.macrium.com/reflect/v8/v8.0.7690/details8.0.7690.htm |
| Macrium Site Manager | v8.1.7695 | 16th October 2023 | https://updates.macrium.com/reflect/v8/v8.1.7695/detailsMD8.1.7695.md |

We encourage all users of Macrium Reflect or Macrium Site Manager to update at the earliest opportunity.


Acknowledgments 

We thank Northwave Cybersecurity for bringing this to our attention:

https://northwave-cybersecurity.com/hs-search-results?term=macrium&type=SITE_PAGE&type=BLOG_POST&type=LISTING_PAGE