Two vulnerabilities have been identified in Microsoft Windows which, when chained, allow local escalation of privileges, downgrading of critical operating system components and bypassing of security features. CVE-2024-38202 and CVE-2024-21302 carry CVSS v3.1 base scores of 7.3 (High) and 6.7 (Medium) out of 10 respectively, though several sources argue that, given the impact of the combined technique, they should be treated as Critical.
Description:
CVE-2024-38202 is an elevation-of-privilege flaw in the Windows Update stack, reachable through Windows Backup, that allows an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some Virtualization Based Security (VBS) features. CVE-2024-21302 is a Windows Secure Kernel Mode elevation-of-privilege flaw that allows an attacker with administrator privileges to replace current Windows system files with older, vulnerable versions.
The two vulnerabilities were discovered by SafeBreach Labs and disclosed to Microsoft as the two halves of a single technique: an unprivileged account with basic access to the target system abuses the Windows Update and Virtualization Based Security (VBS) components to escalate local privileges. The attacker then undermines the integrity of the system by downgrading components such as Dynamic Link Libraries (DLLs), the NT kernel and various security features to older, vulnerable builds. Because the downgrade is carried out by the update process itself, the system continues to report as fully patched afterwards and the outdated components are not flagged, which makes the attack particularly difficult to detect once it has run.
Although no exploitation in the wild has been observed, two factors increase the risk: 1) a proof-of-concept tool that exploits the weaknesses, Windows Downdate, has been released publicly, and 2) at the time of writing CVE-2024-38202 has not been fully mitigated by Microsoft. Potential attackers therefore now have the technical means, the knowledge and the opportunity to start exploiting these flaws.
Affected Versions:
The vulnerabilities affect Windows 10 version 1809 and later, Windows 11, and Windows Server 2019 and later operating systems.
Recommendations:
- Administrators should ensure Windows systems are patched to at least the August 2024 security updates, which include an opt-in mitigation for one half of this issue, CVE-2024-21302. The mitigation deploys the revocation policy SkuSiPolicy.p7b; it is not applied automatically and has side effects described by Microsoft, so follow the guidance in KB5042562 before deploying it: https://support.microsoft.com/en-us/topic/kb5042562-guidance-for-blocking-rollback-of-virtualization-based-security-vbs-related-security-updates-b2e7ebf4-f64d-4884-a390-38d63171b8d3
- Customers are advised to closely monitor critical systems for suspicious activity involving the Windows Update component over the last week, in particular system binaries whose versions are older than the installed update level and unexpected changes to VBS state. Obrela is closely monitoring the situation and can provide guidance on detection.
- More specific recommended actions and mitigation methods can be found in the Microsoft Security Response Center entries, the first three reference links below.
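As an added illustration of the first two recommendations above (verifying that the KB5042562 mitigation is in place and looking for downgraded components), the following read-only PowerShell script can be run on a host. It is an example written for this advisory, not code from Obrela, Microsoft or SafeBreach. The staging path of SkuSiPolicy.p7b, its location on the EFI system partition, the list of binaries checked and the expected default of the PoqexecCmdline registry value are assumptions that should be verified against KB5042562 and the SafeBreach write-up before the output is relied upon.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks for the KB5042562 mitigation state and for
# downgraded system components. Not Obrela's, Microsoft's or SafeBreach's code.
# Assumed values (verify against KB5042562 and the SafeBreach write-up):
$PolicySource   = "$env:windir\System32\SecureBootUpdates\SkuSiPolicy.p7b"  # where the update stages the policy
$PolicyOnEsp    = 'EFI\Microsoft\Boot\SkuSiPolicy.p7b'                     # deployed location on the ESP
$DefaultPoqexec = '\SystemRoot\WinSxS\pending.xml'                          # expected action-list path

function Get-OsBuildVersion {
    # CurrentBuildNumber + UBR is the patch level that Windows Update reports.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

function Get-FileBuildVersion([string]$Path) {
    $fv = (Get-Item -LiteralPath $Path).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $fv.FileMajorPart, $fv.FileMinorPart,
                                    $fv.FileBuildPart, $fv.FilePrivatePart)
}

function Test-RevocationPolicyDeployed {
    # Mount the EFI system partition at a spare drive letter, check, unmount.
    $esp = 'S:'
    $mountedHere = $false
    if (-not (Test-Path "$esp\")) {
        mountvol $esp /S | Out-Null
        $mountedHere = $true
    }
    try {
        [pscustomobject]@{
            PolicyStaged   = Test-Path -LiteralPath $PolicySource
            PolicyDeployed = Test-Path -LiteralPath "$esp\$PolicyOnEsp"
        }
    } finally {
        if ($mountedHere) { mountvol $esp /D | Out-Null }
    }
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled not running, 2 running
        ServicesRunning = @($dg.SecurityServicesRunning)          # 1 Credential Guard, 2 HVCI
    }
}

function Find-DowngradedComponents {
    # Compare the revision (UBR) of key binaries with the OS revision. A lagging
    # revision is a downgrade signal, not proof: binaries no update has touched
    # also lag, so confirm against a freshly patched reference host.
    $os = Get-OsBuildVersion
    $candidates = 'ntoskrnl.exe', 'securekernel.exe', 'ci.dll', 'skci.dll',
                  'hvix64.exe', 'hvax64.exe', 'ntdll.dll', 'winload.efi'
    foreach ($name in $candidates) {
        $path = Join-Path "$env:windir\System32" $name
        if (-not (Test-Path -LiteralPath $path)) { continue }   # e.g. only one hypervisor binary exists
        $v = Get-FileBuildVersion $path
        [pscustomobject]@{
            File       = $name
            Version    = $v
            OsVersion  = $os
            LagsOsUbr  = $v.Revision -lt $os.Revision
        }
    }
}

function Get-PoqexecCommandLine {
    # The SafeBreach write-up describes Windows Downdate pointing the servicing
    # action list at an attacker-controlled pending.xml. The value is normally
    # absent outside a pending servicing operation; a value that does not
    # reference the default path deserves a closer look.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $value = @($sm.PoqexecCmdline) -join ' '
    [pscustomobject]@{
        Value      = $value
        Suspicious = ($value -ne '') -and ($value -notlike "*$DefaultPoqexec*")
    }
}

Test-RevocationPolicyDeployed | Format-List
Get-VbsState                  | Format-List
Find-DowngradedComponents     | Format-Table -AutoSize
Get-PoqexecCommandLine        | Format-List
```

Run the script from an elevated PowerShell session. A host that has deployed the mitigation should report PolicyDeployed as True and VbsStatus as 2; any binary with LagsOsUbr set to True, or a Suspicious PoqexecCmdline, should be compared against a known-good host from the same update ring before it is treated as evidence of a downgrade.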
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21302
https://msrc.microsoft.com/update-guide/advisory/ADV24216903
https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates
https://github.com/SafeBreach-Labs/WindowsDowndate
https://www.n-able.com/blog/microsoft-patch-tuesday-august-2024