Advisory August 22, 2024

Microsoft Windows High-Risk Vulnerabilities

The Obrela Threat Intelligence Team

A pair of vulnerabilities has been identified in Microsoft Windows. Chained together they allow local privilege escalation, the downgrading of critical operating system components to older, vulnerable versions, and the bypass of security features. The vulnerabilities, CVE-2024-38202 and CVE-2024-21302, carry CVSSv3.1 base scores of 7.3 (High) and 6.7 (Medium) respectively, and Microsoft rates both as Important; several commentators argue that, because the technique silently rolls back a fully patched system, its practical impact warrants a Critical rating.

 

Description:

CVE-2024-38202 is an elevation of privilege flaw in the Windows Update stack (Windows Backup). According to Microsoft, an attacker with basic user privileges can use it to reintroduce previously mitigated vulnerabilities or circumvent some Virtualization Based Security (VBS) features; exploitation requires convincing an administrator, or a user with delegated permissions, to perform a system restore, which inadvertently triggers the flaw. CVE-2024-21302 is an elevation of privilege flaw in Windows Secure Kernel Mode that lets an attacker who already holds administrator privileges replace current Windows system files with outdated, vulnerable versions.

Both issues were found by SafeBreach Labs researchers and disclosed to Microsoft as the two halves of a single downgrade technique: an account with basic access to the target abuses the Windows Update process to escalate privileges locally and to roll back components such as Dynamic Link Libraries (DLLs), the NT kernel, the Secure Kernel and other VBS-related files to older, exploitable builds. Because the downgraded files are installed through the update mechanism itself, Windows Update continues to report the machine as fully patched and, according to the researchers, recovery and scanning tools did not detect the rollback, which makes the attack hard to spot once it has succeeded.
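The failure mode above, a system that reports itself as fully patched while the binaries on disk are old, is exactly why update status alone is not a sufficient check. The following PowerShell script is an added example for this advisory (it is not code from Obrela, Microsoft or SafeBreach's Windows Downdate tooling): it reads the actual on-disk versions of the kernel, Secure Kernel and code-integrity binaries and the current VBS state, and compares the versions against a baseline the operator records from a known-good host of the same build. The file list and the baseline version numbers in the parameter block are assumptions and must be replaced with real values.

```powershell
# Added example, not from the advisory or from SafeBreach's Windows Downdate tooling.
# A downgrade attack leaves Windows Update reporting "up to date" while the binaries on
# disk are old, so this script inspects the binaries directly. Run from an elevated prompt.
[CmdletBinding()]
param(
    # ASSUMPTION: placeholder baseline versions. Replace with values recorded from a
    # known-good, freshly patched host of the SAME Windows build.
    [hashtable]$Baseline = @{
        'ntoskrnl.exe'     = [version]'10.0.22621.1'
        'securekernel.exe' = [version]'10.0.22621.1'
        'ci.dll'           = [version]'10.0.22621.1'
        'skci.dll'         = [version]'10.0.22621.1'
    }
)

function Get-OnDiskVersion {
    param([Parameter(Mandatory)][string]$FileName)
    $path = Join-Path $env:SystemRoot "System32\$FileName"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    # Use the numeric parts rather than the FileVersion string, which can carry a
    # build-lab suffix that [version] will not parse.
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-ComponentBaseline {
    param([Parameter(Mandatory)][hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = Get-OnDiskVersion -FileName $name
        [pscustomobject]@{
            File       = $name
            Expected   = $Expected[$name]
            Actual     = $actual
            # A file that is present but OLDER than the baseline is the downgrade signal.
            Downgraded = ($null -ne $actual) -and ($actual -lt $Expected[$name])
        }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled, 2 = running;
    # SecurityServicesRunning 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus               = $dg.VirtualizationBasedSecurityStatus
        SecurityServicesRunning = ($dg.SecurityServicesRunning -join ',')
        SecureBoot              = $(try { Confirm-SecureBootUEFI } catch { 'n/a' })
    }
}

Write-Host "Most recent updates as reported by the OS (what a downgrade does NOT change):"
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn | Format-Table -AutoSize

Write-Host "`nOn-disk component versions vs. baseline:"
$results = @(Test-ComponentBaseline -Expected $Baseline)
$results | Format-Table -AutoSize

Write-Host "`nVBS / Secure Boot state:"
Get-VbsState | Format-List

$bad = @($results | Where-Object Downgraded)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) component(s) are OLDER than the baseline; investigate for a downgrade."
    exit 1
}
Write-Host "No component below baseline."
```

Run the script on a freshly patched reference machine first and paste the versions it prints into the baseline; on any host where a component is then reported as Downgraded, a version lower than the installed cumulative update should ship is the anomaly to investigate, regardless of what Windows Update says.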

Although no exploitation in the wild has been confirmed, two factors raise the risk: 1) a proof-of-concept tool that implements the technique, Windows Downdate, has been released publicly (see the SafeBreach Labs GitHub repository in the references), and 2) Microsoft has so far published only mitigation guidance, not a security update, for CVE-2024-38202. Would-be attackers therefore have the technical means, the knowledge and the opportunity to start exploiting these flaws.

 

Affected Versions:

The vulnerabilities affect Windows 10 version 1809 and later, Windows 11, and Windows Server 2019 and later. Consult the MSRC entries in the references for the full list of affected builds.

 

Recommendations:

Apply the August 2024 security updates, which address CVE-2024-21302, and review KB5042562 (see references) for the opt-in mitigation that blocks rollback of VBS-related binaries; test it on representative hardware before broad deployment.

Until Microsoft releases a security update for CVE-2024-38202, apply the mitigations it lists in the MSRC entry and in ADV24216903: enable object-access and sensitive-privilege auditing to detect access to, modification of or replacement of Windows Backup-related files, and use ACLs to restrict who can reach those files and perform system restores.

Verify the versions of kernel, Secure Kernel and other VBS components on disk rather than relying on Windows Update status alone, and monitor the MSRC entries for both CVEs for the release of a full fix.
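The object-access auditing Microsoft lists as a mitigation for CVE-2024-38202 is described in its MSRC entry only in general terms. The following PowerShell script is an added example (not Microsoft's or Obrela's code) of how an administrator would implement it: it enables the Object Access / File System audit subcategory and places a SACL on the locations to be watched, so writes, deletions and permission changes there are recorded as Security events 4663 and 4656. Microsoft's guidance does not name a fixed set of backup-related paths, so the paths are a mandatory parameter the operator supplies; the principal to audit defaults to Everyone, which is an assumption.

```powershell
# Added example, not from the advisory or from Microsoft's KB text. Implements the
# object-access auditing mitigation for CVE-2024-38202: enable the File System audit
# subcategory and add a SACL to the paths the operator chooses to watch.
# Run elevated; Set-Acl with audit rules requires SeSecurityPrivilege.
[CmdletBinding()]
param(
    # ASSUMPTION: backup-related locations relevant to your environment; Microsoft's
    # guidance does not name a fixed list, so they must be supplied explicitly.
    [Parameter(Mandatory)][string[]]$Path,
    [string]$Principal = 'Everyone',
    [int]$ReviewHours = 24
)

function Enable-FileSystemAuditPolicy {
    # Object Access > File System; without this subcategory SACLs generate no events.
    $out = & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed: $out" }
}

function Add-WriteAuditRule {
    param([Parameter(Mandatory)][string]$Target, [string]$Identity = 'Everyone')
    if (-not (Test-Path -LiteralPath $Target)) { throw "Path not found: $Target" }
    # Files cannot carry inheritance flags; only directories propagate to their children.
    $isDir   = (Get-Item -LiteralPath $Target).PSIsContainer
    $inherit = if ($isDir) { [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit' }
               else        { [System.Security.AccessControl.InheritanceFlags]::None }
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )
    $acl = Get-Acl -LiteralPath $Target -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Target -AclObject $acl
}

function Get-AuditRules {
    param([Parameter(Mandatory)][string]$Target)
    # Shows the SACL so the change can be verified after Set-Acl.
    (Get-Acl -LiteralPath $Target -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

function Get-RecentObjectAccessEvents {
    param([int]$Hours = 24)
    # 4663 = an attempt was made to access an object, 4656 = a handle to an object was requested.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Enable-FileSystemAuditPolicy
foreach ($p in $Path) {
    Add-WriteAuditRule -Target $p -Identity $Principal
    Write-Host "Audit rule applied to $p"
    Get-AuditRules -Target $p | Format-Table -AutoSize
}

Write-Host "`nObject-access events in the last $ReviewHours hour(s):"
Get-RecentObjectAccessEvents -Hours $ReviewHours | Format-Table -AutoSize
```

Events 4663 and 4656 are noisy on busy directories, so keep the SACL scoped to the specific backup-related locations and forward the Security log to your SIEM, where a rule on those object names combined with a subsequent system-restore or update-installation event is the practical detection signal.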

 

References:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21302

https://support.microsoft.com/en-us/topic/kb5042562-guidance-for-blocking-rollback-of-virtualization-based-security-vbs-related-security-updates-b2e7ebf4-f64d-4884-a390-38d63171b8d3#bkmk_available_mitigations

https://msrc.microsoft.com/update-guide/advisory/ADV24216903

https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates

https://github.com/SafeBreach-Labs/WindowsDowndate

https://www.n-able.com/blog/microsoft-patch-tuesday-august-2024

https://securityonline.info/poc-exploit-for-windows-0-day-flaws-cve-2024-38202-and-cve-2024-21302-released/