Microsoft closes exploited Windows 0-day vulnerability CVE-2024-21338 six months after notification

In February 2024, Microsoft closed the vulnerability CVE-2024-21338 in the kernel of Windows 10/11 and various Windows Server versions. Great! The catch in the story: the vulnerability was reported by AVAST in August 2023, and it was already being exploited as a 0-day at that time.



February 2024 update closes CVE-2024-21338

A little story about how concerned and professional Microsoft is about the security of its Windows users. CVE-2024-21338 is a Windows Kernel Elevation of Privilege vulnerability with a CVSS v3 score of 7.8. An attacker could exploit it as part of post-compromise activity to elevate privileges to SYSTEM.

To exploit this vulnerability, an attacker would first have to log into the system. An attacker could then run a specially crafted application that exploits the vulnerability and takes control of an affected system, according to Microsoft. I reported on this in the blog post Microsoft Security Update Summary (February 13, 2024) and listed the relevant February 2024 updates in the articles linked at the end of the post.

On February 28, 2024, Microsoft then updated the advisory for CVE-2024-21338 and stated that the vulnerability had been exploited. So far, so normal. The explosive part is the story behind the report.

Avast reported it in August 2023

Security researchers from AVAST discovered during their analyses that the Lazarus hacker group from North Korea has been exploiting CVE-2024-21338, as the researchers announced in a tweet.

FudModule Rootkit attacks Windows



In the article Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day from February 28, 2024, the security researchers at AVAST reveal the details. Avast discovered an admin-to-kernel exploit in the wild for a then-unknown zero-day vulnerability in the appid.sys AppLocker driver.

The Lazarus group used the vulnerability to establish a kernel read/write primitive. With this primitive, Lazarus could directly manipulate kernel objects in an updated version of the FudModule rootkit.

AVAST documents the details of the vulnerability and its exploitation by Lazarus in the article linked above. The vulnerability has existed since Windows 10 1703 (RS2/15063), when the 0x22A018 IOCTL handler was first implemented. Older builds are not affected, as they lack support for the vulnerable IOCTL.

Interestingly, the Lazarus exploit will not trigger the vulnerability if it encounters a build older than Windows 10 1809 (RS5/17763), ignoring three fully vulnerable Windows versions. Toward the newer end, the vulnerability extends to the latest builds, including Windows 11 23H2.
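To make the two numbers above concrete, here is an added example (not code from the Avast article or the blog post) that decodes the IOCTL code 0x22A018 into the fields of the Windows CTL_CODE macro, and classifies a Windows build number according to the three ranges the text describes. The field layout and the constants FILE_DEVICE_UNKNOWN, FILE_WRITE_ACCESS and METHOD_BUFFERED are the ones from the WDK; the build thresholds 15063 and 17763 are the ones quoted above. Nothing here touches the driver.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code, as produced by the WDK
 * CTL_CODE macro:
 *   bits 31..16  device type
 *   bits 15..14  required access (FILE_ANY_ACCESS=0, READ=1, WRITE=2)
 *   bits 13..2   function number
 *   bits  1..0   transfer method (METHOD_BUFFERED=0 ... METHOD_NEITHER=3) */
#define FILE_DEVICE_UNKNOWN 0x22
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define METHOD_BUFFERED     0

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Encode, exactly as CTL_CODE does. */
static uint32_t ctl_code(uint32_t device_type, uint32_t function,
                         uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* Decode a control code into its four fields. */
static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

/* Build-number ranges taken from the post (constructed classification):
 *   < 15063        : IOCTL handler absent, not affected
 *   15063 .. 17762 : vulnerable, but the Lazarus exploit refuses to run
 *   >= 17763       : vulnerable and inside the exploit's target range */
typedef enum {
    BUILD_NOT_AFFECTED,
    BUILD_VULNERABLE_SKIPPED_BY_EXPLOIT,
    BUILD_VULNERABLE_TARGETED
} build_class;

static build_class classify_build(uint32_t build)
{
    if (build < 15063) return BUILD_NOT_AFFECTED;
    if (build < 17763) return BUILD_VULNERABLE_SKIPPED_BY_EXPLOIT;
    return BUILD_VULNERABLE_TARGETED;
}

int main(void)
{
    ioctl_fields f = decode_ioctl(0x22A018);
    printf("IOCTL 0x22A018: device type 0x%X, access %u, function 0x%X, method %u\n",
           f.device_type, f.access, f.function, f.method);

    const uint32_t builds[] = { 14393, 15063, 16299, 17134, 17763, 22631 };
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++)
        printf("build %u -> class %d\n", builds[i], (int)classify_build(builds[i]));
    return 0;
}
```

Decoding gives device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x806, METHOD_BUFFERED and FILE_WRITE_ACCESS. The access field only means the I/O manager requires a handle opened for write; whether a non-administrator can obtain such a handle depends on the device object's security descriptor, which the post does not cover.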

What makes the whole thing even more explosive: AVAST developed a custom PoC (proof-of-concept) exploit and submitted it to Microsoft in August 2023 as part of a vulnerability report. The vulnerability was assigned CVE-2024-21338, but Microsoft did not patch it until February 13, 2024. So it took six months to close an already exploited 0-day vulnerability.

Similar articles:
Microsoft Security Update Summary (February 13, 2024)
Patchday: Windows 10 Updates (February 13, 2024)
Patchday: Windows 11/Server 2022 Updates (February 13, 2024)


