{"id":33421,"date":"2024-03-03T00:29:55","date_gmt":"2024-03-02T23:29:55","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33421"},"modified":"2024-03-03T00:29:55","modified_gmt":"2024-03-02T23:29:55","slug":"microsoft-closes-exploited-windows-0-day-vulnerability-cve-2024-21338-six-months-after-notification","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/03\/03\/microsoft-closes-exploited-windows-0-day-vulnerability-cve-2024-21338-six-months-after-notification\/","title":{"rendered":"Microsoft closes exploited Windows 0-day vulnerability CVE-2024-21338 six months after notification"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/03\/03\/microsoft-schliet-ausgenutzte-windows-0-day-schwachstelle-cve-2024-21338-sechs-monate-nach-meldung\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] In February 2024, Microsoft closed the vulnerability CVE-2024-21338 in the kernel of Windows 10\/11 and various Windows Server versions. Great! The flaw in the story: the vulnerability was reported by AVAST in August 2023, and it was already being exploited as a 0-day at that time.<\/p>\n<p><!--more--><\/p>\n<h2>February 2024 update closes CVE-2024-21338<\/h2>\n<p>A little story about how concerned and professional Microsoft is about the security of its Windows users. The vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21338\">CVE-2024-21338<\/a> is a Windows Kernel Elevation of Privilege vulnerability with a CVSS v3 score of 7.8. 
An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.<\/p>\n<p>To exploit this vulnerability, an attacker would first have to log into the system. An attacker could then run a specially crafted application that exploits the vulnerability and takes control of an affected system, according to Microsoft. I reported on this in the blog post <a href=\"https:\/\/borncity.com\/win\/2024\/02\/13\/microsoft-security-update-summary-february-13-2024\/\" target=\"_blank\" rel=\"noopener\">Microsoft Security Update Summary (February 13, 2024)<\/a> and listed the relevant February 2024 updates in the articles linked at the end of the post.<\/p>\n<p>On February 28, 2024, Microsoft updated the advisory for the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21338\">CVE-2024-21338<\/a> vulnerability again and noted that the vulnerability has been exploited. So far, so normal &#8211; the explosive part is the story behind the report.<\/p>\n<h2>Avast reported it in August 2023<\/h2>\n<p>Security researchers at AVAST discovered during their analyses that the North Korean Lazarus hacker group has exploited the vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21338\">CVE-2024-21338<\/a>, as can be seen from the following <a href=\"https:\/\/twitter.com\/AvastThreatLabs\/status\/1762834586298462320\" target=\"_blank\" rel=\"noopener\">tweet<\/a>.<\/p>\n<p><a href=\"https:\/\/twitter.com\/AvastThreatLabs\/status\/1762834586298462320\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"FudModule Rootkit attacks Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2024\/03\/NLNxjtM.png\" alt=\"FudModule Rootkit attacks Windows\" \/><\/a><\/p>\n<p>In the article <a 
href=\"https:\/\/decoded.avast.io\/janvojtesek\/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day\/\" target=\"_blank\" rel=\"noopener\">Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day<\/a> from February 28, 2024, the security researchers at AVAST reveal the details. Avast discovered an admin-to-kernel exploit in the wild for a then-unknown zero-day vulnerability in the appid.sys AppLocker driver.<\/p>\n<p>The Lazarus group exploited the vulnerability to set up a kernel read\/write primitive. This primitive allowed Lazarus to directly manipulate kernel objects in an updated version of the FudModule rootkit.<\/p>\n<p>AVAST documents the many details of the vulnerability and its exploitation by Lazarus in the article linked above. The vulnerability has existed since Windows 10 1703 (RS2\/15063), when the 0x22A018 IOCTL handler was first implemented. Older builds are not affected, as they lack support for the vulnerable IOCTL.<\/p>\n<p>Interestingly, the Lazarus exploit will not trigger the vulnerability if it encounters a build older than Windows 10 1809 (RS5\/17763), ignoring three fully vulnerable Windows versions. On the newer side, the vulnerability extends to the latest builds, including Windows 11 23H2.<\/p>\n<p>What makes the whole thing even more explosive: AVAST developed a custom PoC (proof-of-concept) exploit and submitted it to Microsoft in August 2023 as part of a vulnerability report. The vulnerability was assigned CVE-2024-21338, but Microsoft didn't patch it until February 13, 2024. So it took them six months to close an already exploited 0-day vulnerability. 
(<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-kernel-bug-fixed-last-month-exploited-as-zero-day-since-august\/\" target=\"_blank\" rel=\"noopener\">via<\/a>)<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/13\/microsoft-security-update-summary-february-13-2024\/\" target=\"_blank\" rel=\"noopener\">Microsoft Security Update Summary (February 13, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/14\/patchday-windows-10-updates-february-13-2024\/\">Patchday: Windows 10 Updates (February 13, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/14\/patchday-windows-11-server-2022-updates-february-13-2024\/\" target=\"_blank\" rel=\"noopener\">Patchday: Windows 11\/Server 2022 Updates (February 13, 2024)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]In February 2024, Microsoft closed the vulnerability CVE-2024-21338 in the kernel of Windows 10\/11 and various Windows Server versions. Great! 
The flaw in the story: The vulnerability was reported by AVAST in August 2023, and the vulnerability was exploited as &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/03\/03\/microsoft-closes-exploited-windows-0-day-vulnerability-cve-2024-21338-six-months-after-notification\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[69,195,194],"class_list":["post-33421","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33421"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33421\/revisions"}],"predecessor-version":[{"id":33422,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33421\/revisions\/33422"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}