ADVISORY!

TLP : CLEAR

Date : 08/08/2024

REF NO : CERT /2024/08/70 

Microsoft Windows Multiple Vulnerabilities

Severity Level: Medium

Components Affected

  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 11 version 21H2 for ARM64-based Systems
  • Windows 11 version 21H2 for x64-based Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

Overview

Multiple vulnerabilities were identified in Microsoft Windows. An attacker could exploit some of these vulnerabilities to trigger elevation of privilege, sensitive information disclosure and data manipulation on the targeted system.

Note:

  • No patch or mitigation is currently available for CVE-2024-21302 and CVE-2024-38202 in the affected products.
  • For CVE-2024-21302, an attacker with administrator privileges on the target system may replace current Windows system files with outdated versions.
  • For CVE-2024-38202, an attacker may trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers elevation of privilege.

Description

Microsoft has identified several elevation of privilege vulnerabilities affecting Windows systems that support Virtualization Based Security (VBS), including specific Azure Virtual Machine SKUs. These vulnerabilities allow attackers with administrator privileges to replace current system files with outdated versions, potentially reintroducing previously mitigated vulnerabilities, circumventing VBS security features, and exfiltrating protected data. While Microsoft is developing security updates to address these threats, they have not yet been released. However, an opt-in revocation policy was included in the August 2024 security updates to help mitigate these risks. Administrators are advised to review KB5042562 to understand the risks and determine if the mitigation suits their environment. Additionally, a related vulnerability in Windows Update could allow an attacker with basic user privileges to achieve similar outcomes by tricking an administrator into performing a system restore. This issue is also pending a security update, and Microsoft has recommended actions to reduce risk in the interim. No known exploits have been reported, but a recent Black Hat presentation on this topic may change the threat landscape.

Impact

  • Elevation of Privilege
  • Information Disclosure
  • Data Manipulation

Solution / Workarounds

Before installing the software, please visit the vendor website for more details.

Workaround Steps :

Reference

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Copyright © 2023 SRI LANKA CERT | CC