A proof-of-concept (PoC) exploit has been publicly released for a critical zero-day elevation of privilege vulnerability in the Windows kernel. The flaw, tracked as CVE-2024-38106, was one of several zero-days patched by Microsoft in their August 2024 Patch Tuesday update.
CVE-2024-38106 is a race condition vulnerability in the Windows kernel that could allow a local attacker to gain SYSTEM privileges. The issue has a CVSS score of 7.0, and Microsoft’s exploitability assessment labels it as “exploitation more likely.”
The vulnerability was reported to Microsoft by an anonymous researcher and details were kept under wraps until a PoC exploit was publicly released on GitHub over the weekend.
The PoC demonstrates how the race condition can be triggered to corrupt kernel memory and achieve arbitrary code execution with elevated privileges.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
Patch Analysis
An analysis of Microsoft’s patch for CVE-2024-38106 by PixiePoint Security researchers sheds light on the root cause.
The vulnerability existed due to improper locking around calls to VslpEnterIumSecureMode() in the VslGetSetSecureContext() function. This could allow an attacker to free the worker factory object and associated timer while they were still in use, leading to a use-after-free condition.
Microsoft’s fix implements proper locking using VslpLockPagesForTransfer() and VslpUnlockPagesForTransfer() to prevent the race condition.
However, the public availability of a working PoC exploit makes it critical for organizations to apply security updates as soon as possible.
Mitigation
The only complete mitigation is to install the security updates containing the fix for CVE-2024-38106. Microsoft addressed the vulnerability in the August 2024 Patch Tuesday update and urges all customers to apply the patches immediately.
Windows 11 and Windows Server 2022 are affected, as well as some older versions of Windows that are still supported. There are no reports of active exploitation in the wild yet, but the public PoC significantly increases the chances of that changin.
Organizations should prioritize patching CVE-2024-38106 along with the other critical and actively exploited vulnerabilities fixed this month, including a zero-click RCE in the Windows TCP/IP stack (CVE-2024-38063) and several other escalation of privilege and remote code execution flaws.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!