PoC Exploit Released for Windows Kernel Privilege Escalation Flaw

Microsoft recently issued multiple patches for various vulnerabilities on Patch Tuesday for August 2024. Among the vulnerabilities highlighted by Microsoft was CVE-2024-38106, a Windows Kernel Privilege Escalation flaw affecting several versions of Microsoft Windows OSes, including Windows 10, 11, and Windows Server (2016, 2019, 2022). What’s alarming is that Microsoft reported that threat actors were actively exploiting this vulnerability.

The severity of this vulnerability was classified as 7.0 (High), indicating the potential risk associated with it. Reports shared with Cyber Security News revealed that CVE-2024-38106 was linked to a race condition. If successfully exploited, threat actors could gain SYSTEM level privileges on the compromised system.

One of the key points mentioned by Microsoft was that exploiting this vulnerability did not require any user interaction, making it more concerning for organizations using the affected Windows OS versions. Despite its complexity, threat actors were able to exploit this vulnerability, highlighting the critical need for organizations to apply the necessary patches promptly.

Researchers at Pixiepoint conducted an in-depth investigation of the patch released for CVE-2024-38106. The analysis revealed that the fix was implemented in ntoskrnl.exe, in an update that also addressed several other bugs identified by Microsoft. The security changes made to the functions VslGetSetSecureContext() and NtSetInformationWorkerFactory() were aimed at mitigating the race condition associated with the vulnerability.

VslGetSetSecureContext() was fixed to address the race condition by ensuring the proper locking of the VslpEnterIumSecureMode() operation related to the VBS secure kernel. NtSetInformationWorkerFactory() received a comparable fix, which introduces a flag inside NtShutdownWorkerFactory() -> ExpShutdownWorkerFactory(). The proof of concept code provided a deeper understanding of how threat actors could exploit the vulnerability by triggering specific actions to reach a vulnerable state within the system.

It is imperative for organizations to apply the patches released by Microsoft for vulnerable products to prevent potential exploitation by threat actors. By ensuring that systems are up to date with the latest security updates, organizations can mitigate the risks associated with CVE-2024-38106 and other vulnerabilities identified in the Patch Tuesday release.
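Because the fix ships in ntoskrnl.exe, a host's patch state can be confirmed from the version of that file. The following is an added example, not code from Microsoft or the researchers: the function names are hypothetical, and the baseline versions are constructed placeholders to be replaced with the fixed versions Microsoft lists for each affected OS build.

```powershell
# Added example: compare the local kernel image version with operator-supplied baselines.

function Get-KernelImageVersion {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'))
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Use the numeric parts; the FileVersion string can carry extra build text.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-KernelPatchLevel {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version[]]$PatchedBaselines
    )
    # Revisions are only comparable within the same major.minor.build branch,
    # so pick the baseline that matches this host's branch (if any).
    $match = $PatchedBaselines | Where-Object {
        $_.Major -eq $Installed.Major -and
        $_.Minor -eq $Installed.Minor -and
        $_.Build -eq $Installed.Build
    } | Select-Object -First 1

    $status = if (-not $match) {
        'NoBaselineForBuild'      # unknown branch: treat as "needs manual review"
    } elseif ($Installed.Revision -ge $match.Revision) {
        'Patched'
    } else {
        'Missing'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Installed = $Installed
        Baseline  = $match
        Status    = $status
    }
}

# CONSTRUCTED placeholder baselines, one per servicing branch. Not real build numbers.
[version[]]$baselines = '10.0.11111.2222', '10.0.33333.4444'

# Check the local host.
Test-KernelPatchLevel -Installed (Get-KernelImageVersion) -PatchedBaselines $baselines

# Constructed sample inputs showing each outcome without touching the file system.
'10.0.11111.2000', '10.0.33333.5000', '10.0.55555.1' |
    ForEach-Object { Test-KernelPatchLevel -Installed $_ -PatchedBaselines $baselines }
```

A `NoBaselineForBuild` result means the host runs a branch that is not in the baseline list, so it should be reviewed by hand rather than assumed safe.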

Cybersecurity professionals emphasize the importance of proactive measures to safeguard systems and networks against emerging threats. The evolving landscape of cyber threats requires constant vigilance and a timely response to security vulnerabilities to prevent data breaches and unauthorized access to critical systems. Stay informed and stay protected.
