Understanding the New Windows Secure Kernel Mode Elevation of Privilege Vulnerability (CVE 2024 21302)

On August 7, 2024, Microsoft disclosed a significant security vulnerability affecting Windows-based systems, known as CVE-2024-21302. This zero-day vulnerability allows attackers with administrator privileges to elevate their access by replacing current versions of Windows system files with outdated, vulnerable ones.

Exploitability

There are no known exploits in the wild, and Microsoft is unaware of any active exploitation. However, the public disclosure at Black Hat USA 2024 could change the threat landscape, making it imperative for organizations to take preemptive actions. As of the initial publication, exploitation is considered less likely due to the high privileges required and the complexity of the attack. However, vigilance is necessary, given the potential impact.

Executive Summary

CVE-2024-21302 affects Windows systems that support Virtualization-Based Security (VBS), including specific Azure Virtual Machine SKUs. This vulnerability could enable attackers to reintroduce previously mitigated vulnerabilities, bypass VBS security features, and exfiltrate sensitive data protected by VBS. Microsoft is actively developing a security update to address this issue but has not yet released it. In the interim, organizations must adopt proactive measures to safeguard their systems.

Detailed Analysis

The vulnerability, identified by a security researcher, specifically impacts Windows 10, Windows 11, Windows Server 2016, and higher versions, including Azure VMs with VBS enabled. The exploit allows an attacker with administrative access to replace current Windows system files with outdated versions, thereby undermining the security provided by VBS.

Impact Assessment

The vulnerability has a CVSS score of 6.7, categorized as "Important." Its potential impact includes:

• Confidentiality: High risk of data exfiltration.
• Integrity: There is a high risk of integrity compromise due to reintroducing old vulnerabilities.
• Availability: High risk as critical system files could be tampered with.

Qualys QID Coverage

Qualys has released the QID 92154 (Microsoft Windows Secure Kernel Mode and Update Stack Elevation of Privilege Vulnerability), starting with vulnsigs version VULNSIGS-2.6.114-2.

This detection logic utilizes WMI (Windows Management Instrumentation) to assess a system's status of Virtualization-Based Security (VBS). It queries the Win32_DeviceGuard class specifically for the VirtualizationBasedSecurityStatus attribute.

This QID will flag the system if the status is set to 1 (Enabled) or 2 (Enabled and Running), indicating that VBS is enabled on the device. This QID verifies security measures related to device and data integrity through hardware virtualization.

Recommended Actions

While waiting for Microsoft's security update, organizations can implement several measures to mitigate the risk:

1. Audit Object Access: Configure settings to monitor access attempts to critical files, such as handle creation and read/write operations.
2. Audit Sensitive Privilege Use: Identify and monitor the use of sensitive privileges to detect any unauthorized access or modifications.
3. Protect Cloud Users: Review Identity Protection's Risk Reports in Azure Active Directory and rotate credentials for flagged administrators. Enable Multi-Factor Authentication (MFA) to reduce exposure risk.

Leveraging Qualys TruRisk Platform to detect and mitigate the vulnerability

While these recommendations do not fully mitigate the vulnerability, they can help reduce the risk of exploitation until the security update is available:

Monitor any access or changes to Windows System Files in real time with Qualys File Integrity Monitoring (FIM)

This vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions.

Given the nature of this exploit, which involves file replacement, Qualys File Integrity Monitoring (FIM) will detect and respond to this activity in real time. The system will create incidents immediately upon detecting any suspicious activities on the target system. FIM continuously monitors and alerts on attempts to access files, such as handle creation, read/write operations, or modifications to security descriptors.

Setting up the monitoring scope

To monitor changes to system files in real time, you can either create a custom FIM rule or import Qualys' pre-defined FIM Profile from the Library. The pre-defined profile includes most of the critical system files that need real-time monitoring for any access. You also have the flexibility to customize the policy by adding more files to be monitored, thereby expanding your monitoring scope without affecting the host system.

Where Can I Find System Files on Windows?

The majority of Windows system files are stored in C:\Windows, especially in subfolders like System32 and SysWOW64. But you'll also find system files scattered throughout user folders (like the appdata folder) and app folders (like ProgramData or the Program Files folders).

Cancelling the Noise: Fine-Tuning Alerts

After selecting all the changes to be monitored, including file access, you will start receiving alerts. The next step involves fine-tuning these alerts by adding inclusion/exclusion filters. This helps in filtering out events from legitimate users and processes, thereby reducing false positives and ensuring that you receive only the events of interest.

Protect Cloud Users:

• Investigate user risk in Azure Active Directory by reviewing Identity Protection's Risk Reports. Rotate credentials for flagged administrators and enable Multi-Factor Authentication (MFA) to mitigate exposure risks.

Qualys' Risk Remediation solutions can significantly enhance your security posture against CVE-2024-21302.

Here's how:

• TruRisk Eliminate:
  • Provides real-time risk assessment and prioritizes vulnerabilities based on threat intelligence and asset criticality.
  • Helps identify and mitigate risks proactively, reducing the window of exposure.
• Patch Management:
  • Automates the deployment of patches once released by Microsoft, ensuring systems are updated promptly.
  • Integrates with Qualys Vulnerability Management to provide comprehensive protection against known vulnerabilities.

Detection and Monitoring

Microsoft Defender for Endpoint (MDE) has introduced a detection mechanism to alert users of any exploit attempts. Organizations using MDE should integrate and enable this feature for enhanced security monitoring.

Conclusion

CVE-2024-21302 poses a critical risk to Windows-based systems, especially those leveraging VBS. While Microsoft develops a security update, organizations must implement recommended actions and leverage tools like Qualys File Integrity Monitoring (FIM), TruRisk Eliminate, and Patch Management to mitigate potential threats. Stay vigilant and proactive to protect your infrastructure from this evolving vulnerability landscape.

Contributors

• Saeed Abbasi, Product Manager, Vulnerability Research, Qualys
• Lavish Jhamb, Senior Product Manager, Compliance Solutions, Qualys

Related

Public link

Please use the above public link if you want to share this noodl on another website.