08/12/2024 | News release | Distributed by Public on 08/12/2024 18:54
On August 7, 2024, Microsoft disclosed a significant security vulnerability affecting Windows-based systems, known as CVE-2024-21302. This zero-day vulnerability allows attackers with administrator privileges to elevate their access by replacing current versions of Windows system files with outdated, vulnerable ones.
Exploitability
There are no known exploits in the wild, and Microsoft is unaware of any active exploitation. The public disclosure at Black Hat USA 2024 could change that, so organizations should act preemptively. At the time of initial publication, exploitation was assessed as less likely because the attack requires administrator privileges on the target and is complex to carry out; the potential impact nonetheless warrants vigilance.
Executive Summary
CVE-2024-21302 affects Windows systems that support Virtualization-Based Security (VBS), including specific Azure Virtual Machine SKUs. This vulnerability could enable attackers to reintroduce previously mitigated vulnerabilities, bypass VBS security features, and exfiltrate sensitive data protected by VBS. Microsoft is actively developing a security update to address this issue but has not yet released it. In the interim, organizations must adopt proactive measures to safeguard their systems.
Detailed Analysis
The vulnerability, identified by a security researcher, specifically impacts Windows 10, Windows 11, Windows Server 2016 and later versions, including Azure VMs with VBS enabled. It allows an attacker who already has administrative access to replace current Windows system files with outdated versions, thereby undermining the protection that VBS provides.
Impact Assessment
The vulnerability has a CVSS base score of 6.7, and Microsoft rates its severity as "Important." Its potential impact is the one summarized above: reintroducing previously mitigated vulnerabilities, bypassing VBS security features, and exposing sensitive data that VBS protects.
Qualys QID Coverage
Qualys has released the QID 92154 (Microsoft Windows Secure Kernel Mode and Update Stack Elevation of Privilege Vulnerability), starting with vulnsigs version VULNSIGS-2.6.114-2.
The detection logic uses WMI (Windows Management Instrumentation) to determine the system's Virtualization-Based Security (VBS) status. It queries the Win32_DeviceGuard class (in the root\Microsoft\Windows\DeviceGuard namespace) for the VirtualizationBasedSecurityStatus property.
The QID flags the system if that value is 1 (VBS enabled but not running) or 2 (VBS enabled and running); a value of 0 means VBS is not enabled and the host is out of scope. In other words, the QID identifies hosts that rely on hardware-virtualization-backed protection of device and data integrity, which is exactly the protection this vulnerability undermines.
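As an added example (this is not Qualys' signature code), the following PowerShell reproduces the check described above against the same WMI class, so an administrator can inventory in-scope hosts without the scanner. It assumes local execution by default; the optional ComputerName parameter is an assumption that requires CIM/WinRM access to the remote hosts. The SecurityServicesRunning decoding is extra context beyond what the QID inspects.

```powershell
# Added example, not Qualys' detection code: reproduce the VBS-status check that
# QID 92154 is described as performing, using the Win32_DeviceGuard WMI class.
function Test-VbsExposure {
    [CmdletBinding()]
    param(
        # Assumption: local host by default; remote hosts need CIM/WinRM access.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $cimArgs = @{
            Namespace   = 'root\Microsoft\Windows\DeviceGuard'   # the class lives here, not in root\cimv2
            ClassName   = 'Win32_DeviceGuard'
            ErrorAction = 'Stop'
        }
        if ($computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $computer }

        try {
            $dg = Get-CimInstance @cimArgs
        } catch {
            Write-Warning "$computer : could not query Win32_DeviceGuard ($($_.Exception.Message))"
            continue
        }

        # Documented values: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        $status = [int]$dg.VirtualizationBasedSecurityStatus
        $statusText = switch ($status) {
            0       { 'Not enabled' }
            1       { 'Enabled, not running' }
            2       { 'Enabled and running' }
            default { "Unknown ($status)" }
        }

        # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (memory integrity).
        # Extra context only; the QID looks solely at VirtualizationBasedSecurityStatus.
        $running = @()
        if ($dg.SecurityServicesRunning -contains 1) { $running += 'CredentialGuard' }
        if ($dg.SecurityServicesRunning -contains 2) { $running += 'HVCI' }

        [pscustomobject]@{
            ComputerName    = $computer
            VbsStatus       = $statusText
            # Same rule as the QID: status 1 or 2 means VBS is enabled, so the host is in scope
            InScope         = ($status -in 1, 2)
            ServicesRunning = ($running -join ', ')
        }
    }
}

# Usage: run from an elevated prompt; pipe to Export-Csv for a fleet inventory.
Test-VbsExposure | Format-Table -AutoSize
```

A host reporting InScope = True is one where the VBS protections this vulnerability bypasses are actually in use; a host with status 0 is not protected by VBS in the first place, so the downgrade does not remove anything there, which is why the QID does not flag it.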
Recommended Actions
While waiting for Microsoft's security update, organizations can implement several measures to mitigate the risk:
Leveraging Qualys TruRisk Platform to detect and mitigate the vulnerability
While these recommendations do not fully mitigate the vulnerability, they can help reduce the risk of exploitation until the security update is available:
Monitor any access or changes to Windows System Files in real time with Qualys File Integrity Monitoring (FIM)
This vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions.
Because exploitation involves replacing files on disk, Qualys File Integrity Monitoring (FIM) can detect the activity in real time and raise an incident as soon as it is observed. FIM continuously monitors and alerts on attempts to access files, including handle creation, read/write operations, and modifications to security descriptors.
Setting up the monitoring scope
To monitor changes to system files in real time, you can either create a custom FIM rule or import Qualys' pre-defined FIM Profile from the Library. The pre-defined profile includes most of the critical system files that need real-time monitoring for any access. You also have the flexibility to customize the policy by adding more files to be monitored, thereby expanding your monitoring scope without affecting the host system.
Where Can I Find System Files on Windows?
The majority of Windows system files live under C:\Windows, especially in the System32 and SysWOW64 subfolders, with the component store in C:\Windows\WinSxS holding the versioned copies that servicing installs from. Some system-related files are also found in user profile folders (such as AppData) and application folders (such as ProgramData or the Program Files folders), but for this vulnerability the files that matter are the operating-system binaries under C:\Windows.
Cancelling the Noise: Fine-Tuning Alerts
After selecting all the changes to be monitored, including file access, you will start receiving alerts. The next step involves fine-tuning these alerts by adding inclusion/exclusion filters. This helps in filtering out events from legitimate users and processes, thereby reducing false positives and ensuring that you receive only the events of interest.
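To make the scoping and alert-tuning steps above concrete, here is an added PowerShell example (it is not Qualys FIM and does not use its rule format) that baselines a small set of system files and, on each later run, classifies every change so that routine servicing is reported as informational while a file whose version goes backwards is reported as an alert. The four files in the default scope, the baseline file location under ProgramData, and the verdict labels are illustrative assumptions.

```powershell
# Added example, not Qualys FIM: baseline a set of system files, then report what
# changed and classify each change so that normal servicing does not drown out a
# downgrade. The file list is an illustrative assumption; adjust it to your scope.
$DefaultScope = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\winload.efi"
)

function Get-SystemFileRecord {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $vi   = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Numeric parts, not the free-text FileVersion string, so versions compare correctly
        Version   = ('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        LastWrite = $item.LastWriteTimeUtc.ToString('o')
    }
}

function New-SystemFileBaseline {
    param(
        [string[]]$Paths = $DefaultScope,
        [string]$OutFile = "$env:ProgramData\sysfile-baseline.json"   # assumption: pick a protected location
    )
    $records = foreach ($p in $Paths) { Get-SystemFileRecord -Path $p }
    $records | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $OutFile -Encoding UTF8
    $OutFile
}

function Compare-SystemFileBaseline {
    param([string]$BaselineFile = "$env:ProgramData\sysfile-baseline.json")
    $baseline = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
    foreach ($old in @($baseline)) {          # @() keeps a one-entry baseline iterable
        $new = Get-SystemFileRecord -Path $old.Path
        if ($new.Sha256 -eq $old.Sha256) { continue }          # unchanged: nothing to report

        $oldVer = [version]$old.Version
        $newVer = [version]$new.Version
        # The classification is the noise filter: a newer, validly signed file is expected
        # servicing; anything else deserves an incident.
        $verdict = if ($newVer -lt $oldVer)            { 'ALERT: version went backwards (downgrade)' }
                   elseif ($new.SigStatus -ne 'Valid') { "ALERT: signature $($new.SigStatus)" }
                   elseif ($newVer -eq $oldVer)        { 'ALERT: same version, different hash' }
                   else                                { 'INFO: updated (newer signed build)' }

        [pscustomobject]@{
            Path       = $old.Path
            OldVersion = $old.Version
            NewVersion = $new.Version
            SigStatus  = $new.SigStatus
            Signer     = $new.Signer
            Verdict    = $verdict
        }
    }
}

# Usage (elevated): run New-SystemFileBaseline once after patching, then run
# Compare-SystemFileBaseline on a schedule and forward ALERT rows to your SIEM.
```

Two caveats follow from the nature of this vulnerability. First, a downgraded file is still a genuine Microsoft-signed binary, so a check that only verifies Authenticode status will pass it; the version comparison is what catches the downgrade, which is also why an exclusion filter that silences everything written by the servicing process would hide the attack. Second, this script is a scheduled comparison rather than the real-time monitoring the page describes, and an attacker with administrator rights can tamper with a baseline stored on the same host, so keep the baseline, or at least a copy of its hashes, off the monitored system.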
Protect Cloud Users:
Qualys' Risk Remediation solutions can significantly enhance your security posture against CVE-2024-21302.
Here's how:
Detection and Monitoring
Microsoft Defender for Endpoint (MDE) has introduced a detection mechanism to alert users of any exploit attempts. Organizations using MDE should integrate and enable this feature for enhanced security monitoring.
Conclusion
CVE-2024-21302 poses a significant risk to Windows-based systems, especially those relying on VBS. While Microsoft develops a security update, organizations should implement the recommended actions and use tools such as Qualys File Integrity Monitoring (FIM), TruRisk Eliminate, and Patch Management to reduce exposure. Stay vigilant and proactive until the fix is available and deployed.