Microsoft Windows Security Update Advisory (CVE-2024-21338) – ASEC BLOG

Overview
On February 13th, 2024, Microsoft released a patch for CVE-2024-21338, a Windows Kernel Elevation of Privilege Vulnerability. The vulnerability lies in certain IOCTL handlers of “appid.sys”, the driver behind AppLocker, one of Windows’ built-in features. By exploiting it, a threat actor can read and write arbitrary kernel memory and thereby disable security products or gain system privileges. Avast reported that the Lazarus threat group has recently used CVE-2024-21338 to disable security products. Windows OS users are therefore advised to apply the latest security patch to their systems.

Description
Exploiting a vulnerable driver to execute code in kernel mode is known as Bring Your Own Vulnerable Driver (BYOVD) (T1068). BYOVD is used to disable security products and to gain system privileges. On September 22nd, 2022, the ASEC Blog introduced an attack technique used by the North Korea-backed Lazarus threat group to disable security products, which is identical in purpose to the attack described here. At the time, Lazarus dropped a driver file named “ene.sys”, based on the open-source WinIO driver, onto the system. In this case, however, the attack is assumed to have been carried out more covertly, because the vulnerable driver already existed on the system. And since a legitimate Microsoft driver module was exploited, the impact is likely to be significant.

Vulnerability and Patch Info

Vulnerability Info

  • CVE-2024-21338: Windows Kernel Elevation of Privilege Vulnerability (CVSS 3.1 Score: 7.8, High)

Patch Info

Windows versions affected by the CVE-2024-21338 vulnerability are as follows:

  • Windows 10 Version 1809
  • Windows 10 Version 21H2
  • Windows 11 version 21H2
  • Windows 10 Version 22H2
  • Windows 11 Version 22H2
  • Windows 11 Version 23H2
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)

The following table provides the patch details of the CVE-2024-21338 vulnerability categorized by product.

| Release Date | Product | Build Number | Patch Link | Patch Document |
|---|---|---|---|---|
| Feb 13th, 2024 | Windows Server 2022, 23H2 Edition (Server Core installation) | 10.0.25398.709 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769 | https://support.microsoft.com/help/5034769 |
| Feb 13th, 2024 | Windows 11 Version 23H2 for x64-based Systems | 10.0.22631.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 11 Version 23H2 for ARM64-based Systems | 10.0.22631.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 10 Version 22H2 for 32-bit Systems | 10.0.19045.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 22H2 for ARM64-based Systems | 10.0.19045.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 22H2 for x64-based Systems | 10.0.19045.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 11 Version 22H2 for x64-based Systems | 10.0.22621.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 11 Version 22H2 for ARM64-based Systems | 10.0.22621.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 10 Version 21H2 for x64-based Systems | 10.0.19044.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 21H2 for ARM64-based Systems | 10.0.19044.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 21H2 for 32-bit Systems | 10.0.19044.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 11 version 21H2 for ARM64-based Systems | 10.0.22000.2777 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034766 | https://support.microsoft.com/help/5034766 |
| Feb 13th, 2024 | Windows 11 version 21H2 for x64-based Systems | 10.0.22000.2777 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034766 | https://support.microsoft.com/help/5034766 |
| Feb 13th, 2024 | Windows Server 2022 (Server Core installation) | 10.0.20348.2322 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770 | https://support.microsoft.com/help/5034770 |
| Feb 13th, 2024 | Windows Server 2022 | 10.0.20348.2322 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770 | https://support.microsoft.com/help/5034770 |
| Feb 13th, 2024 | Windows Server 2019 (Server Core installation) | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows Server 2019 | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows 10 Version 1809 for ARM64-based Systems | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows 10 Version 1809 for x64-based Systems | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows 10 Version 1809 for 32-bit Systems | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |

Solution

Apply the latest Microsoft Windows OS update:
– https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
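The following PowerShell check is an added example, not part of the ASEC advisory: it reads the local OS build and revision from the registry and compares them against the patched build numbers listed in the table above, so an administrator can verify whether a host is still exposed to CVE-2024-21338. It assumes the standard `CurrentBuildNumber` and `UBR` values under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion`; the second call uses a constructed, unpatched revision for illustration.

```powershell
# Added example (not from the ASEC post): compare the running Windows build
# with the patched build numbers published in the advisory table.
# Assumption: CurrentBuildNumber and UBR under the CurrentVersion key hold
# the build and revision of the installed OS.
$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Minimum patched revision (from the advisory table) keyed by build number.
$PatchedBuilds = @{
    17763 = 5458   # Windows 10 1809 / Windows Server 2019 (KB5034768)
    19044 = 4046   # Windows 10 21H2 (KB5034763)
    19045 = 4046   # Windows 10 22H2 (KB5034763)
    20348 = 2322   # Windows Server 2022 (KB5034770)
    22000 = 2777   # Windows 11 21H2 (KB5034766)
    22621 = 3155   # Windows 11 22H2 (KB5034765)
    22631 = 3155   # Windows 11 23H2 (KB5034765)
    25398 = 709    # Windows Server 2022, 23H2 Edition (KB5034769)
}

function Test-CVE202421338Patched {
    [CmdletBinding()]
    param(
        # Build and revision to evaluate; defaults read the local machine.
        [int]$Build    = [int](Get-ItemPropertyValue $CurrentVersionKey -Name CurrentBuildNumber),
        [int]$Revision = [int](Get-ItemPropertyValue $CurrentVersionKey -Name UBR)
    )

    if (-not $PatchedBuilds.ContainsKey($Build)) {
        # The build is not in the advisory table: not covered by this check.
        return [pscustomobject]@{
            Build = "10.0.$Build.$Revision"; RequiredBuild = $null; Status = 'NotInAdvisoryTable'
        }
    }

    $required = $PatchedBuilds[$Build]
    $status   = if ($Revision -ge $required) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{
        Build         = "10.0.$Build.$Revision"
        RequiredBuild = "10.0.$Build.$required"
        Status        = $status
    }
}

# Evaluate the local machine, then a constructed Windows 10 22H2 host whose
# revision (3996) is below the patched 4046 and therefore reports 'Vulnerable'.
Test-CVE202421338Patched
Test-CVE202421338Patched -Build 19045 -Revision 3996
```

Run it from an elevated or standard PowerShell session on each host in scope; a `Vulnerable` result means the February 13th, 2024 cumulative update for that build has not been applied.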

Reference

  • Avast Threat Labs – Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
  • Microsoft Security Response Center – CVE-2024-21338: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
  • KrCERT KNVD – CVE-2024-21338: https://knvd.krcert.or.kr/elkDetail.do?CVEID=CVE-2024-21338

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
