Microsoft Windows Security Update Advisory (CVE-2024-21338) – ASEC BLOG

Overview
On February 13th, 2024, Microsoft released a patch for CVE-2024-21338, a Windows Kernel Elevation of Privilege Vulnerability. The vulnerability lies in a certain IOCTL handler of “appid.sys”, the driver of AppLocker, a Windows feature. By exploiting it, a threat actor can read and write arbitrary kernel memory and can either disable security products or gain system privileges. Avast reported that the Lazarus threat group recently used CVE-2024-21338 to disable security products. Windows OS users are therefore advised to apply the latest security patch to their systems.

Description
Exploiting a vulnerable driver to execute code in kernel mode is called Bring Your Own Vulnerable Driver (BYOVD) (T1068). BYOVD is used to disable security products and gain system privileges. On September 22nd, 2022, the ASEC Blog introduced an attack technique used by the North Korea-backed Lazarus threat group to disable security products, and that technique is the same one used in the attack described here. At the time, Lazarus dropped a driver file named “ene.sys”, based on the open-source WinIO library, onto the system. In this case, however, the attack was presumably carried out more covertly, because a vulnerable driver already existed on the system rather than having to be dropped by the attacker. And since a legitimate Microsoft driver module was exploited, the impact is likely to be significant.

Vulnerability and Patch Info

Vulnerability Info

  • CVE-2024-21338: Windows Kernel Elevation of Privilege Vulnerability (CVSS 3.1 Score: 7.8, High)

Patch Info

Windows versions affected by the CVE-2024-21338 vulnerability are as follows:

  • Windows 10 Version 1809
  • Windows 10 Version 21H2
  • Windows 11 version 21H2
  • Windows 10 Version 22H2
  • Windows 11 Version 22H2
  • Windows 11 Version 23H2
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)

The following table provides the patch details of the CVE-2024-21338 vulnerability categorized by product.

| Release Date | Product | Build Number | Patch Link | Patch Document |
|---|---|---|---|---|
| Feb 13th, 2024 | Windows Server 2022, 23H2 Edition (Server Core installation) | 10.0.25398.709 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769 | https://support.microsoft.com/help/5034769 |
| Feb 13th, 2024 | Windows 11 Version 23H2 for x64-based Systems | 10.0.22631.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 11 Version 23H2 for ARM64-based Systems | 10.0.22631.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 10 Version 22H2 for 32-bit Systems | 10.0.19045.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 22H2 for ARM64-based Systems | 10.0.19045.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 22H2 for x64-based Systems | 10.0.19045.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 11 Version 22H2 for x64-based Systems | 10.0.22621.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 11 Version 22H2 for ARM64-based Systems | 10.0.22621.3155 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034765 | https://support.microsoft.com/help/5034765 |
| Feb 13th, 2024 | Windows 10 Version 21H2 for x64-based Systems | 10.0.19044.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 21H2 for ARM64-based Systems | 10.0.19044.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 10 Version 21H2 for 32-bit Systems | 10.0.19044.4046 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034763 | https://support.microsoft.com/help/5034763 |
| Feb 13th, 2024 | Windows 11 version 21H2 for ARM64-based Systems | 10.0.22000.2777 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034766 | https://support.microsoft.com/help/5034766 |
| Feb 13th, 2024 | Windows 11 version 21H2 for x64-based Systems | 10.0.22000.2777 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034766 | https://support.microsoft.com/help/5034766 |
| Feb 13th, 2024 | Windows Server 2022 (Server Core installation) | 10.0.20348.2322 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770 | https://support.microsoft.com/help/5034770 |
| Feb 13th, 2024 | Windows Server 2022 | 10.0.20348.2322 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770 | https://support.microsoft.com/help/5034770 |
| Feb 13th, 2024 | Windows Server 2019 (Server Core installation) | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows Server 2019 | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows 10 Version 1809 for ARM64-based Systems | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows 10 Version 1809 for x64-based Systems | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |
| Feb 13th, 2024 | Windows 10 Version 1809 for 32-bit Systems | 10.0.17763.5458 | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768 | https://support.microsoft.com/help/5034768 |

Solution

Apply the latest Microsoft Windows OS update:
– https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
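A practical way to use the patch table above is to compare a host's build number against the minimum patched build for its OS baseline. The following Python script is an added example for this advisory, not code from ASEC or a Microsoft tool: the PATCHED_BUILDS mapping is copied from the table (the build field identifies the OS baseline, the last field is the update build revision, UBR), the registry values CurrentBuildNumber and UBR under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion are the standard locations Windows records them in, and the sample version strings at the bottom are constructed. A build that is not in the table is reported as "not_listed", meaning only that this advisory does not cover that baseline, not that it is safe.

```python
"""Compare a Windows build string (10.0.<build>.<UBR>) with the builds
that contain the CVE-2024-21338 fix, using the advisory's patch table.
Added example for this advisory; not an ASEC or Microsoft tool."""
import re
import sys
from typing import Optional

# Minimum patched build per OS baseline, copied from the patch table.
# Key: OS build number; value: (minimum patched UBR, product description).
PATCHED_BUILDS = {
    25398: (709, "Windows Server 2022, 23H2 Edition (Server Core installation)"),
    22631: (3155, "Windows 11 Version 23H2"),
    22621: (3155, "Windows 11 Version 22H2"),
    22000: (2777, "Windows 11 version 21H2"),
    20348: (2322, "Windows Server 2022"),
    19045: (4046, "Windows 10 Version 22H2"),
    19044: (4046, "Windows 10 Version 21H2"),
    17763: (5458, "Windows 10 Version 1809 / Windows Server 2019"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple:
    """Return (build, ubr) from a string such as '10.0.19045.4046'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    major, minor, build, ubr = (int(x) for x in m.groups())
    if (major, minor) != (10, 0):
        # All builds in the table are 10.0.x.y; anything else is out of scope.
        raise ValueError(f"not a Windows 10/11/Server 2019+ build: {version!r}")
    return build, ubr


def assess(version: str) -> str:
    """Classify a build string as 'patched', 'vulnerable' or 'not_listed'.

    'not_listed' means the OS baseline is absent from this advisory's
    table, which says nothing about whether that baseline is affected."""
    build, ubr = parse_build(version)
    entry = PATCHED_BUILDS.get(build)
    if entry is None:
        return "not_listed"
    min_ubr, _product = entry
    return "patched" if ubr >= min_ubr else "vulnerable"


def local_windows_version() -> Optional[str]:
    """On Windows, read the running build and UBR from the registry.
    Returns None on other platforms so the script still runs there."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    try:
        build = winreg.QueryValueEx(key, "CurrentBuildNumber")[0]  # REG_SZ
        ubr = winreg.QueryValueEx(key, "UBR")[0]                   # REG_DWORD
    finally:
        winreg.CloseKey(key)
    return f"10.0.{build}.{ubr}"


if __name__ == "__main__":
    # Constructed sample inputs: exactly at the patched build, one revision
    # short of it, and a baseline the advisory's table does not list.
    samples = ["10.0.19045.4046", "10.0.22621.3007", "10.0.26100.1"]
    local = local_windows_version()
    if local:
        samples.insert(0, local)  # assess the local machine first, if on Windows
    for v in samples:
        print(f"{v:20s} {assess(v)}")
```

Run it on the host to check (or feed it build strings collected from inventory tooling); a result of "vulnerable" means the host's UBR is below the one the advisory's table lists for that baseline.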

Reference

• Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day – Avast Threat Labs
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
• https://knvd.krcert.or.kr/elkDetail.do?CVEID=CVE-2024-21338

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
