Published on Aug 13, 2024 • Last updated on Nov 15, 2024
Windows Power Dependency Coordinator Elevation of Privilege Vulnerability (CVE-2024-38107)
Exploit
CVE-2024-38107 (CVSS 7.8) is a use-after-free in the Windows Power Dependency Coordinator. An attacker who already runs code as a low-privileged local user can trigger it without any user interaction and gain SYSTEM, so it turns any initial foothold into a full host compromise (confidentiality, integrity and availability) on the multiple Windows versions it affects. Microsoft reported it as exploited in the wild when the fix shipped and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog, so it belongs on the KEV remediation timeline rather than the routine patch cycle.
Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-38106)
Exploit
CVE-2024-38106 is a Windows kernel elevation of privilege that a low-privileged local user can exploit, with no user interaction, to reach SYSTEM. The attacker has to win a race condition, which is why Microsoft scores it 7.0 rather than the 7.8 usual for this bug class; a race only costs exploit reliability, and this one was already being exploited in the wild when the update was released. Successful exploitation gives complete control over the host's confidentiality, integrity and availability. It is in CISA's KEV catalog and should be patched on that timeline.
Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063)
Exploit
CVE-2024-38063 (CVSS 9.8) is a remote code execution flaw in the Windows TCP/IP stack (tcpip.sys). An unauthenticated attacker triggers it by sending specially crafted IPv6 packets to the target; no user interaction is needed and the vulnerable code runs in the kernel, so success means full control of the host: creating accounts, altering data and running arbitrary programs. It affects multiple Windows versions. Microsoft's advisory states that a system with IPv6 disabled is not affected, which is the only interim mitigation; hosts that accept IPv6 from untrusted networks, and internet-facing hosts in particular, should be patched first. Several public proof-of-concept exploits exist and the attack complexity is low, so systems left unpatched are realistically exploitable.
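As an added example (not code from the original page or from Microsoft), the following PowerShell reports which adapters on a host still have the IPv6 transport bound, which is the exposure that matters for this flaw, and wraps the interim mitigation from the advisory (unbinding IPv6) behind an explicit opt-in. The function names, the adapter filter and the decision to unbind are assumptions made for this example; unbinding IPv6 breaks anything that depends on it, so it is a stop-gap until the update is installed, not a replacement for it.

```powershell
# Added example, not code from the original page or from Microsoft.
# Needs an elevated session with the NetAdapter / NetTCPIP modules
# (Windows 8 / Server 2012 and later). Function names are chosen for this example.

function Get-Ipv6Exposure {
    # Every adapter with the IPv6 transport (ms_tcpip6) bound can hand crafted
    # IPv6 packets to tcpip.sys, so each one is an entry point for CVE-2024-38063.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
        $addrs = @(Get-NetIPAddress -InterfaceAlias $_.Name -AddressFamily IPv6 -ErrorAction SilentlyContinue)
        # Link-local (fe80::/10) addresses are reachable only from the same segment;
        # anything else means the adapter is reachable from routed IPv6 networks.
        $global = @($addrs | Where-Object { $_.IPAddress -notlike 'fe80:*' })
        [pscustomobject]@{
            Adapter         = $_.Name
            Ipv6Bound       = $_.Enabled
            GlobalAddresses = $global.Count
            Addresses       = ($addrs.IPAddress -join ', ')
        }
    }
}

function Disable-Ipv6Transport {
    # Interim mitigation from the Microsoft advisory: a host with IPv6 disabled is
    # not affected. This unbinds IPv6 from the chosen adapters. It breaks services
    # that rely on IPv6 (DirectAccess, IPv6-only segments, some clustering), so use
    # it only where the update cannot be installed yet, and re-enable afterwards.
    param(
        [string]$AdapterName = '*',
        [switch]$Force
    )
    if (-not $Force) {
        Write-Warning 'Nothing changed. Re-run with -Force to unbind IPv6; installing the update is the real fix.'
        return
    }
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6 -PassThru
}

function Enable-Ipv6Transport {
    # Reverts Disable-Ipv6Transport once the host is patched.
    param([string]$AdapterName = '*')
    Enable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6 -PassThru
}

# Usage: review exposure first, then decide per adapter.
Get-Ipv6Exposure | Format-Table -AutoSize
# Disable-Ipv6Transport -AdapterName 'Ethernet' -Force
```

An adapter that shows `Ipv6Bound = True` with zero global addresses is still reachable by anything on the same link (a compromised neighbour, a rogue device), so the patch matters there too; the count only tells you which hosts an attacker can reach from further away.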
Windows Pragmatic General Multicast (PGM) Server Memory Corruption (CVE-2024-38140)
Published description: A memory corruption vulnerability exists in the Pragmatic General Multicast server in the Microsoft Windows 10 kernel. Specially crafted network packets can lead to access of a stale memory structure, resulting in memory corruption. An attacker can send a sequence of malicious packets to trigger this vulnerability.
CVE-2024-38140 (CVSS 9.8) is a memory corruption bug in the kernel-mode PGM server (the Reliable Multicast transport driver). An unauthenticated remote attacker sends a sequence of crafted PGM packets that make the driver dereference a stale memory structure; no user interaction is involved and the result is code execution in the kernel with complete loss of confidentiality, integrity and availability. Unlike the TCP/IP flaw above, the packets only reach vulnerable code when a program on the host has a PGM socket open, so exposure is limited to machines where MSMQ multicast support is installed and something is actually listening. Enterprise environments that use PGM-based multicast should inventory those listeners and patch them first.
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2024-38193)
Exploit
CVE-2024-38193 (CVSS 7.8, high rather than critical) is a use-after-free in afd.sys, the Ancillary Function Driver that backs Winsock. A local attacker with low privileges can exploit it without user interaction to run code as SYSTEM, which gives full control of the host including access to sensitive data and the ability to modify the system. It affects multiple Windows versions, both desktop and Server editions, was exploited in the wild before the patch, and is listed in CISA's KEV catalog. A second AFD elevation-of-privilege bug, CVE-2024-38141, was fixed in the same release and should be deployed together with it; attack complexity is low for both.
Microsoft Project Remote Code Execution Vulnerability (CVE-2024-38189)
Exploit
CVE-2024-38189 (CVSS 8.8) is a remote code execution bug in Microsoft Project triggered by opening a malicious Project file, delivered as an e-mail attachment or hosted on a web site the victim is lured to. It only works when the policy that blocks macros in Office files from the internet is disabled and VBA macro notification settings are not enabled; in that configuration the attacker's code runs with the victim's privileges and can read, alter or destroy data and take over the user's session, so confidentiality, integrity and availability are all at stake. A public proof of concept exists and Microsoft reported in-the-wild exploitation at release, so verify that the macro-blocking policies are enforced in addition to deploying the update.
Scripting Engine Memory Corruption Vulnerability (CVE-2024-38178)
Exploit
CVE-2024-38178 (CVSS 7.5) is a memory corruption bug in the legacy scripting engine that Microsoft Edge uses when a site is rendered in Internet Explorer Mode. An unauthenticated attacker hosts a page with a specially crafted URL; if a logged-on user clicks it in Edge while IE Mode is active for that site, the attacker's code runs with that user's privileges, with full impact on the confidentiality, integrity and availability of everything the user can reach. Microsoft rates the attack complexity high because of the IE Mode prerequisite, but the flaw was actively exploited in the wild, so organisations that still maintain IE Mode site lists should treat it as a priority.
Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability (CVE-2024-38144, CVE-2024-38134, CVE-2024-38125)
Three elevation-of-privilege bugs in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys, the 32-bit-on-64-bit compatibility layer for kernel streaming) were fixed this month. An attacker with minimal privileges can exploit them without user interaction to gain SYSTEM on affected Windows systems. Two are scored 7.8; CVE-2024-38144 is scored 8.8 with a network attack vector and low complexity, which is what makes it especially attractive to an attacker who has already gained an initial foothold on a network. None was reported as exploited at release, but a kernel privilege escalation implies complete loss of confidentiality, integrity and availability, which keeps all three high on the list.
Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability (CVE-2024-38199)
Exploit
CVE-2024-38199 (CVSS 9.8) lets an unauthenticated attacker on the network execute arbitrary code by sending a specially crafted print task to the Windows Line Printer Daemon service, which listens on TCP port 515. No user interaction is required and successful exploitation means complete system compromise. The mitigating factor is exposure: LPD is not installed by default and has been deprecated since Windows Server 2012, so only hosts where someone added the legacy LPD printing feature (typically to serve old Unix clients or printers) are reachable. Inventory those hosts, confirm whether port 515 is actually listening and reachable through the firewall, and either remove the feature or patch immediately.
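The two network-reachable services above, LPD (CVE-2024-38199) and the PGM server (CVE-2024-38140), are both off by default, so the useful question per host is "is it even reachable?". The following PowerShell is an added example, not code from the original page or from Microsoft, that answers it from the host side. It assumes LPD runs as the service LPDSVC on TCP 515, that the PGM transport is the RMCAST driver installed with the MSMQ multicasting feature (MSMQ-Multicasting on Server, MSMQ-Multicast on client), and that it is run elevated; the function names are chosen for this example.

```powershell
# Added example, not code from the original page or from Microsoft. Run elevated.
# Assumptions: LPD = service LPDSVC on TCP 515; PGM = RMCAST driver, installed with
# the MSMQ multicasting feature. Function names are chosen for this example.

function Get-LpdExposure {
    $svc      = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    # Enabled inbound firewall rules that open 515/TCP. Port ranges ("500-600")
    # are not expanded here; a '515' entry is matched exactly.
    $rules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
             Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains '515') } |
             Get-NetFirewallRule |
             Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{
        LpdServicePresent = [bool]$svc
        LpdServiceStatus  = if ($svc) { "$($svc.Status)" } else { 'not installed' }
        Port515Listening  = [bool]$listener
        ListeningProcess  = if ($listener) { (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName } else { $null }
        InboundRulesOpen  = @($rules).Count
    }
}

function Get-PgmExposure {
    # PGM is only reachable if some process holds a PGM socket. Those sockets are
    # neither TCP nor UDP, so Get-NetTCPConnection/Get-NetUDPEndpoint cannot show
    # them; the best host-side signal is whether the transport is present and the
    # usual consumer (MSMQ) is running.
    $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKUs expose the feature through ServerManager.
        $feat = Get-WindowsFeature -Name MSMQ-Multicasting -ErrorAction SilentlyContinue
        $featInstalled = [bool]($feat -and $feat.Installed)
    } else {
        # Client SKUs expose it as an optional feature (DISM module).
        $feat = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast -ErrorAction SilentlyContinue
        $featInstalled = [bool]($feat -and $feat.State -eq 'Enabled')
    }
    [pscustomobject]@{
        RmcastDriverPresent       = [bool]$driver
        RmcastDriverState         = if ($driver) { $driver.State } else { 'absent' }
        MulticastFeatureInstalled = $featInstalled
        MsmqServiceRunning        = ((Get-Service -Name MSMQ -ErrorAction SilentlyContinue).Status -eq 'Running')
    }
}

# Usage: a host where both reports come back "not installed" / "absent" is not
# reachable through CVE-2024-38199 or CVE-2024-38140 regardless of patch state.
Get-LpdExposure | Format-List
Get-PgmExposure | Format-List
```

Where `LpdServicePresent` is true and nobody can name a client that needs it, removing the role (on Server, the `Print-LPD-Service` feature) is the cleaner fix than patching a deprecated service; where `Port515Listening` is true but the owning process is not the LPD service, something else has taken the port and this check is not telling you about LPD at all.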
Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2024-38213)
Exploit
CVE-2024-38213 (CVSS 6.5, moderate in score but serious in practice) lets an attacker deliver a file that arrives without the Mark of the Web, the zone tag Windows stamps on content downloaded from the internet and that SmartScreen, Office Protected View and similar controls key on. When the victim opens such a file, the usual warnings and restrictions for untrusted content do not fire, so the attacker's payload runs as if it were local, which makes the bug an effective first stage for code execution and system manipulation. It was exploited in the wild before the fix and has been added to CISA's KEV catalog; install the update, and treat any recently downloaded file that lacks a Zone.Identifier stream with suspicion.
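The Mark of the Web is nothing more than a small `Zone.Identifier` alternate data stream on an NTFS file, and a bypass of this kind produces a file that is missing it (or carries a zone below Internet). The PowerShell below is an added example, not code from the original page or from Microsoft: it parses that stream, hunts a folder for recent files that arrived without it, and can re-stamp a file the way a browser would. The function names, the default folder, the extension list and the constructed sample file are assumptions for this example.

```powershell
# Added example, not code from the original page or from Microsoft.
# Reads and writes the Zone.Identifier alternate data stream (the Mark of the Web)
# on NTFS volumes; works in Windows PowerShell 5.1 and PowerShell 7.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Get-Item -LiteralPath $Path).FullName
    # Absence of the stream is exactly what a MOTW bypass produces: the file looks local.
    $lines = Get-Content -LiteralPath $full -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) {
        return [pscustomobject]@{ Path = $full; HasMotw = $false; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    }
    # The stream is a tiny INI file: a [ZoneTransfer] section followed by Key=Value lines.
    $kv = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path        = $full
        HasMotw     = $true
        # 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted; Protected View
        # and SmartScreen act on 3 and 4.
        ZoneId      = if ($kv.ContainsKey('ZoneId')) { [int]$kv['ZoneId'] } else { $null }
        HostUrl     = $kv['HostUrl']
        ReferrerUrl = $kv['ReferrerUrl']
    }
}

function Find-UnmarkedRecentFiles {
    # Hunt: recently written files of risky types that carry no MOTW or a zone
    # below Internet. Locally created documents are legitimate hits; everything
    # else (especially executables, scripts, macro-enabled Office files and
    # container formats) deserves a look.
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        [int]$Days = 7,
        [string[]]$Extensions = @('.exe', '.dll', '.lnk', '.js', '.vbs', '.ps1', '.docm', '.xlsm', '.iso', '.zip')
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) -and $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
        Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 }
}

function Set-MarkOfTheWeb {
    # Stamp a file the way a browser would: re-mark a file that lost its tag, or
    # build a known-good sample for testing the functions above.
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3, [string]$HostUrl = 'about:internet')
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value @('[ZoneTransfer]', "ZoneId=$ZoneId", "HostUrl=$HostUrl")
}

# Demonstration on a constructed file (not a real download): unmarked, then marked.
$sample = Join-Path $env:TEMP 'motw-sample.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample'
Get-MarkOfTheWeb -Path $sample
Set-MarkOfTheWeb -Path $sample -HostUrl 'https://example.invalid/sample.txt'
Get-MarkOfTheWeb -Path $sample
Remove-Item -LiteralPath $sample
Find-UnmarkedRecentFiles | Format-Table Path, HasMotw, ZoneId -AutoSize
```

Two caveats for the hunt: files on FAT/exFAT volumes (USB sticks) never carry the stream, so a missing tag there proves nothing, and files extracted from archives or copied from network shares keep or lose the tag depending on the tool that handled them, which is precisely the class of behaviour this vulnerability abuses.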
CVE ID and title | CVSS Score | Product | Trend | Exploit |
---|---|---|---|---|
CVE-2024-38223: Windows Initial Machine Configuration Elevation of Privilege Vulnerability | CVSS 6.8 | windows | - | |
CVE-2024-38219: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVSS 6.5 | edge | - | |
CVE-2024-38218: Microsoft Edge (HTML-based) Memory Corruption Vulnerability | CVSS 8.4 | edge | - | |
CVE-2024-38215: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38214: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | CVSS 6.5 | windows | - | |
CVE-2024-38213: Windows Mark of the Web Security Feature Bypass Vulnerability | CVSS 6.5 | windows | Aug 13, 2024 | |
CVE-2024-38211: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | CVSS 8.2 | dynamics_365 | - | |
CVE-2024-38206: An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network. | CVSS 8.5 | copilot_studio | - | |
CVE-2024-38202 (Microsoft advisory text as published):
**Summary**
Microsoft was notified that an elevation of privilege vulnerability exists in Windows Backup, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). However, an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful.
Microsoft is developing a security update to mitigate this threat, but it is not yet available. Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the **Recommended Actions** section of this CVE.
This CVE will be updated, and customers will be notified when the official mitigation is available in a Windows security update. We highly encourage customers to subscribe to Security Update Guide notifications to receive an alert when this update occurs.
**Details**
A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows Backup potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of VBS. For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability.
Microsoft is developing a security update that will mitigate this vulnerability, but it is not yet available. This CVE will be updated with new information and links to the security updates once available. We highly encourage customers to subscribe to Security Update Guide notifications to be alerted of updates. See [Microsoft Technical Security Notifications](https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1) and [Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center](https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notification-system-news-create-your-profile-now/).
Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024. The presentation was appropriately coordinated with Microsoft but may change the threat landscape. Customers concerned with these risks should reference the guidance provided in the **Recommended Actions** section to protect their systems.
**Recommended Actions**
The following recommendations do not mitigate the vulnerability but can be used to reduce the risk of exploitation until the security update is available.
- Audit users with permission to perform Backup and Restore operations to ensure only the appropriate users can perform these operations.
  - [Audit: Audit the use of Backup and Restore privilege (Windows 10) - Windows 10 | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege)
- Implement an Access Control List or Discretionary Access Control Lists to restrict the access or modification of Backup files and perform Restore operations to appropriate users, for example administrators only.
  - [Access Control overview | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use)
  - [Discretionary Access Control Lists (DACL)](https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl)
- Auditing sensitive privileges used to identify access, modification, or replacement of Backup related files could help indicate attempts to exploit this vulnerability.
  - [Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use)
| CVSS 7.3 | windows | Aug 8, 2024 | |
CVE-2024-38201: Azure Stack Hub Elevation of Privilege Vulnerability | CVSS 7 | azure_stack_hub | - | |
CVE-2024-38200: Microsoft Office Spoofing Vulnerability | CVSS 6.5 | 365_apps | Aug 13, 2024 | |
CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability | CVSS 9.8 | windows | Aug 13, 2024 | |
CVE-2024-38198: Windows Print Spooler Elevation of Privilege Vulnerability | CVSS 7.5 | windows | - | |
CVE-2024-38197: Microsoft Teams for iOS Spoofing Vulnerability | CVSS 6.5 | teams | - | |
CVE-2024-38196: Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38195: Azure CycleCloud Remote Code Execution Vulnerability | CVSS 7.8 | azure_cyclecloud | - | |
CVE-2024-38193: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVSS 7.8 | windows | Aug 13, 2024 | |
CVE-2024-38191: Kernel Streaming Service Driver Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38189: Microsoft Project Remote Code Execution Vulnerability | CVSS 8.8 | 365_apps | Aug 13, 2024 | |
CVE-2024-38187: An out-of-bounds read vulnerability exists in the License Update Field Type 0x20 functionality of Microsoft Windows CLIPSP.SYS 10.0.22621 Build 22621, 10.0.26080.1 and 10.0.26085.1. A specially crafted license blob can lead to denial of service. An attacker can use the NtQuerySystemInformation function call to trigger this vulnerability. | CVSS 7.8 | windows | - | |
CVE-2024-38186: A privilege escalation vulnerability exists in the License update functionality of Microsoft CLIPSP.SYS 10.0.22621 Build 22621, 10.0.26080.1 and 10.0.26085.1. A specially crafted license blob can lead to privilege escalation. An attacker can use the NtQuerySystemInformation function call to trigger this vulnerability. | CVSS 7.8 | windows | - | |
CVE-2024-38185: Multiple out-of-bounds read vulnerabilities exist in the License update functionality of Microsoft CLIPSP.SYS 10.0.22621 Build 22621, 10.0.26080.1 and 10.0.26085.1. A specially crafted license blob can lead to information disclosure. An attacker can use the NtQuerySystemInformation function call to trigger this vulnerability. | CVSS 7.8 | windows | - | |
CVE-2024-38184: A signature check bypass vulnerability exists in the License update functionality of Microsoft CLIPSP.SYS 10.0.22621 Build 22621, 10.0.26080.1 and 10.0.26085.1. A specially crafted license blob can lead to license tampering. An attacker can use the NtQuerySystemInformation function call to trigger this vulnerability. | CVSS 7.8 | windows | - | |
CVE-2024-38180: Windows SmartScreen Security Feature Bypass Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38178: Scripting Engine Memory Corruption Vulnerability | CVSS 7.5 | windows | Aug 13, 2024 | |
CVE-2024-38177: Windows App Installer Spoofing Vulnerability | CVSS 7.8 | app_installer | - | |
CVE-2024-38173: Microsoft Outlook Remote Code Execution Vulnerability | CVSS 6.7 | 365_apps | - | |
CVE-2024-38172: Microsoft Excel Remote Code Execution Vulnerability | CVSS 7.8 | 365_apps | - | |
CVE-2024-38171: Microsoft PowerPoint Remote Code Execution Vulnerability | CVSS 7.8 | 365_apps | - | |
CVE-2024-38170: Microsoft Excel Remote Code Execution Vulnerability | CVSS 7.1 | 365_apps | - | |
CVE-2024-38169: Microsoft Office Visio Remote Code Execution Vulnerability | CVSS 7.8 | 365_apps | - | |
CVE-2024-38168: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when an attacker, through unauthenticated requests, may trigger a Denial of Service in the ASP.NET HTTP.sys web server. This is a Windows-only vulnerability. | CVSS 7.5 | .net | - | |
CVE-2024-38167: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in the .NET runtime TlsStream which may result in Information Disclosure. | CVSS 6.5 | .net | - | |
CVE-2024-38166: An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user into clicking a link. | CVSS 8.2 | dynamics_365 | - | |
CVE-2024-38165: Windows Compressed Folder Tampering Vulnerability | CVSS 6.5 | windows | - | |
CVE-2024-38163: Windows Update Stack Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38162: Azure Connected Machine Agent Elevation of Privilege Vulnerability | CVSS 7.8 | azure_connected_machine_agent | - | |
CVE-2024-38161: Windows Mobile Broadband Driver Remote Code Execution Vulnerability | CVSS 6.8 | windows_10_1809 | - | |
CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability | CVSS 9.1 | windows | - | |
CVE-2024-38159: Windows Network Virtualization Remote Code Execution Vulnerability | CVSS 9.1 | windows | - | |
CVE-2024-38158: Azure IoT SDK Remote Code Execution Vulnerability | CVSS 7 | azure | - | |
CVE-2024-38157: Azure IoT SDK Remote Code Execution Vulnerability | CVSS 7 | azure | - | |
CVE-2024-38155: Security Center Broker Information Disclosure Vulnerability | CVSS 5.5 | windows | - | |
CVE-2024-38154: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38153: Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 | windows | Aug 13, 2024 | |
CVE-2024-38152: Windows OLE Remote Code Execution Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38151: Windows Kernel Information Disclosure Vulnerability | CVSS 5.5 | windows | - | |
CVE-2024-38150: Windows DWM Core Library Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38148: Windows Secure Channel Denial of Service Vulnerability | CVSS 7.5 | windows | - | |
CVE-2024-38147: Microsoft DWM Core Library Elevation of Privilege Vulnerability | CVSS 7.8 | windows_10_21h2 | - | |
CVE-2024-38146: Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability | CVSS 7.5 | windows_10_1507 | - | |
CVE-2024-38145: Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability | CVSS 7.5 | windows | - | |
CVE-2024-38144: Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | CVSS 8.8 | windows_10_1507 | - | |
CVE-2024-38143: Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | CVSS 4.2 | windows | - | |
CVE-2024-38142: Windows Secure Kernel Mode Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38141: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVSS 7.8 | windows | Aug 13, 2024 | |
CVE-2024-38140: A memory corruption vulnerability exists in the Pragmatic General Multicast server in the Microsoft Windows 10 kernel. Specially crafted network packets can lead to access of a stale memory structure, resulting in memory corruption. An attacker can send a sequence of malicious packets to trigger this vulnerability. | CVSS 9.8 | windows | - | |
CVE-2024-38138: Windows Deployment Services Remote Code Execution Vulnerability | CVSS 7.5 | windows | - | |
CVE-2024-38137: Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability | CVSS 7 | windows | - | |
CVE-2024-38136: Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability | CVSS 7 | windows | - | |
CVE-2024-38135: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38134: Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38133: Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38132: Windows Network Address Translation (NAT) Denial of Service Vulnerability | CVSS 7.5 | windows | - | |
CVE-2024-38131: Clipboard Virtual Channel Extension Remote Code Execution Vulnerability | CVSS 8.8 | remote_desktop | - | |
CVE-2024-38130: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38128: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38127: Windows Hyper-V Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38126: Windows Network Address Translation (NAT) Denial of Service Vulnerability | CVSS 7.5 | windows | - | |
CVE-2024-38125: Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38123: Windows Bluetooth Driver Information Disclosure Vulnerability | CVSS 4.4 | windows | - | |
CVE-2024-38122: Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | CVSS 5.5 | server | - | |
CVE-2024-38121: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38120: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38118: Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | CVSS 5.5 | server | - | |
CVE-2024-38117: NTFS Elevation of Privilege Vulnerability | CVSS 7.8 | windows | - | |
CVE-2024-38116: Windows IP Routing Management Snapin Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38115: Windows IP Routing Management Snapin Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38114: Windows IP Routing Management Snapin Remote Code Execution Vulnerability | CVSS 8.8 | windows | - | |
CVE-2024-38109: An authenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network. | CVSS 9.1 | azure | - | |
CVE-2024-38108: Azure Stack Hub Spoofing Vulnerability | CVSS 9.3 | azure_stack_hub | - | |
CVE-2024-38107: Windows Power Dependency Coordinator Elevation of Privilege Vulnerability | CVSS 7.8 | windows | Aug 13, 2024 | |
CVE-2024-38106: Windows Kernel Elevation of Privilege Vulnerability | CVSS 7 | windows | Aug 13, 2024 | |
CVE-2024-38098: Azure Connected Machine Agent Elevation of Privilege Vulnerability | CVSS 7.8 | azure_connected_machine_agent | - | |
CVE-2024-38084: Microsoft OfficePlus Elevation of Privilege Vulnerability | CVSS 7.8 | officeplus | - | |
CVE-2024-38063: Windows TCP/IP Remote Code Execution Vulnerability | CVSS 9.8 | windows | Sep 8, 2024 | |
CVE-2024-37968: Windows DNS Spoofing Vulnerability | CVSS 7.5 | windows_server_2008 | - | |
CVE-2024-29995: Windows Kerberos Elevation of Privilege Vulnerability | CVSS 8.1 | windows | - | |
CVE-2024-21302 (Microsoft advisory text as published):
**Summary:**
Microsoft was notified that an elevation of privilege vulnerability exists in Windows based systems supporting [Virtualization Based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) (VBS) including a subset of Azure Virtual Machine SKUS; enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS.
Microsoft is developing a security update to mitigate this threat, but it is not yet available. Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the **Recommended Actions** section of this CVE.
This CVE will be updated when the mitigation is available in a Windows security update. We highly encourage customers to [subscribe](https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1) to Security Update Guide notifications to receive an alert when this update occurs.
**Details:**
A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows 10, Windows 11, Windows Server 2016, and higher based systems including Azure Virtual Machines (VM) that support VBS. For more information on Windows versions and VM SKUs supporting VBS, reference: Virtualization-based Security (VBS) | Microsoft Learn.
The vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions. Successful exploitation provides an attacker with the ability to reintroduce previously mitigated vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS.
Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions. This CVE will be updated with new information and links to the security updates once available. We highly encourage customers to subscribe to Security Update Guide notifications to be alerted of updates. For more information see [Microsoft Technical Security Notifications](https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1) and [Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center](https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notification-system-news-create-your-profile-now/).
Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024. The presentation was appropriately coordinated with Microsoft but may change the threat landscape. Customers concerned with these risks should reference the guidance provided in the **Recommended Actions** section to protect their systems.
**Recommended Actions:**
The following recommendations do not mitigate the vulnerability but can be used to reduce the risk of exploitation until the security update is available.
Configure “Audit Object Access” settings to monitor attempts to access files, such as handle creation, read / write operations, or modifications to security descriptors.
- [Audit File System - Windows 10 | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system)
- [Apply a basic audit policy on a file or folder - Windows 10 | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder)
Auditing sensitive privileges used to identify access, modification, or replacement of VBS and Backup related files could help indicate attempts to exploit this vulnerability.
- [Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use)
Protect your cloud users on your tenant: Investigate the user risk by going to Azure Active Directory to review Identity Protection’s Risk Reports and rotate credentials for any flagged administrators. In addition, enable Multi-Factor Authentication to alleviate concerns about exposure.
**Detections:**
A detection has been added to Microsoft Defender for Endpoint (MDE) to alert customers using this product of an exploit attempt. Instructions for how Azure customers can integrate and enable MDE with Defender for Cloud are found here:
- [Integration with Microsoft Defender for Cloud - Microsoft Defender for Endpoint | Microsoft Learn](https://learn.microsoft.com/en-us/defender-endpoint/azure-server-integration)
- [Enable the Defender for Endpoint integration - Microsoft Defender for Cloud | Microsoft Learn](https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-defender-for-endpoint)
**Note**: False positives may be triggered by legitimate operations due to detection logic. Customers should investigate any alert for this detection to validate the root cause.
| CVSS 6.7 | windows_10 | Aug 8, 2024 | |
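The interim guidance for CVE-2024-38202 and CVE-2024-21302 above comes down to the same three controls: know who holds the Backup and Restore privileges, make their use generate Security events, and put a SACL on the files whose replacement you care about. The PowerShell below is an added example, not code from the original page or from Microsoft, that implements all three and then reads the resulting events back. It assumes an elevated session on the host being hardened; the function names and the audited path are chosen for this example, and the registry value behind the "Audit the use of Backup and Restore privilege" policy (FullPrivilegeAuditing under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the secedit area name are assumptions to verify against your build.

```powershell
# Added example, not code from the original page or from Microsoft. Run elevated.
# Function names and paths are chosen for this example; the FullPrivilegeAuditing
# registry value and the USER_RIGHTS secedit area are assumptions to verify.

function Enable-BackupRestoreAuditing {
    # Windows excludes SeBackupPrivilege/SeRestorePrivilege from privilege-use
    # auditing by default because of event volume; this policy value puts them back
    # so that 4673/4674 events are generated for them (may need a restart).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name FullPrivilegeAuditing -Type Binary -Value ([byte[]]@(1))
    auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
    # File System auditing (event 4663) only fires for objects that carry a SACL.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
}

function Add-FileAuditRule {
    # Put a SACL on a backup or system-file location so writes and replacements are logged.
    param([Parameter(Mandatory)][string]$Path, [string]$Identity = 'Everyone')
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, 'Write,Delete,ChangePermissions,TakeOwnership',
        'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-BackupRestorePrivilegeHolders {
    # Export the effective user-rights assignment and resolve who holds the two
    # rights; anything beyond Administrators and Backup Operators deserves a question.
    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -LiteralPath $cfg
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    foreach ($right in 'SeBackupPrivilege', 'SeRestorePrivilege') {
        $entry = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $ids   = if ($entry) { (($entry -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } } else { @() }
        [pscustomobject]@{
            Privilege = $right
            Holders   = @($ids | ForEach-Object {
                $id = $_
                # secedit writes SIDs as *S-1-5-..., names as plain text.
                if ($id -like '*S-1-*') {
                    try { (New-Object System.Security.Principal.SecurityIdentifier($id.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $id }
                } else { $id }
            })
        }
    }
}

function Get-BackupRestorePrivilegeUse {
    # 4673 = privileged service called, 4674 = operation attempted on a privileged
    # object; both carry PrivilegeList, which is what the filter keys on.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4673, 4674; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['PrivilegeList'] -match 'SeBackupPrivilege|SeRestorePrivilege') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process    = $data['ProcessName']
                Object     = $data['ObjectName']
                Privileges = $data['PrivilegeList']
            }
        }
    }
}

# Usage (the backup path is an assumption for this example):
Enable-BackupRestoreAuditing
Add-FileAuditRule -Path 'D:\Backups'
Get-BackupRestorePrivilegeHolders | Format-List
Get-BackupRestorePrivilegeUse -Hours 24 | Format-Table -AutoSize
```

Expect the privilege-use query to be noisy once the policy is on: legitimate backup agents and some installers use these rights constantly, so the signal is an unexpected user, an unexpected process (a restore launched from an interactive session or a script rather than the backup agent) or an object under the VBS or system-file paths. Feed the output to whatever central logging you have rather than reading it on the host, since an attacker with administrator rights, which CVE-2024-21302 presupposes, can clear the local log.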