Virtualization Based Security</a> (VBS) including a subset of Azure Virtual Machine SKUS; enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS.</p> <p>Microsoft is developing a security update to mitigate this threat, but it is not yet available. Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the <strong>Recommended Actions</strong> section of this CVE.</p> <p>This CVE will be updated when the mitigation is available in a Windows security update. We highly encourage customers to <a href=https://feedly.com/cve/"https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1%22>subscribe to Security Update Guide notifications to receive an alert when this update occurs.</p> <h2 id="details">Details:</h2> <p>A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows 10, Windows 11, Windows Server 2016, and higher based systems including Azure Virtual Machines (VM) that support VBS. For more information on Windows versions and VM SKUs supporting VBS, reference: Virtualization-based Security (VBS) | Microsoft Learn.</p> <p>The vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions. Successful exploitation provides an attacker with the ability to reintroduce previously mitigated vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS.</p> <p>Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions. This CVE will be updated with new information and links to the security updates once available. We highly encourage customers subscribe to Security Update Guide notifications to be alerted of updates. For more information see <a href=https://feedly.com/cve/"https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1%22>Microsoft Technical Security Notifications</a> and <a href=https://feedly.com/cve/"https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notification-system-news-create-your-profile-now/">Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center</a></p> <p>Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024. The presentation was appropriately coordinated with Microsoft but may change the threat landscape. Customers concerned with these risks should reference the guidance provided in the <strong>Recommended Actions</strong> section to protect their systems.</p> <h2 id="recommended-actions">Recommended Actions:</h2> <p>The following recommendations do not mitigate the vulnerability but can be used to reduce the risk of exploitation until the security update is available.</p> <p>Configure “Audit Object Access” settings to monitor attempts to access files, such as handle creation, read / write operations, or modifications to security descriptors.</p> <ul> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system">Audit File System - Windows 10 | Microsoft Learn </a></li> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder">Apply a basic audit policy on a file or folder - Windows 10 | Microsoft Learn</a></li> </ul> <p>Auditing sensitive privileges used to identify access, modification, or replacement of VBS and Backup related files could help indicate attempts to exploit this vulnerability.</p> <ul> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use">Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn</a></li> </ul> <p>Protect your cloud users on your tenant: Investigate the user risk by going to Azure Active Directory to review Identity Protection’s Risk Reports and rotate credentials for any flagged administrators. In addition, enable Multi-Factor Authentication to alleviate concerns about exposure.</p> <h2 id="detections">Detections:</h2> <p>A detection has been added to Microsoft Defender for Endpoint (MDE) to alert customers using this product of an exploit attempt. Instructions for how Azure customers can integrate and enable MDE with Defender for Cloud are found here:</p> <ul> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/defender-endpoint/azure-server-integration">Integration with Microsoft Defender for Cloud - Microsoft Defender for Endpoint | Microsoft Learn </a></li> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-defender-for-endpoint">Enable the Defender for Endpoint integration - Microsoft Defender for Cloud | Microsoft Learn</a></li> </ul> <p><strong>Note</strong>: False positives may be triggered by legitimate operations due to detection logic. Customers should investigate any alert for this detection to validate the root cause.</p> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"/>Virtualization Based Security</a> (VBS) including a subset of Azure Virtual Machine SKUS; enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS.</p> <p>Microsoft is developing a security update to mitigate this threat, but it is not yet available. Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the <strong>Recommended Actions</strong> section of this CVE.</p> <p>This CVE will be updated when the mitigation is available in a Windows security update. We highly encourage customers to <a href=https://feedly.com/cve/"https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1%22>subscribe to Security Update Guide notifications to receive an alert when this update occurs.</p> <h2 id="details">Details:</h2> <p>A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows 10, Windows 11, Windows Server 2016, and higher based systems including Azure Virtual Machines (VM) that support VBS. For more information on Windows versions and VM SKUs supporting VBS, reference: Virtualization-based Security (VBS) | Microsoft Learn.</p> <p>The vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions. Successful exploitation provides an attacker with the ability to reintroduce previously mitigated vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS.</p> <p>Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions. This CVE will be updated with new information and links to the security updates once available. We highly encourage customers subscribe to Security Update Guide notifications to be alerted of updates. For more information see <a href=https://feedly.com/cve/"https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1%22>Microsoft Technical Security Notifications</a> and <a href=https://feedly.com/cve/"https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notification-system-news-create-your-profile-now/">Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center</a></p> <p>Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024. The presentation was appropriately coordinated with Microsoft but may change the threat landscape. Customers concerned with these risks should reference the guidance provided in the <strong>Recommended Actions</strong> section to protect their systems.</p> <h2 id="recommended-actions">Recommended Actions:</h2> <p>The following recommendations do not mitigate the vulnerability but can be used to reduce the risk of exploitation until the security update is available.</p> <p>Configure “Audit Object Access” settings to monitor attempts to access files, such as handle creation, read / write operations, or modifications to security descriptors.</p> <ul> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system">Audit File System - Windows 10 | Microsoft Learn </a></li> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder">Apply a basic audit policy on a file or folder - Windows 10 | Microsoft Learn</a></li> </ul> <p>Auditing sensitive privileges used to identify access, modification, or replacement of VBS and Backup related files could help indicate attempts to exploit this vulnerability.</p> <ul> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use">Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn</a></li> </ul> <p>Protect your cloud users on your tenant: Investigate the user risk by going to Azure Active Directory to review Identity Protection’s Risk Reports and rotate credentials for any flagged administrators. In addition, enable Multi-Factor Authentication to alleviate concerns about exposure.</p> <h2 id="detections">Detections:</h2> <p>A detection has been added to Microsoft Defender for Endpoint (MDE) to alert customers using this product of an exploit attempt. Instructions for how Azure customers can integrate and enable MDE with Defender for Cloud are found here:</p> <ul> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/defender-endpoint/azure-server-integration">Integration with Microsoft Defender for Cloud - Microsoft Defender for Endpoint | Microsoft Learn </a></li> <li><a href=https://feedly.com/cve/"https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-defender-for-endpoint">Enable the Defender for Endpoint integration - Microsoft Defender for Cloud | Microsoft Learn</a></li> </ul> <p><strong>Note</strong>: False positives may be triggered by legitimate operations due to detection logic. Customers should investigate any alert for this detection to validate the root cause.</p> CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"/>
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-21302

Improper Access Control (CWE-284)

Published: Aug 7, 2024

010
CVSS 6.7EPSS 0.04%Medium
CVE info copied to clipboard

Summary

An elevation of privilege vulnerability exists in Windows-based systems supporting Virtualization Based Security (VBS), including a subset of Azure Virtual Machine SKUs. This vulnerability allows an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. The affected systems include Windows 10, Windows 11, Windows Server 2016, and higher versions, as well as certain Azure Virtual Machines that support VBS.

Impact

By exploiting this vulnerability, an attacker could: 1. Reintroduce previously mitigated vulnerabilities 2. Circumvent some features of Virtualization Based Security (VBS) 3. Exfiltrate data protected by VBS This could potentially lead to significant security compromises, especially in environments relying on VBS for enhanced protection.

Exploitation

There is no evidence that a public proof-of-concept exists. Its exploitation has been reported by various sources, including helpnetsecurity.com.

Patch

A patch is currently not available. Microsoft is developing a security update to mitigate this threat, but it has not yet been released. The update, when available, will revoke outdated, unpatched VBS system files to mitigate the vulnerability. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.

Mitigation

While not fully mitigating the vulnerability, the following actions can reduce the risk of exploitation until a security update is available: 1. Configure "Audit Object Access" settings to monitor attempts to access files, such as handle creation, read/write operations, or modifications to security descriptors. 2. Implement auditing for sensitive privileges to identify access, modification, or replacement of VBS and Backup related files. 3. For cloud users, investigate user risk through Azure Active Directory's Identity Protection Risk Reports and rotate credentials for any flagged administrators. 4. Enable Multi-Factor Authentication to alleviate concerns about exposure. 5. For customers using Microsoft Defender for Endpoint (MDE), a detection has been added to alert of exploit attempts. Azure customers can integrate and enable MDE with Defender for Cloud for enhanced protection.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Timeline

CVSS

A CVSS base score of 6.7 has been assigned.

Aug 7, 2024 at 6:45 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-21302. See article

Aug 7, 2024 at 6:47 PM / The Register
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 7, 2024 at 6:47 PM
Threat Intelligence Report

The vulnerability CVE-2024-21302, reported by SafeBreach to Microsoft in February 2024, has a criticality level of [insert CVSS score if available]. If exploited in the wild, it could potentially be used by threat actors to compromise systems. Microsoft has issued a patch for this vulnerability, but downstream impacts to other third-party vendors or technologies are currently unknown. See article

Aug 7, 2024 at 8:24 PM
CVE Assignment

NVD published the first details for CVE-2024-21302

Aug 8, 2024 at 2:15 AM
Exploitation in the Wild

Attacks in the wild have been reported by Help Net Security. See article

Aug 8, 2024 at 9:54 AM / Help Net Security
Trending

This CVE started to trend in security discussions

Aug 8, 2024 at 4:40 PM
Trending

This CVE stopped trending in security discussions

Aug 10, 2024 at 7:37 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92175)

Sep 27, 2024 at 7:53 AM
Static CVE Timeline Graph

Affected Systems

Microsoft/windows_10_1507
+null more

Patches

Microsoft
+null more

Links to Mitre Att&cks

T1546.004:
+null more

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts
+null more

References

Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates - Microsoft Support
Microsoft Support - Windows 11 / 7d
After the UEFI lock mitigations have been applied to a device, external boot media must be updated with the latest Windows updates installed on the device and with the Microsoft-signed revocation policy (SkuSiPolicy.p7b). In the "Available mitigations" section, support for the SKUSIPolicy.p7b and VbsSI_Audit.p7b policies for Windows 10, version 1507, Windows 10 Enterprise 2016, and Windows Server 2016 was added as part of the Windows updates released on and after October 8, 2024.
ADV24216903 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability Chain Mitigation Guidance
Microsoft Security Response Center / 22d
Microsoft recently published CVE-2024-21302 and CVE-2024-38202, providing customers with the necessary guidance to safeguard vulnerable Windows systems and to reduce the risk of these vulnerabilities being exploited. We are publishing this MSRC advisory to explain the risks posed by chaining these vulnerabilities and raise awareness of the mitigation guidance available to customers due to the potential for the threat landscape to change.
Microsoft August 2024 Security Updates
NCSC-FI vulnerabilities summary 2024-08-13 / 3mo
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
See 27 more references

News

Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates - Microsoft Support
Microsoft Support - Windows 11 / 7d
After the UEFI lock mitigations have been applied to a device, external boot media must be updated with the latest Windows updates installed on the device and with the Microsoft-signed revocation policy (SkuSiPolicy.p7b). In the "Available mitigations" section, support for the SKUSIPolicy.p7b and VbsSI_Audit.p7b policies for Windows 10, version 1507, Windows 10 Enterprise 2016, and Windows Server 2016 was added as part of the Windows updates released on and after October 8, 2024.
Downgrade attacks open patched systems to malware
Security Boulevard / 13d
In that work, Leviev demonstrated the use of a custom tool, Windows Downdate, that enabled him to downgrade critical Windows components such as dynamic link libraries (DLLs), drivers, and the NT kernel, swapping in older versions of key components with known, exploitable vulnerabilities, without being detected. In a blog post, Leviev, who now works for Microsoft, explained that his latest bypass could allow a malicious actor to load unsigned kernel drivers on a fully patched Windows system.
Downgrade attacks open patched systems to malware
ReversingLabs Blog / 13d
In that work, Leviev demonstrated the use of a custom tool, Windows Downdate, that enabled him to downgrade critical Windows components such as dynamic link libraries (DLLs), drivers, and the NT kernel, swapping in older versions of key components with known, exploitable vulnerabilities, without being detected. In a blog post, Leviev, who now works for Microsoft, explained that his latest bypass could allow a malicious actor to load unsigned kernel drivers on a fully patched Windows system.
Downgrade attacks open fully patched Windows systems to malware
Malware Analysis, News and Indicators - Latest topics / 13d
In a blog post, Leviev, who now works for Microsoft, explained that his latest bypass could allow a malicious actor to load unsigned kernel drivers on a fully patched Windows system. In that work, Leviev demonstrated the use of a custom tool, Windows Downdate, that enabled him to downgrade critical Windows components such as dynamic link libraries (DLLs), drivers, and the NT kernel, swapping in older versions of key components with known, exploitable vulnerabilities, without being detected.
Cybersecurity Threat Advisory: New Microsoft Windows vulnerabilities
Smarter MSP / 15d
Read this Cybersecurity Threat Advisory to learn more about how these vulnerabilities can be leveraged to exploit Microsoft Windows and how to protect your systems. In addition, these vulnerabilities can affect fully patched Windows systems, making it a major concern for both enterprises and individual users.
See 304 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 6.7(29816)CWE-284(2759)Microsoft(12100)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial