https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26158 <br/></td> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"/>https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26158 <br/></td> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"/>

Exploit
CVE-2024-26158

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Apr 9, 2024

010
CVSS 7.8EPSS 0.07%High
CVE info copied to clipboard

Summary

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. The specific flaw exists within the Windows Installer service. By creating a symbolic link, an attacker can abuse the service to write arbitrary registry values. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Impact

An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. This could lead to complete compromise of the affected system, allowing the attacker to gain full control over the machine, potentially impacting the confidentiality, integrity, and availability of data and resources. The vulnerability has a CVSS v3.1 base score of 7.8, indicating a high severity. The impact on confidentiality, integrity, and availability is rated as HIGH.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.

Patch

Microsoft has issued an update to correct this vulnerability. The patch is available, and details can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26158.

Mitigation

1. Apply the security update provided by Microsoft as soon as possible. 2. Implement the principle of least privilege to limit the potential impact of such vulnerabilities. 3. Monitor and restrict local access to systems, especially for non-administrative users. 4. Implement robust access controls and user authentication mechanisms. 5. Regularly audit and monitor system activities, particularly those involving the Windows Installer service and registry modifications.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92128)

Apr 9, 2024 at 12:00 AM
First Article

Feedly found the first article mentioning CVE-2024-26158. See article

Apr 9, 2024 at 5:06 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Apr 9, 2024 at 5:07 PM
CVE Assignment

NVD published the first details for CVE-2024-26158

Apr 9, 2024 at 5:15 PM
EPSS

EPSS Score was set to: 0% (Percentile: 8%)

Apr 10, 2024 at 12:39 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.9%)

Apr 10, 2024 at 6:54 PM
Static CVE Timeline Graph

Affected Systems

Microsoft
+null more

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-363/
+null more

Patches

Microsoft
+null more

Links to Mitre Att&cks

T1547.009: Shortcut Modification
+null more

Attack Patterns

CAPEC-132: Symlink Attack
+null more

Vendor Advisory

ZDI-24-363: Microsoft Windows Installer Service Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

News

Patch Tuesday April 2024: Lots of Fixes for Secure Boot and Remote Code Execution Vulnerabilities
System Admins and supporting teams will have a lot on their plates this month with the potential need to schedule in multiple reboots and additional mitigations to deal with Secure Boot vulnerabilities, and to contend with planning for impending end of support dates as well as changes in extended support for a range of Microsoft software and services. April’s Patch Tuesday brings fixes for 147 vulnerabilities with a handful of additional updates over the next few days to bring the total to 156 vulnerabilities being addressed this month as of writing.
27.770
Newly Added (43) D-Link.DIR-809.FormStaticDHCP.Hostname.Stack.Overflow D-Link.DIR-809.FromLogi.CurUid.Stack.Overflow D-Link.DIR-809.FormVirtualApp.Name.Stack.Overflow Linksys.E1200.ej_get_web_page_name.Buffer.Overflow D-Link.DIR-809.FormWlanSetup.SSID.Stack.Overflow D-Link.Router.FormLogin.FILECODE.Buffer.Overflow D-Link.DIR-605L.FormEasySetupWizard3.Stack.Overflow D-Link.Routers.HNAP.SetWan2Settings.Stack.Overflow D-Link.Routers.HNAP.SetWanSettings.Stack.Overflow D-Link.Routers.HNAP.SetQuickVPNSettings.PSK.Stack.Overflow D-Link.Routers.HNAP.SetDynamicDNSSettings.Stack.Overflow D-Link.Routers.HNAP.SetQuickVPNSettings.Password.Stack.Overflow D-Link.Routers.HNAP.SetSysEmailSettings.Stack.Overflow D-Link.Routers.HNAP.SetWLanRadioSecurity.Stack.Overflow D-Link.Routers.HNAP.SetWan3Settings.Stack.Overflow Linksys.WRT160NL.create_dir.Buffer.Overflow Nortek.Linear.eMerge.E3.CardFormatNo.XSS Barangay.Management.System.activity.php.Arbitrary.File.Upload Maipu.MP1800X.formDeviceVerGet.Information.Disclosure Doyocms.pay.php.SQL.Injection Nortek.Linear.eMerge.E3.Webuser.Privilege.Escalation Nortek.Linear.eMerge.E3.CVE-2019-7259.Information.Disclosure Doyocms.uploads.php.Arbitrary.File.Upload WordPress.wpDataTables.Plugin.get_wdtable.SQL.Injection FrogCMS.upload.php.Arbitrary.File.Upload D-Link.DIR-816.dir_setWanWifi.Command.Injection Hikvision.Intercom.Broadcasting.System.ping.Command.Injection In4Velocity.In4Suite.ERP.CheckLogin.asp.SQL.Injection Gibbon.School.Platform.import_run.Command.Injection Arcserve.Unified.Data.Protection.ASNative.dll.Validate.DoS SonLogger.SaveUploadedHotspotLogoFile.Arbitrary.File.Upload Hongdian.H8922.tools.cgi.Command.Injection Amcrest.Camera.NVR.Protocol.Field.Buffer.Overflow Apple.WebKit.IndexedDB.Handling.Use.After.Free Apple.Multiple.Products.CVE-2020-27930.Memory.Corruption Apple.WebKit.QuickTimePluginReplacement.Use.After.Free Google.Chrome.CVE-2021-37976.Information.Disclosure Google.Chrome.CVE-2021-21148.Heap.Buffer.Overflow J2eeFast.SysUserService.SQL.Injection LaCie.5big.Network.edconfd.Command.Injection ForgeRock.OpenAM.Webfinger.LDAP.Injection WordPress.WooCommerce.Blocks.collection-data.SQL.Injection HTTP2.Continuation.Frame.Flood.DoS Modified (20) MS.Windows.Kernel.CVE-2024-26218.Elevation.of.Privilege MS.Windows.RAR.File.CVE-2024-26256.Buffer.Overflow MS.Windows.DHCP.Server.Service.CVE-2024-26212.DoS WordPress.Supercache.wp-cache.Command.Injection PAN-OS.Management.Interface.ExtJS.Flash.XSS PAN-OS.Management.Interface.Upload.File.DoS MS.Windows.Libarchive.execute_filter_e8.Integer.Overflow MS.Windows.LSASS.CVE-2024-26209.Information.Disclosure Dojo.lang.setObject.Function.Remote.Code.Execution MS.Windows.Install.CVE-2024-26158.Elevation.of.Privilege Palo.Alto.Networks.Expedition.Migration.Tool.Command.Injection PAN-OS.Management.Interface.Source.Command.Injection Linux.kernel.UDP.MSG_PEEK.System.Call.Remote.Code.Execution WordPress.All.In.One.SEO.importIniData.Insecure.Deserialization GL.iNET.GL-AR300M.3.216.Command.Injection Embedthis.Appweb.authCondition.Authentication.Bypass Embedthis.Appweb.Empty.Range.Header.DoS GNU.GIMP.PSD.Image.Channel.Data.Parsing.Buffer.Overflow WordPress.Edit.Comments.Plugin.jal_edit_comments.SQL.Injection Palo.Alto.Networks.GlobalProtect.Command.Injection Removed (1) AVE.DOMINAplus.restart.php.DoS
A tumultuous, titanic Patch Tuesday as Microsoft makes some changes – Sophos News
The two issues from Lenovo are likewise related to boot processes, are characterized by Microsoft as important-severity Security Feature Bypass faults and are thought to be less likely to be exploited within the next 30 days. At patch time, three issues, all important-severity faults affecting Windows, are known to be under active exploit in the wild.
Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs
Only three critical vulnerabilities were fixed as part of the April 2024 Patch Tuesday updates, but there are over 67 remote code execution bugs. More than half of the RCE flaws are found within Microsoft SQL drivers, likely sharing a common flaw.
[3] Zero Day Initiative — The April 2024 Security Updates Review
See 35 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI