CVE-2024-29995

Observable Timing Discrepancy (CWE-208)

Published: Aug 13, 2024

010
CVSS 8.1EPSS 0.16%High
CVE info copied to clipboard

Summary

Windows Kerberos Elevation of Privilege Vulnerability. This is a high-severity vulnerability with a CVSS base score of 8.1. It affects the Windows Kerberos system and can be exploited remotely over the network without requiring user interaction or privileges. The attack complexity is high.

Impact

If successfully exploited, this vulnerability could lead to a significant breach of security. The attacker could potentially gain elevated privileges, allowing them to execute arbitrary code, access sensitive information, or perform unauthorized actions on the affected system. The impact on confidentiality, integrity, and availability is rated as HIGH, indicating that the vulnerability could result in a severe compromise of the system's security.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability. The patch was added on August 13, 2024.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible. 2. Prioritize this update high in your patching schedule due to its severity (CVSS score 8.1) and potential impact. 3. Monitor your Windows systems for any suspicious activities related to Kerberos authentication. 4. Implement network segmentation to limit the potential spread if a system is compromised. 5. Ensure that all systems are kept up-to-date with the latest security patches, not just for this vulnerability but as a general practice. 6. Consider implementing additional access controls and monitoring for privileged accounts. 7. Review and restrict network access to Kerberos-related services where possible.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92160)

Aug 13, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.1 has been assigned.

Aug 13, 2024 at 5:35 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-29995. See article

Aug 13, 2024 at 5:37 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 13, 2024 at 5:38 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 13, 2024 at 5:47 PM
CVE Assignment

NVD published the first details for CVE-2024-29995

Aug 13, 2024 at 6:15 PM
Threat Intelligence Report

CVE-2024-29995 is a critical vulnerability in OpenSSL at the TLS level, allowing for a Timing Oracle in RSA Decryption. This vulnerability has the potential to be exploited in the wild, posing a significant risk to systems using OpenSSL. Mitigations and patches are available, but downstream impacts to third-party vendors using OpenSSL may still exist. See article

Aug 19, 2024 at 6:28 PM
EPSS

EPSS Score was set to: 0.16% (Percentile: 53.1%)

Nov 19, 2024 at 3:50 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/windows_10_1607
+null more

Patches

Microsoft
+null more

Attack Patterns

CAPEC-462: Cross-Domain Search Timing
+null more

References

Microsoft August 2024 Security Updates
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
Windows Kerberos Elevation of Privilege Vulnerability
What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
The Marvin Attack
While cryptographic protocols and formats allow, and have defaulted to use of the PKCS#1 v1.5 padding, they either don't need it any more for interoperability (like TLS), or have been updated to support RSA-OAEP (S/MIME, JWT, etc.). Given that there are attacks that exploit high order bits being zero in other algorithms, like Minerva against ECDSA and Raccoon attack against FFDH (attack against ECDH works fundamentally the same way, it just requires higher precision of the timing side-channel), any cryptographic implementation that depends on general purpose integer arithmetic library will be similarly vulnerable.
See 1 more references

News

The Marvin Attack
While cryptographic protocols and formats allow, and have defaulted to use of the PKCS#1 v1.5 padding, they either don't need it any more for interoperability (like TLS), or have been updated to support RSA-OAEP (S/MIME, JWT, etc.). Given that there are attacks that exploit high order bits being zero in other algorithms, like Minerva against ECDSA and Raccoon attack against FFDH (attack against ECDH works fundamentally the same way, it just requires higher precision of the timing side-channel), any cryptographic implementation that depends on general purpose integer arithmetic library will be similarly vulnerable.
CNNVD | 关于微软多个安全漏洞的通报
近日,微软官方发布了多个安全漏洞的公告,其中微软产品本身漏洞84个,影响到微软产品的其他厂商漏洞5个。
Microsoft’s August Security Update on High-Risk Vulnerabilities in Multiple Products - Security Boulevard
On August 14, NSFOCUS CERT detected that Microsoft released a security update patch for August, which fixed 90 security issues involving widely used products such as Windows, Microsoft Office, Visual Studio and Azure, including high-risk vulnerabilities such as privilege escalation and remote code execution. Due to an error in the Windows Power Dependency Coordinator after release, local attackers authenticated by ordinary users can exploit this vulnerability by running special programs to obtain SYSTEM permissions of the target system.
CNNVD关于微软多个安全漏洞的通报
近日,微软官方发布了多个安全漏洞的公告,其中微软产品本身漏洞84个,影响到微软产品的其他厂商漏洞5个。
August Patch Tuesday goes big – Sophos News
(It should be noted that one issue patched in June, CVE-2024-38213, is under active attack in the wild – a good argument for applying patches as soon as possible after release.) Microsoft also took pains this month to flag three other CVEs for which fixes have already gone out, but that are included in Patch Tuesday information for transparency’s sake; we list those in Appendix D as well. However, with over two dozen advisories, a number of “informational” notices concerning material released in June and July, two high-profile issues for which the fixes are still a work in progress, and over 85 Linux-related CVEs covered in the release, administrators may find their patch prioritization especially complex this month.
See 28 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI