CVE-2024-38059

Use After Free (CWE-416)

Published: Jul 9, 2024

010
CVSS 7.8EPSS 0.04%High
CVE info copied to clipboard

Summary

Win32k Elevation of Privilege Vulnerability. This is a local vulnerability with a low attack complexity that requires low privileges and no user interaction. It has high impacts on confidentiality, integrity, and availability. The vulnerability is classified as a Use After Free (CWE-416) issue. It affects multiple versions of Windows, including Windows Server 2022 (23H2 and standard), Windows 11 (23H2, 22H2, and 21H2), and Windows 10 (22H2 and 21H2).

Impact

This vulnerability allows an attacker with low privileges to elevate their privileges on a local system. The high impact on confidentiality, integrity, and availability suggests that an attacker could potentially gain significant control over the affected system, access sensitive information, modify critical data, and disrupt system operations. Affected versions include: - Windows Server 2022 (up to version 10.0.20348.2582) - Windows Server 2022 23H2 (up to version 10.0.25398.1009) - Windows 11 23H2 (up to version 10.0.22631.3880) - Windows 11 22H2 (up to version 10.0.22621.3880) - Windows 11 21H2 (up to version 10.0.22000.3079) - Windows 10 22H2 (up to version 10.0.19045.4651) - Windows 10 21H2 (up to version 10.0.19044.4651)

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft released an official fix for this vulnerability on July 9, 2024. The security team should prioritize applying this patch to all affected systems, updating to the following versions or later: - Windows Server 2022: 10.0.20348.2582 - Windows Server 2022 23H2: 10.0.25398.1009 - Windows 11 23H2: 10.0.22631.3880 - Windows 11 22H2: 10.0.22621.3880 - Windows 11 21H2: 10.0.22000.3079 - Windows 10 22H2: 10.0.19045.4651 - Windows 10 21H2: 10.0.19044.4651

Mitigation

1. Apply the official patch released by Microsoft as soon as possible to all affected Windows versions. 2. Prioritize patching based on the criticality of the systems and their exposure to potential attackers. Systems with local access by less trusted users should be prioritized. 3. Limit user privileges on systems to minimize the potential impact of successful exploitation. 4. Implement the principle of least privilege across your network. 5. Monitor for suspicious activities that might indicate attempts to exploit this vulnerability, particularly any unexpected privilege escalations. 6. Ensure that only trusted users have local access to sensitive systems. 7. If immediate patching is not possible, consider additional access controls or monitoring for affected systems.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92149)

Jul 9, 2024 at 7:53 AM
CVE Assignment

NVD published the first details for CVE-2024-38059

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38059. See article

Jul 9, 2024 at 5:17 PM / FortiGuard Labs | Internet of Things Intrusion Prevention Service Updates
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jul 9, 2024 at 6:53 PM
Threat Intelligence Report

CVE-2024-38059 is a critical EoP vulnerability in Windows Win32k with a CVSSv3 score of 7.8. It is rated as "Exploitation More Likely" by Microsoft, indicating a higher risk of exploitation in the wild. Mitigations, detections, and patches are available from Microsoft to address this vulnerability and prevent potential downstream impacts to other third-party vendors or technologies. See article

Jul 9, 2024 at 7:06 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.2%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE started to trend in security discussions

Jul 12, 2024 at 9:32 AM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 10:08 AM
Static CVE Timeline Graph

Affected Systems

Microsoft/windows_11_22h2
+null more

Patches

Microsoft
+null more

References

Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
Microsoft addresses 138 CVEs in its July 2024 Patch Tuesday release, with five critical vulnerabilities and three zero-day vulnerabilities, two of which were exploited in the wild. Microsoft released 138 CVEs in July 2024 Patch Tuesday release, with five rated critical, 132 rated important and one rated moderate.

News

Microsoft Security Bulletin Coverage For August 2024
The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of 2024 and has produced coverage for ten of the reported vulnerabilities Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the patch Tuesday release for each month.
28.829
Newly Added (12) Cassia.IoT.Gateways.bypass.config.queueUrl.Command.Injection Linksys.E5600.API.info.Command.Injection Tenda.AC500.SetTimeZone.Stack.Overflow Tenda.AC500.setVlanInfo.Stack.Overflow Tenda.AC500.forSetVlanInfo.Stack.Overflow Raisecom.Multiple.ISCOM.Devices.WebMGR.Command.Injection D-Link.DIR-619.formTcpipSetup.Stack.Overflow Realtek.rtl819x.Jungle.SDK.boa.formWlEncrypt.Buffer.Overflow Realtek.rtl819x.Jungle.SDK.boa.formDnsv6.Buffer.Overflow Malicious.VBA.Downloader Realtek.rtl819x.Jungle.SDK.boa.formRoute.Buffer.Overflow Realtek.rtl819x.Jungle.SDK.boa.formFilter.Buffer.Overflow Modified (65) Adobe.Flash.Player.ByteArray.Workers.Threading.Double.Free WordPress.Core.Avatar.Block.Stored.XSS MS.Office.OpenXML.ActiveX.Directory.CFB.Information.Disclosure Adobe.Flash.Bytecode.Li8.Exception.Memory.Corruption Oracle.Java.Applet.ByteCode.Verifier.Remote.Code.Execution SAP.Solution.Manager.SMDAgent.Remote.Code.Execution MS.Office.EPS.File.Handling.Use.After.Free Antivirus.Software.Magic.Byte.Detection.Evasion.Security.Bypass Symantec.Antivirus.RAR.Decompression.Heap.Overflow HAURI.Antivirus.ACE.Archive.Handling.Buffer.Overflow Symantec.Norton.Antivirus.ActiveX.DoS Sophos.Antivirus.CAB.File.Invalid.Folder.Count.Heap.Overflow Sophos.Antivirus.Reserved.Device.Name.Handling.Security.Bypass Sophos.Antivirus.Library.Visio.Scanning.Heap.Overflow Sophos.Antivirus.Zip.File.Handling.DoS Symantec.Norton.Antivirus.Stack.Exhaustion.DoS Albasoftware.Phpauction.phpAds_path.Remote.File.Inclusion Sophos.Antivirus.CHM.File.Heap.Overflow Multiple.Vendors.PDF.Catalog.Handling.Memory.Corruption Norton.Antivirus.Decompression.Bomb.DoS CA.eTrust.Antivirus.Inoweb.Buffer.Overflow Symantec.Antivirus.Engine.RAR.File.Parsing.DoS Symantec.Antivirus.Engine.CAB.Parsing.Heap.Overflow Philex.header.inc.PHP.Remote.File.Inclusion Novell.NetMail.Antivirus.Agent.Buffer.Overflow Persits.XUpload.ActiveX.Buffer.Overflow Comodo.Antivirus.ActiveX.ExecuteStr.Remote.Code.Execution Multiple.Vendors.PDF.Data.Stream.Memory.Corruption Multiple.Vendors.PDF.JBIG2.Symbol.Dictionary.Buffer.Overflow Multiple.Vendors.PDF.Launch.Action.Remote.Code.Execution PC.SOFT.WINDEV.WDP.File.Parsing.Overflow Clam.Antivirus.PE.Rebuilding.Heap.Buffer.Overflow Tracker.Software.PDF-XChange.Pdfxctrl.DLL.Buffer.Overflow PHP.Register.Variable.Ex.Function.Code.Execution Multiple.Vendor.Antivirus.Extended.ASCII.Security.Bypass Photodex.ProShow.Producer.Load.File.Buffer.Overflow Multiple.Antivirus.Products.File.Evasion.Security.Bypass Sophos.Antivirus.PDF.Handling.Stack.Buffer.Overflow Sophos.Antivirus.CAB.File.typeCompress.Parsing.Buffer.Overflow Sophos.Antivirus.RAR.VMSF.DELTA.Filter.Memory.Corruption Persistent.Systems.Radia.Client.Automation.Command.Injection Netgate.pfSense.WebGUI.Zone.Parameter.XSS Netgate.pfSense.XMLRPC.Code.Injection Multiple.Vendors.Telnet.Default.Credentials.Security.Bypass Multiple.Vendors.udpServerSys.Service.Command.Injection Phoenix.Contact.TC.Router.Cloud.Client.Command.Injection PHP.User.Agent.Backdoor.Command.Injection TerraMaster.TOS.api.php.Information.Disclosure perfSONAR.graphData.Component.SSRF Multiple.Vendors.Command1.Field.Remote.Code.Execution PowerJob.job.save.processorInfo.Command.Injection Crestron.Devices.PARSERtoCHAR.Stack.Overflow SolarWinds.Platform.Orion.Login.Race.Condition TBK.DVR.SOSTREAMAX.Command.Injection Tinyproxy.HTTP.Connection.Headers.Use.After.Free Eveo.URVE.Web.Manager.upload.php.Arbitrary.File.Upload MS.Windows.Ms-Chx-Full.DoS Atlassian.Confluence.CVE-2024-21683.Remote.Code.Execution MS.Windows.Hyper-V.CVE-2024-38080.Privilege.Elevation MS.Windows.Kernel.CVE-2024-38052.Privilege.Elevation MS.Windows.Win32.Kernel.CVE-2024-38085.Privilege.Elevation MS.Windows.Kernel.CVE-2024-38054.Privilege.Elevation MS.Windows.Win32k.CVE-2024-38059.Privilege.Elevation Uniview.ISC.2500-S.VM.php.setNatConfig.Command.Injection Fortra.FileCatalyst.Workflow.pdf_servlet.SQL.Injection Removed (1) PDF.Document.Catalog.Handling.Remote.Memory.Corruption
Patch Tuesday July 2024: Two Active Exploitations and Exchange Data Breach Notifications
The two Actively Exploited zero-days— CVE-2024-38080 Windows Hyper-V Elevation of Privilege Vulnerability and CVE-2024-38112 Windows MSHTML Platform Spoofing Vulnerability—should be trivial to deal with as they can both be addressed by applying either CUs or Security Updates for affected systems. The other two zero-days that are not currently under exploitation are CVE-2024-35264 .NET and Visual Studio Remote Code Execution and CVE-2024-37985 which affects Windows 11 ARM based systems.
Microsoft’s Security Update in July of High-Risk Vulnerabilities in Multiple Products
On July 10, NSFOCUS CERT detected that Microsoft released a security update patch for July, which fixed 139 security issues involving Windows, Microsoft SQL Server, Microsoft Office, Azure and other widely used products, including high-risk vulnerabilities such as privilege escalation and remote code execution. Due to the heap-based buffer overflow in the Windows remote desktop authorization service, unauthenticated attackers can send special packets to the server set as the remote desktop authorization server, triggering the buffer overflow and executing arbitrary codes on the target system.
cveNotify : 🚨 CVE-2024-38059Win32k Elevation of Privilege Vulnerability🎖@cveNotify
cveNotify : 🚨 CVE-2024-38059Win32k Elevation of Privilege Vulnerability🎖@cveNotify
See 29 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI