CVE-2024-38061

Improper Access Control (CWE-284)

Published: Jul 9, 2024

CVSS 7.5 | EPSS 0.05% | High

Summary

A DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability has been identified in various versions of Microsoft Windows. This vulnerability is associated with improper access control (CWE-284) and allows an attacker with low privileges to potentially elevate their privileges on the affected system. The vulnerability affects multiple versions of Windows, including Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2), Windows 11 (versions 21H2, 22H2, 23H2), Windows Server 2008, 2012, 2016, 2019, 2022, and Windows Server 2022 23H2.

Impact

If exploited, this vulnerability could allow an attacker to gain higher privileges on the affected system. The potential impacts are severe, as indicated by the CVSS v3.1 score of 7.5 (High):

1. Confidentiality Impact: High. There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
2. Integrity Impact: High. There is a total loss of integrity or a complete loss of protection, resulting in the attacker being able to modify any or all files protected by the impacted component.
3. Availability Impact: High. There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component.

The attack vector is Network-based, requiring no user interaction, which increases the potential for remote exploitation. However, the attack complexity is rated as High, which may limit the ease of exploitation. There is currently no evidence of a public proof-of-concept or of active exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available for this vulnerability. Microsoft released updates to address this issue on July 9, 2024. Security teams should prioritize applying these patches to affected systems.

Mitigation

1. Apply the security updates provided by Microsoft as soon as possible, prioritizing based on the criticality of affected systems.
2. Implement the principle of least privilege across your network to minimize the potential impact of privilege escalation vulnerabilities.
3. Monitor for unusual DCOM activity or unexpected privilege escalations in your Windows environments.
4. Ensure that only necessary ports and services are exposed, especially those related to DCOM.
5. Implement network segmentation to limit the potential spread if an attacker successfully exploits this vulnerability.
6. Keep all Windows systems and software up to date with the latest security patches.
7. Use endpoint detection and response (EDR) tools to monitor for and detect potential exploitation attempts.
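As an added illustration of steps 3 and 4 (not part of this advisory, and not code from any tool it mentions), the following PowerShell audit decodes each DCOM AppID's LaunchPermission security descriptor from the registry and reports AppIDs that grant launch or activation rights to broad, low-privilege groups such as Everyone or Authenticated Users. It assumes the documented COM_RIGHTS_* access-mask values and is meant to be run elevated on a Windows host; the function name is the example's own.

```powershell
# Added audit example, not from the advisory. Run in an elevated PowerShell session.
# Access-mask bits used in DCOM LaunchPermission descriptors (documented COM_RIGHTS_* values).
$ComRights = @{ Execute = 1; ExecuteLocal = 2; ExecuteRemote = 4; ActivateLocal = 8; ActivateRemote = 16 }
$ScopedBits = 2 -bor 4 -bor 8 -bor 16   # any explicit local/remote launch or activation bit
# Broad principals that should rarely hold remote launch/activation rights on an AppID.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'Users'
}

function Get-DcomBroadLaunchGrants {
    # Walks HKCR\AppID\{GUID} and decodes each binary LaunchPermission value.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $bytes = $_.GetValue('LaunchPermission')
        if (-not $bytes) { return }   # no per-AppID ACL: machine-wide default applies instead
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
        if (-not $sd.DiscretionaryAcl) { return }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            $sid = $ace.SecurityIdentifier.Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            $mask   = $ace.AccessMask
            $remote = [bool](($mask -band $ComRights.ActivateRemote) -or ($mask -band $ComRights.ExecuteRemote))
            $local  = [bool](($mask -band $ComRights.ActivateLocal)  -or ($mask -band $ComRights.ExecuteLocal))
            # Per the documented COM_RIGHTS_EXECUTE semantics, an ACE carrying only bit 1
            # (no local/remote bits) grants all local and remote launch and activation.
            if (($mask -band $ComRights.Execute) -and -not ($mask -band $ScopedBits)) { $remote = $true; $local = $true }
            [pscustomobject]@{
                AppId     = $_.PSChildName
                Name      = $_.GetValue('')        # default value holds the friendly name, if set
                Principal = $BroadSids[$sid]
                Remote    = $remote
                Local     = $local
                Mask      = ('0x{0:X}' -f $mask)
            }
        }
      }
}

# Remote launch/activation granted to broad groups is the first thing to review when
# reducing DCOM exposure; tighten those ACLs in dcomcnfg or via Group Policy.
Get-DcomBroadLaunchGrants | Where-Object Remote | Sort-Object AppId | Format-Table -AutoSize
```

Drop the Where-Object filter to also see local-only grants, which matter for local privilege escalation review.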

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Threat Intelligence Report

CVE-2024-38061 is a critical DCOM permissions bug that was fixed by Microsoft in July 2024 Patch Tuesday. The vulnerability was deemed of IMPORTANT severity and could potentially be exploited in the wild. While there are no proof-of-concept exploits currently available, users are advised to apply the patch to mitigate any potential risks.

Apr 24, 2024 at 3:27 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92149)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38061

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38061.

Jul 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:25 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 19.6%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE started to trend in security discussions

Jul 12, 2024 at 9:32 AM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 10:08 AM

Affected Systems

Microsoft/windows_server_2022_23h2

Patches

Microsoft

Links to Mitre Att&cks

T1546.004:

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts

References

DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability
What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain domain administrator privileges.

News

Hack: A set of programs for analyzing common vulnerabilities in COM.
PermissionHunter - hunt for incorrect LaunchPermission and ActivatePermission. CICADA8 Research Team, from Michael Zhmaylo (MzHmO). PermissionHunter.exe: small tool that allows you to find vulnerable COM objects with incorrect LaunchPermission and ActivatePermission. [OPTIONS] -outfile : output filename; -outformat : output format. Incorrect access control to a COM object (LaunchPermission, AccessPermission) - LPE through abusable COM methods, DCOM Authentication relaying.
COMThanasia: analyzing common vulnerabilities in COM
Incorrect access control to a COM object (LaunchPermission, AccessPermission) – LPE through abusable COM methods, DCOM Authentication relaying. If you find a COM object that you can access on behalf of a low-privileged user, for example, you can abuse it as follows:
Three-Headed Potato Dog
He discovered DCOM interfaces on AD CS servers which allow him to receive authenticated connections that can be relayed: In his blogpost, he explained that it’s not only possible to coerce NTLM connections, but also Kerberos authenticated connections, because the SPN can be controlled by the attacker.
Three-Headed Potato Dog
He discovered DCOM interfaces on AD CS servers which allow him to receive authenticated connections that can be relayed: In February, Andrea Pierini posted a technique resembling his previous potato exploits but triggering the authentication from a remote server instead of the local machine.

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
