Uncontrolled Resource Consumption (CWE-400)
A vulnerability in the Windows Online Certificate Status Protocol (OCSP) Server could allow an attacker to cause a Denial of Service condition. This vulnerability affects various versions of Windows Server, including 2008, 2012, 2016, 2019, 2022, and 2022 23H2. The vulnerability has a CVSS v3.1 base score of 7.5, which is considered "High" severity. The attack vector is network-based, requires low attack complexity, and does not need user interaction or privileges to exploit.
If successfully exploited, this vulnerability could lead to a high impact on the availability of the affected systems. An attacker could potentially disrupt the OCSP server's functionality, causing it to become unresponsive or crash. This could significantly impact certificate validation processes, potentially affecting secure communications and authentication mechanisms that rely on OCSP for real-time certificate status checking. However, there is no impact on the confidentiality or integrity of the system, as indicated by the CVSS metrics.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.
A patch is available for this vulnerability. Microsoft has released updates to address the issue. The patch was added on July 9, 2024, and is available through the Microsoft Update Guide. The patch version numbers are: Windows Server 2022, 10.0.20348.2582; Windows Server 2016, 10.0.14393.7159; Windows Server 2019, 10.0.17763.6054; and Windows Server 2022 23H2, 10.0.25398.1009.
To mitigate this vulnerability, it is strongly recommended to apply the security updates provided by Microsoft as soon as possible. Prioritize patching for Windows Server systems, especially those running OCSP services or exposed to untrusted networks. Additionally, consider implementing network segmentation and access controls to limit exposure of OCSP servers to potential attackers. Monitor OCSP server performance and set up alerts for unusual resource consumption or service disruptions. As a temporary measure, if immediate patching is not possible, consider implementing rate limiting or other traffic management techniques to protect OCSP servers from potential denial of service attacks.
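As an added example that is not part of this advisory, the following PowerShell check compares a host's build and update revision against the patched build numbers listed above and reports whether the Online Responder (OCSP) service is present; the service name OcspSvc is an assumption about the Online Responder role, not a value taken from the page.

```powershell
# Added example (not from the advisory): report whether this Windows Server host
# runs the Online Responder (OCSP) service and whether its build already carries
# the July 9, 2024 update for CVE-2024-38067. Build numbers come from the advisory
# text above; the service name 'OcspSvc' is an assumption about the Online
# Responder role, not a value taken from the page.

# Minimum patched UBR (last dotted component) per CurrentBuild, from the advisory.
$PatchedBuilds = @{
    '20348' = 2582   # Windows Server 2022
    '14393' = 7159   # Windows Server 2016
    '17763' = 6054   # Windows Server 2019
    '25398' = 1009   # Windows Server 2022 23H2
}

function Get-Cve202438067Status {
    [CmdletBinding()]
    param()

    $ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR

    # Is the Online Responder role present on this host? (service name assumed)
    $svc = Get-Service -Name 'OcspSvc' -ErrorAction SilentlyContinue
    $ocspInstalled = $null -ne $svc

    if ($PatchedBuilds.ContainsKey($build)) {
        $patched = $ubr -ge $PatchedBuilds[$build]
        $state = if ($patched) { 'Patched' } else { 'Vulnerable' }
    } else {
        # Server 2008/2012 builds are not listed with a fixed revision in the
        # advisory; consult the Microsoft Update Guide for those.
        $state = 'Unknown (build not in advisory table)'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Build         = "10.0.$build.$ubr"
        OcspInstalled = $ocspInstalled
        OcspService   = if ($svc) { $svc.Status } else { 'n/a' }
        CveStatus     = $state
        ActionNeeded  = $ocspInstalled -and ($state -ne 'Patched')
    }
}

Get-Cve202438067Status | Format-List
```

Run it across an OCSP server fleet (for example via Invoke-Command) and prioritise hosts where ActionNeeded is True.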
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Detection for the vulnerability has been added to Qualys (92149)
A CVSS base score of 7.5 has been assigned.
NVD published the first details for CVE-2024-38067
Feedly found the first article mentioning CVE-2024-38067.
Feedly estimated the CVSS score as MEDIUM
EPSS Score was set to: 0.05% (Percentile: 17.2%)
This CVE started to trend in security discussions
This CVE stopped trending in security discussions