CVE-2024-38068

Uncontrolled Resource Consumption (CWE-400)

Published: Jul 9, 2024

CVSS 7.5 (High) | EPSS 0.05%

Summary

Windows Online Certificate Status Protocol (OCSP) Server is vulnerable to a Denial of Service attack. The vulnerability affects multiple versions of Windows, including Windows 10, Windows 11, and several Windows Server versions that can host the Online Responder role. It is classified as Uncontrolled Resource Consumption (CWE-400).

Impact

An unauthenticated attacker who can reach the responder over the network could exploit this vulnerability to cause a Denial of Service condition on the affected Windows OCSP Server. That disrupts certificate revocation checking for every client that relies on the responder: depending on their revocation-checking policy, clients either fail to validate certificates (hard-fail) or proceed without revocation status (soft-fail), so an outage can turn into either an availability problem for dependent services or a window in which revoked certificates are accepted. The attack vector is network-based, requires no privileges and no user interaction, and has low attack complexity. The vulnerability has a high impact on availability but does not affect confidentiality or integrity.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft released updates addressing this vulnerability on July 9, 2024 (the July 2024 Patch Tuesday); details are published in the Microsoft Security Update Guide.

Mitigation

1. Apply the security updates provided by Microsoft as soon as possible.
2. Prioritize patching for systems running the Online Responder (OCSP Server) role, especially those reachable from untrusted networks.
3. Baseline and monitor the resource consumption (CPU, memory, handles, request rate) of the Online Responder service and the IIS worker processes that front it, and alert on sustained deviations; a spike in OCSP request volume from a small set of source addresses is the symptom to look for.
4. Use network segmentation and firewall rules to limit which networks can reach the responder; where it must serve Internet clients, place it behind a reverse proxy or load balancer that can rate-limit per source.
5. Regularly update and patch all affected Windows systems, including Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2), Windows 11 (versions 21H2, 22H2, 23H2), Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2.
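A triage script for the patching and monitoring steps above, added here as an example; it is not part of the advisory and is not Microsoft's code. It assumes that 'ADCS-Online-Cert' and 'OcspSvc' are the Windows feature and service names for the Online Responder, that the IIS worker process w3wp.exe hosts the responder's web front end, that 2024-07-09 is the release date given on this page, and that the CPU, working-set and handle thresholds are hypothetical placeholders to be replaced by a measured baseline. Get-HotFix cannot tell you which CVEs an update fixes, so the update check only flags hosts with nothing installed since the patch date; confirm the specific KB against the Security Update Guide.

```powershell
# Added example (not from the advisory or Microsoft). Run in an elevated
# PowerShell session on a server that may host the Online Responder.
# Assumptions: 'ADCS-Online-Cert' / 'OcspSvc' are the Windows feature and
# service names for the Online Responder and w3wp.exe (IIS) fronts it;
# 2024-07-09 is the release date from this advisory; thresholds are
# illustrative and should be replaced by a measured baseline.
param(
    [datetime]$PatchReleased = '2024-07-09',
    [int]$SampleSeconds      = 5,
    [double]$CpuPctWarn      = 80,     # percent of one core over the sample window
    [int]$WorkingSetWarnMB   = 1024,
    [int]$HandleWarn         = 5000
)

function Test-OcspRoleInstalled {
    # Get-WindowsFeature exists only on Windows Server; a missing cmdlet means
    # this is a client SKU and cannot be an Online Responder.
    try { $f = Get-WindowsFeature -Name 'ADCS-Online-Cert' -ErrorAction Stop }
    catch { return $false }
    return [bool]($f -and $f.Installed)
}

function Get-UpdatesSince([datetime]$Since) {
    # Lists updates installed on or after the patch date. InstalledOn can be
    # empty for some entries, so those are skipped rather than mis-dated.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-ResponderProcesses {
    # The Online Responder service process (looked up via its service record so
    # the executable name is not hard-coded) plus any IIS worker processes.
    $procs = @()
    $svc = Get-CimInstance Win32_Service -Filter "Name='OcspSvc'"
    if ($svc -and $svc.ProcessId) {
        $procs += @(Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue)
    }
    $procs += @(Get-Process -Name 'w3wp' -ErrorAction SilentlyContinue)
    return @($procs | Where-Object { $_ })
}

function Measure-ProcessLoad {
    param([System.Diagnostics.Process[]]$Processes, [int]$Seconds)
    # CPU% is the growth of TotalProcessorTime over the wall-clock window;
    # handles, threads and working set are read at the end of the window.
    $before = @{}
    foreach ($p in $Processes) { $before[$p.Id] = $p.TotalProcessorTime }
    Start-Sleep -Seconds $Seconds
    foreach ($p in $Processes) {
        $p.Refresh()
        $cpuPct = (($p.TotalProcessorTime - $before[$p.Id]).TotalSeconds / $Seconds) * 100
        [pscustomobject]@{
            Name         = $p.ProcessName
            Id           = $p.Id
            CpuPct       = [math]::Round($cpuPct, 1)
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB)
            Handles      = $p.HandleCount
            Threads      = $p.Threads.Count
        }
    }
}

# --- main ---
if (-not (Test-OcspRoleInstalled)) {
    Write-Output 'Online Responder role not installed; this host is not an OCSP server.'
    return
}

$updates = Get-UpdatesSince $PatchReleased
if ($updates) {
    Write-Output "Updates installed since $($PatchReleased.ToString('yyyy-MM-dd')) (verify the KB against the Security Update Guide):"
    $updates | Format-Table -AutoSize
} else {
    Write-Warning "No update installed since $($PatchReleased.ToString('yyyy-MM-dd')); host is likely unpatched for CVE-2024-38068."
}

$procs = Get-ResponderProcesses
if (-not $procs) {
    Write-Warning 'OcspSvc is not running and no IIS worker process was found.'
    return
}

$load = Measure-ProcessLoad -Processes $procs -Seconds $SampleSeconds
$load | Format-Table -AutoSize
foreach ($row in $load) {
    if ($row.CpuPct -ge $CpuPctWarn -or $row.WorkingSetMB -ge $WorkingSetWarnMB -or $row.Handles -ge $HandleWarn) {
        Write-Warning "$($row.Name) (PID $($row.Id)) exceeds a threshold; possible resource exhaustion. Check OCSP request rate and source IPs in the IIS logs."
    }
}
```

Scheduling the script every few minutes and shipping the warnings to your SIEM turns step 3 into an actual detection; the five-second sample is deliberately short so the check itself adds negligible load to a responder that may already be under pressure.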

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92149)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38068

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38068. See article

Jul 9, 2024 at 5:17 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jul 9, 2024 at 5:25 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 17.2%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE started to trend in security discussions

Jul 11, 2024 at 5:25 PM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 6:08 PM

Affected Systems

Microsoft/windows_server_2022

Patches

Microsoft

Attack Patterns

CAPEC-147: XML Ping of the Death

News

Xerox Security Bulletin XRX24- 013 for Xerox® FreeFlow® Print Server v2 / Windows® 10
The methods of Security Patch Update delivery and install are over the network using FreeFlow® Print Server Update Manager or directly from Microsoft® using Windows® Update service, and using media (i.e., USB). The FreeFlow® Print Server engineering team receives new patch updates in January, April, July, and October, and will test them for supported Printer products (such as iGen®5 printers) prior to delivery for customer install.
Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability
cveNotify: CVE-2024-38068 Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability
[Cyware] Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days
Summary: This content highlights the latest vulnerabilities and their severity in various Microsoft products, including .NET and Visual Studio, Active Directory Rights Management Services, Azure CycleCloud, and Azure DevOps. Threat …
Microsoft Enhances Windows 11 24H2 Copilot+ PCs in July Patch Tuesday
Windows Graphics Component Remote Code Execution Vulnerability Windows Network Driver Interface Specification (NDIS) Denial of Service Vulnerability

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability Impact: High
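A worked computation of the base score from the vector above, added here as an example; it is not part of the advisory and the cmdlet names are my own. The metric weights, the Impact/Exploitability formulas and the Roundup procedure are taken from the CVSS v3.1 specification (sections 7.1 and 7.4 and Appendix A); nothing else is assumed. For this page's vector, ISS = 1 - (1-0)(1-0)(1-0.56) = 0.56, Impact = 6.42 x 0.56 = 3.5952, Exploitability = 8.22 x 0.85 x 0.77 x 0.85 x 0.85 = 3.887, and Roundup(7.482) = 7.5, which is High under the qualitative severity scale and matches the score the page reports.

```powershell
# Added example (not from the advisory): compute a CVSS v3.1 base score from a
# vector string. Weights and formulas are the CVSS v3.1 specification's own.

function Get-Cvss31Roundup([double]$x) {
    # Spec Appendix A: round up to one decimal using a fixed-point intermediate
    # so that floating-point noise (e.g. 4.0000001) does not push 4.0 to 4.1.
    $i = [math]::Round($x * 100000)
    if (($i % 10000) -eq 0) { return $i / 100000 }
    return ([math]::Floor($i / 10000) + 1) / 10
}

function Get-Cvss31BaseScore {
    param([Parameter(Mandatory)][string]$Vector)

    # Metric weights, CVSS v3.1 spec section 7.4.
    $av  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }
    $ac  = @{ L = 0.77; H = 0.44 }
    $ui  = @{ N = 0.85; R = 0.62 }
    $cia = @{ H = 0.56; L = 0.22; N = 0.0 }
    $prU = @{ N = 0.85; L = 0.62; H = 0.27 }   # Privileges Required, Scope Unchanged
    $prC = @{ N = 0.85; L = 0.68; H = 0.5 }    # Privileges Required, Scope Changed

    if ($Vector -notmatch '^CVSS:3\.[01]/') { throw "Not a CVSS v3.x vector: $Vector" }

    # Parse "AV:N/AC:L/..." into a metric -> value table.
    $m = @{}
    foreach ($part in ($Vector -split '/' | Select-Object -Skip 1)) {
        $name, $value = $part -split ':', 2
        $m[$name] = $value
    }
    foreach ($req in 'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A') {
        if (-not $m.ContainsKey($req)) { throw "Vector is missing base metric $req" }
    }

    $changed = $m['S'] -eq 'C'
    $pr = if ($changed) { $prC[$m['PR']] } else { $prU[$m['PR']] }

    # Impact Sub-Score and the two sub-scores (spec section 7.1).
    $iss = 1 - (1 - $cia[$m['C']]) * (1 - $cia[$m['I']]) * (1 - $cia[$m['A']])
    $impact = if ($changed) {
        7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    } else {
        6.42 * $iss
    }
    $exploitability = 8.22 * $av[$m['AV']] * $ac[$m['AC']] * $pr * $ui[$m['UI']]

    if ($impact -le 0) { return 0.0 }
    $raw = if ($changed) { 1.08 * ($impact + $exploitability) } else { $impact + $exploitability }
    return Get-Cvss31Roundup ([math]::Min($raw, 10))
}

function Get-Cvss31Severity([double]$Score) {
    # Qualitative severity rating scale, spec section 5.
    if ($Score -eq 0) { return 'None' }
    if ($Score -lt 4) { return 'Low' }
    if ($Score -lt 7) { return 'Medium' }
    if ($Score -lt 9) { return 'High' }
    return 'Critical'
}

# The vector from this advisory.
$score = Get-Cvss31BaseScore 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'
'{0} ({1})' -f $score, (Get-Cvss31Severity $score)
```

Feeding the same function a vector with only Confidentiality set to High gives an identical score, which is the point worth noticing when triaging: the base score does not distinguish a pure availability loss on a revocation responder from a pure confidentiality loss, so the operational impact on certificate validation has to be weighed separately, as the Impact section above does.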
