CVE-2024-38078

Use After Free (CWE-416)

Published: Jul 9, 2024

010
CVSS 7.5EPSS 0.05%High
CVE info copied to clipboard

Summary

Xbox Wireless Adapter Remote Code Execution Vulnerability. This is a Use After Free vulnerability with a high severity rating. It has an attack vector of Adjacent Network, requires no user interaction, and has high impacts on confidentiality, integrity, and availability.

Impact

This vulnerability could allow an attacker on an adjacent network to execute arbitrary code on the target system without any user interaction. The attack complexity is high, but if successful, it could lead to a complete compromise of the system's confidentiality, integrity, and availability. This means an attacker could potentially access sensitive information, modify system data, or disrupt system operations.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft released an update to address this vulnerability on July 9, 2024.

Mitigation

1. Apply the security update provided by Microsoft as soon as possible. 2. Implement network segmentation to limit the exposure of systems with Xbox Wireless Adapters to potential adjacent network attacks. 3. Monitor for unusual network activity, particularly from adjacent networks. 4. Ensure all Windows systems, especially those running Windows 11 version 21H2, are included in the patching schedule. 5. If immediate patching is not possible, consider temporarily disabling or disconnecting Xbox Wireless Adapters in high-risk environments until the patch can be applied.

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92149)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38078

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38078. See article

Jul 9, 2024 at 5:17 PM / Vulners.com RSS Feed
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 6:59 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.9%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 8:06 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/windows_11_21h2
+null more

Patches

Microsoft
+null more

News

Update Sun Sep 1 22:32:38 UTC 2024
Update Sun Sep 1 22:32:38 UTC 2024
Update Sat Aug 10 14:30:47 UTC 2024
Update Sat Aug 10 14:30:47 UTC 2024
Hyper-V zero-day stands out on a busy Patch Tuesday - Comkex.com
Zeroing in on the Hyper-V flaw, Mike Walters of patch management specialist Action1 said it posed “significant risk” to systems utilising Hyper-V – it appears relatively simple to exploit, with an attacker being able to gain admin rights with ease if they have obtained initial local access via, for example, a compromised user account within a virtual machine. Security teams will have a busy few days ahead of them after Microsoft patched close to 140 new common vulnerabilities and exposures (CVEs) in its July Patch Tuesday update, including four zero-day exploits – one of them a third-party update via processor giant ARM.
Patch Tuesday July 2024 - Four Zero Days
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month. If you have SQL Server running in the environment please check the chart below since various flavors of SQL Server received patches this month.
Hyper-V zero-day stands out on a busy Patch Tuesday | Computer Weekly
Zeroing in on the Hyper-V flaw, Mike Walters of patch management specialist Action1 said it posed “significant risk” to systems utilising Hyper-V – it appears relatively simple to exploit, with an attacker being able to gain admin rights with ease if they have obtained initial local access via, for example, a compromised user account within a virtual machine. Security teams will have a busy few days ahead of them after Microsoft patched close to 140 new common vulnerabilities and exposures (CVEs) in its July Patch Tuesday update, including four zero-day exploits – one of them a third-party update via processor giant ARM.
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Adjacent_network
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI