FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-38086

Numeric Truncation Error (CWE-197)

Published: Jul 9, 2024

010
CVSS 6.4EPSS 0.05%Medium
CVE info copied to clipboard

Summary

Azure Kinect SDK Remote Code Execution Vulnerability. This is a high-severity vulnerability affecting the Azure Kinect SDK. It has a CVSS v3.1 base score of 6.4, indicating a high level of risk. The vulnerability is related to a Numeric Truncation Error (CWE-197). The affected product is Microsoft Azure Kinect Software Development Kit, versions prior to 1.4.2.

Impact

If exploited, this vulnerability could lead to remote code execution, potentially allowing an attacker to execute arbitrary code on the affected system. The vulnerability has high impacts on confidentiality, integrity, and availability. This means an attacker could potentially access sensitive information, modify data, or disrupt system operations. The attack vector is physical, requiring physical access to the system, and the attack complexity is high. No user interaction is required for exploitation, and no privileges are needed to execute the attack.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft released a security update on July 9, 2024, to address this vulnerability. The patch updates the Azure Kinect SDK to version 1.4.2 or later.

Mitigation

1. Apply the security update provided by Microsoft as soon as possible, upgrading to Azure Kinect SDK version 1.4.2 or later. 2. Limit physical access to systems using the Azure Kinect SDK, as the attack vector is physical. 3. Monitor for any unusual activities or unauthorized access attempts on systems using the Azure Kinect SDK. 4. Ensure that the principle of least privilege is applied to all systems and users interacting with the Azure Kinect SDK. 5. Consider implementing additional security measures such as network segmentation to isolate systems running the vulnerable software.

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVSS

A CVSS base score of 6.4 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38086

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38086. See article

Jul 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:36 PM
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 7:13 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.9%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 6:08 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/azure_kinect_software_development_kit
+null more

Patches

Microsoft
+null more

News

cveNotify : 🚨 CVE-2024-38086Azure Kinect SDK Remote Code Execution Vulnerability🎖@cveNotify
CTI Feeds - Cybercrime on Telegram / 4mo
cveNotify : 🚨 CVE-2024-38086Azure Kinect SDK Remote Code Execution Vulnerability🎖@cveNotify
Microsoft’s Security Update in July of High-Risk Vulnerabilities in Multiple Products
Security Boulevard / 4mo
On July 10, NSFOCUS CERT detected that Microsoft released a security update patch for July, which fixed 139 security issues involving Windows, Microsoft SQL Server, Microsoft Office, Azure and other widely used products, including high-risk vulnerabilities such as privilege escalation and remote code execution. Due to the heap-based buffer overflow in the Windows remote desktop authorization service, unauthenticated attackers can send special packets to the server set as the remote desktop authorization server, triggering the buffer overflow and executing arbitrary codes on the target system.
[Cyware] Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days
Cyber Security News Aggregator / 4mo
Summary: This content highlights the latest vulnerabilities and their severity in various Microsoft products, including .NET and Visual Studio, Active Directory Rights Management Services, Azure CycleCloud, and Azure DevOps. Threat …
Microsoft Enhances Windows 11 24H2 Copilot+ PCs in July Patch Tuesday
WinBuzzer / 4mo
Windows Graphics Component Remote Code Execution Vulnerability Windows Network Driver Interface Specification (NDIS) Denial of Service Vulnerability
Microsoft July 2024 Patch Tuesday Fixes 142 Flaws, 4 Zero-Days
Cyware News - Latest Cyber News / 4mo
As part of Microsoft's July 2024 Patch Tuesday, 142 flaws were addressed, including two zero-days actively exploited and two publicly disclosed. Five critical vulnerabilities were fixed, all related to remote code execution.
See 19 more articles and social media posts

CVSS V3.1

Attack Vector:Physical
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 6.4(29816)CWE-197(32)Microsoft(12100)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial