CVE-2024-38089

Improper Privilege Management (CWE-269)

Published: Jul 9, 2024

CVSS 9.9 / EPSS 0.05% / Critical

Summary

Microsoft Defender for IoT Elevation of Privilege Vulnerability. This is a critical-severity vulnerability with a CVSS base score of 9.9. The attack vector is network, attack complexity is low, low privileges are required and no user interaction is needed. The scope is changed, and the impact on confidentiality, integrity, and availability is high. This vulnerability affects Microsoft Defender for IoT versions prior to 24.1.4.

Impact

This vulnerability could allow an attacker who already holds low privileges to elevate them within Microsoft Defender for IoT. The attack can be executed over the network without user interaction, potentially leading to a complete compromise of the targeted system's confidentiality, integrity, and availability. Because the scope is changed, the impact could extend beyond the vulnerable component to other parts of the system or network, resulting in unauthorized access to sensitive data, system manipulation, and disruption of IoT device management and security monitoring.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability on July 9, 2024. The patch updates Microsoft Defender for IoT to version 24.1.4 or later, which addresses the vulnerability.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible, updating Microsoft Defender for IoT to version 24.1.4 or later.
2. Implement network segmentation to limit the potential attack surface.
3. Monitor and audit privileged account activities.
4. Implement the principle of least privilege across your IoT environment.
5. Keep all Microsoft Defender for IoT instances updated to the latest version.
6. Implement strong authentication mechanisms for privileged accounts.
7. Regularly review and update access controls for Microsoft Defender for IoT.
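One way to find the appliances that still need the fix, as an added example that is not taken from this page or from Microsoft's tooling. It assumes you already have an inventory of appliance names and the software versions they report (the list below is constructed for illustration); the only fact taken from the advisory is the first fixed version, 24.1.4. The point it makes is that version strings must be compared numerically, since a plain string comparison puts 24.1.10 before 24.1.4 and would misclassify a patched appliance.

```python
"""Flag Defender for IoT appliances still below the fixed version 24.1.4.

Added example, not Microsoft's code. The appliance inventory is constructed
for illustration; in practice it would come from your own asset records.
"""
import re

FIXED_VERSION = "24.1.4"  # first fixed version per the advisory for CVE-2024-38089

# Constructed sample inventory: (appliance name, reported software version).
# Names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("sensor-plant-a", "24.1.4"),
    ("sensor-plant-b", "24.1.10"),
    ("sensor-dc-1", "23.2.0"),
    ("mgmt-console", "v22.3.7"),
    ("sensor-lab", "24.1.4-hotfix"),
]

# Optional leading 'v', then dot-separated integers; any suffix after that is ignored.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return a tuple of ints so that 24.1.10 sorts after 24.1.4.

    A plain string comparison gets this wrong ("24.1.10" < "24.1.4" is True),
    which would report a patched appliance as still vulnerable.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the reported version is strictly below the fixed version.

    A shorter tuple such as (24, 1) compares below (24, 1, 4), so an appliance
    that reports only a major.minor is treated conservatively as vulnerable.
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return the names of appliances that still need the update, in inventory order."""
    return [name for name, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```

With the constructed inventory this reports sensor-dc-1 and mgmt-console; sensor-plant-b (24.1.10) is correctly left alone even though it sorts before "24.1.4" as a string.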

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Jul 9, 2024 at 5:05 PM (microsoft) - CVSS: A CVSS base score of 9.1 has been assigned.
Jul 9, 2024 at 5:15 PM - CVE Assignment: NVD published the first details for CVE-2024-38089.
Jul 9, 2024 at 5:17 PM (Vulners.com RSS Feed) - First Article: Feedly found the first article mentioning CVE-2024-38089.
Jul 9, 2024 at 5:34 PM - CVSS Estimate: Feedly estimated the CVSS score as MEDIUM.
Jul 9, 2024 at 6:53 PM - CVSS Estimate: Feedly estimated the CVSS score as HIGH.
Jul 9, 2024 at 7:13 PM - Trending: This CVE started to trend in security discussions.
Jul 10, 2024 at 10:14 AM - EPSS: EPSS Score was set to 0.05% (Percentile: 19.6%).
Jul 12, 2024 at 3:45 PM (nvd) - CVSS: A CVSS base score of 9.9 has been assigned.
Jul 12, 2024 at 8:36 PM - Trending: This CVE stopped trending in security discussions.

Affected Systems

Microsoft/defender_for_iot

Patches

Microsoft

Links to MITRE ATT&CK

T1548: Abuse Elevation Control Mechanism

Attack Patterns

CAPEC-122: Privilege Abuse

News

Microsoft Security Bulletin Coverage For August 2024
The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft's security advisories for the month of August 2024 and has produced coverage for ten of the reported vulnerabilities. Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month.
@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 28 - SANS Institute
Product: Automattic Newspack Blocks CVSS Score: 9.9 NVD: NVD References: CVE-2024-39872 - SINEMA Remote Connect Server (All versions < V3.2 SP1) allows authenticated attackers with the 'Manage firmware updates' role to escalate privileges via improper assignment of rights to temporary files. Product: WordPress Gutenberg Forms plugin CVSS Score: 9.8 NVD: NVD References: - - - CVE-2024-6314 - The IQ Testimonials plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially execute remote code due to insufficient file validation, in versions up to 2.2.7, only if the 'gd' PHP extension is not loaded.
Microsoft Neutralizes Two Active Zero-Day Threats in July's Security Update - Techweez
The security update includes 20 Elevation of Privilege (EoP) vulnerabilities, slightly outnumbering Remote Code Execution (RCE) flaws. The security update addresses two zero-day vulnerabilities that are currently being exploited in the wild:
cveNotify: CVE-2024-38089 Microsoft Defender for IoT Elevation of Privilege Vulnerability (@cveNotify)
[Cyware] Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days
Summary: This content highlights the latest vulnerabilities and their severity in various Microsoft products, including .NET and Visual Studio, Active Directory Rights Management Services, Azure CycleCloud, and Azure DevOps. Threat …

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
