Exploit
CVE-2024-38112

Exposure of Resource to Wrong Sphere (CWE-668)

Published: Jul 9, 2024

CVSS 7.5, EPSS 1.01%, High

Summary

Windows MSHTML Platform Spoofing Vulnerability. This vulnerability has a CVSS v3.1 base score of 7.5, indicating a medium to high severity. It affects Windows systems and is related to the MSHTML Platform. The vulnerability is associated with CWE-668: Exposure of Resource to Wrong Sphere and CWE-451: User Interface (UI) Misrepresentation of Critical Information. It requires user interaction and has a high attack complexity, with the attack vector being network-based.

Impact

If exploited, this vulnerability could lead to high impacts on confidentiality, integrity, and availability of the affected systems. An attacker could potentially spoof content or manipulate resources, leading to unauthorized access to sensitive information, data manipulation, or disruption of system operations. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including anoopcnair.com. Malware such as Void (source: The Register), HTA (source: News Block), and Atlantida (source: SOCRadar® Cyber Intelligence Inc.) is known to have weaponized this vulnerability. Threat actor Void Banshee (source: Decipher) has been identified as exploiting this vulnerability.

Patch

A patch is available for this vulnerability. Microsoft released the patch on July 9, 2024. Security teams should prioritize applying this patch to affected Windows systems, including Windows 11 (versions 23H2, 22H2, 21H2), Windows 10 (versions 22H2, 21H2, 1809, 1607, 1507), Windows Server (versions 2022, 2019, 2016, 2012 R2, 2008 SP2), and Windows Server 2022 23H2. Each affected version has a specific version number up to which it is vulnerable.

Mitigation

While patching is the primary mitigation, security teams should also consider the following:

1. Prioritize patching based on the medium to high severity (CVSS score 7.5).
2. Implement network segmentation to limit potential attack vectors.
3. Educate users about the risks of interacting with untrusted content, as user interaction is required for exploitation.
4. Monitor systems for suspicious activities related to MSHTML Platform.
5. Apply the principle of least privilege to minimize the potential impact of successful exploitation.
6. Keep all Windows systems and MSHTML Platform components up to date with the latest security patches.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92149)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-38112. See article

Jul 9, 2024 at 5:10 PM / #proofofconcept
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jul 9, 2024 at 5:11 PM
CVE Assignment

NVD published the first details for CVE-2024-38112

Jul 9, 2024 at 5:15 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:25 PM
Exploitation in the Wild

Attacks in the wild have been reported by HTMD Community Blog #1 Modern Device Management Guides. See article

Threat Intelligence Report

CVE-2024-38112 is a spoofing vulnerability in Windows MSHTML with a CVSSv3 score of 7.5, rated as important. While there are no reports of it being exploited in the wild, an unauthenticated, remote attacker could potentially exploit it by convincing a target to open a malicious file. Microsoft has not provided any proof-of-concept exploits, but recommends applying available patches to mitigate the risk of exploitation. See article

Jul 9, 2024 at 7:06 PM
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 8:00 PM

Affected Systems

Microsoft/windows_11_22h2

Proof Of Exploit

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38112

Patches

Microsoft

Links to Malware Families

Atlantida

Links to Threat Actors

Void Banshee

Vendor Advisory

CVE-2024-38112 - Security Update Guide - Microsoft - Windows MSHTML Platform Spoofing Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

References

Windows MSHTML Platform Spoofing Vulnerability
The Security Updates table indicates that this vulnerability affects all supported versions of Microsoft Windows. Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows MSHTML Platform Spoofing Vulnerability
According to the CVSS metric, user interaction is required (UI:R). According to the CVSS metric, the attack complexity is high (AC:H).

News

Managed Vulnerability Scanning: Key Findings and the Importance of Regular Patching
An attacker exploiting this flaw could gain elevated permissions on the system, potentially allowing them to execute malicious code or access sensitive information. By exploiting this vulnerability, the attacker could gain unauthorized access to sensitive information or disrupt legitimate remote desktop sessions.
Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
SECURITY AFFAIRS MALWARE NEWSLETTE

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
