Exploit
CVE-2024-38193

Use After Free (CWE-416)

Published: Aug 13, 2024

CVSS 7.8 | EPSS 0.14% | Severity: High

Summary

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This is a local vulnerability with a low attack complexity and requires low privileges to exploit. It does not require user interaction. The vulnerability is associated with CWE-416 (Use After Free).

Impact

This vulnerability has a high impact on confidentiality, integrity, and availability. Successful exploitation could allow an attacker to elevate their privileges on the affected system, potentially gaining full control over the compromised Windows machine. This could lead to unauthorized access to sensitive data, modification of system files, and disruption of services.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog. Its exploitation has been reported by various sources, including cisa.gov. Malware such as FudModule (source: Candid.Technology) is known to have weaponized this vulnerability. The threat actor Lazarus Group (source: Cyber Security News) has been identified as exploiting this vulnerability.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability on August 13, 2024.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible.
2. Implement the principle of least privilege, ensuring users and applications only have the minimum necessary permissions.
3. Monitor for suspicious activities, especially attempts to escalate privileges.
4. Keep all Windows systems and software up to date with the latest security patches.
5. Use endpoint detection and response (EDR) tools to detect and prevent exploitation attempts.
6. Implement network segmentation to limit the potential spread if a system is compromised.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (92160)

Aug 13, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-38193.

Aug 13, 2024 at 5:37 PM / #vulnerability
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 13, 2024 at 5:39 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 13, 2024 at 6:10 PM
CVE Assignment

NVD published the first details for CVE-2024-38193

Aug 13, 2024 at 6:15 PM
Exploitation in the Wild

Attacks in the wild have been reported via the CISA Known Exploited Vulnerabilities catalog.

Aug 13, 2024 at 6:30 PM / CISA Known Exploited Vulnerability
Exploitation in the Wild

Attacks in the wild have been reported by CISA - Known exploited vulnerabilities catalog.

Threat Intelligence Report

CVE-2024-38193 is a critical EoP vulnerability in the Windows Ancillary Function Driver for Winsock, with a CVSSv3 score of 7.8. This vulnerability has been exploited in the wild as a zero-day, with proof-of-concept exploits available. Mitigations, detections, and patches are recommended to prevent potential impacts on other third-party vendors or technologies.

Aug 13, 2024 at 7:15 PM
Attribution of Exploits

The vulnerability is known to be exploited by Lazarus Group.

Aug 17, 2024 at 1:38 AM / Cyber Security News

Affected Systems

Microsoft/windows_11_21h2

Proof Of Exploit

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38193

Patches

Microsoft

Links to Malware Families

FudModule

Links to Threat Actors

Lazarus Group

Vendor Advisory

CVE-2024-38193 - Security Update Guide - Microsoft - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

References

Understanding Window Server Updates and Cumulative Updates
Our company recently underwent a third-party security risk assessment which found a CVE-2024-38193 vulnerability for one of our WS2019 Std. servers (current OS build: 17763.6414). However, that update does not appear when I view the update history in Windows Update on the server.
North Korean threat actor Citrine Sleet exploiting Chromium zero-day
In this blog, we share details on the North Korean threat actor Citrine Sleet and the observed tactics, techniques, and procedures (TTPs) used to exploit CVE-2024-7971, deploy the FudModule rootkit, and compromise systems. On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE).

News

Exploit for Use After Free in Microsoft exploit
Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
SECURITY AFFAIRS MALWARE NEWSLETTER
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days. Ahold Delhaize experienced a cyber incident ...
SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 19
SECURITY AFFAIRS MALWARE NEWSLETTER

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
