Microsoft Technical Security Notifications and Security Update Guide Notification System News: Create your profile now – Microsoft Security Response Center (https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notification-system-news-create-your-profile-now/).

Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024. The presentation was appropriately coordinated with Microsoft but may change the threat landscape. Customers concerned with these risks should reference the guidance provided in the Recommended Actions section to protect their systems.

Recommended Actions

The following recommendations do not mitigate the vulnerability but can be used to reduce the risk of exploitation until the security update is available.

- Audit users with permission to perform Backup and Restore operations to ensure only the appropriate users can perform these operations.
  Audit: Audit the use of Backup and Restore privilege (Windows 10) | Microsoft Learn: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege
- Implement an Access Control List or Discretionary Access Control Lists to restrict access to and modification of Backup files, and the ability to perform Restore operations, to appropriate users, for example administrators only.
  Access Control overview | Microsoft Learn: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use
  Discretionary Access Control Lists (DACL): https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl
- Auditing sensitive privileges used to identify access, modification, or replacement of Backup related files could help indicate attempts to exploit this vulnerability.
  Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

CVE-2024-38202

Improper Access Control (CWE-284)

Published: Aug 7, 2024

CVSS 7.3 (High) | EPSS 0.04%

Summary

An elevation of privilege vulnerability exists in Windows Backup, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability.

Impact

If successfully exploited, this vulnerability could allow an attacker with basic user privileges to elevate their privileges, potentially reintroducing previously mitigated vulnerabilities or circumventing some features of Virtualization Based Security (VBS). This could lead to compromised system integrity and potentially impact the confidentiality and availability of the affected system. The CVSS v3.1 base score for this vulnerability is 7.3 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating high impacts on confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. Its exploitation has been reported by various sources, including helpnetsecurity.com.

Patch

A patch is currently not available. Microsoft is developing a security update to mitigate this vulnerability, but it has not yet been released. The CVE will be updated with new information and links to the security updates once available.

Mitigation

While no official patch is available, Microsoft recommends the following actions to reduce the risk of exploitation:

1. Audit users with permission to perform Backup and Restore operations.
2. Implement Access Control Lists or Discretionary Access Control Lists to restrict access or modification of Backup files and perform Restore operations to appropriate users (e.g., administrators only).
3. Audit sensitive privileges used to identify access, modification, or replacement of Backup-related files to help detect potential exploitation attempts.

Additionally, customers are encouraged to subscribe to Security Update Guide notifications to be alerted when the official patch becomes available.
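The three interim actions above can be checked and applied from an elevated PowerShell session. The script below is an added example written for this page; it is not Microsoft's code and is not part of the advisory. It assumes a backup location of D:\Backups (a placeholder; substitute the path your backup tooling actually writes to) and uses only built-in tools: secedit to list who holds SeBackupPrivilege and SeRestorePrivilege, Get-Acl to flag non-administrator write access on the backup folder, auditpol to enable the Sensitive Privilege Use subcategory, and Get-WinEvent to review recent privilege-use events that name either privilege.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Feedly page or Microsoft's advisory): checks for the
# three interim actions recommended for CVE-2024-38202. $BackupPath is an assumed
# placeholder for illustration, not a path named by the advisory.

$BackupPath = 'D:\Backups'   # assumption: replace with your real backup location

# --- 1. Who holds SeBackupPrivilege / SeRestorePrivilege? --------------------
# secedit exports the local security policy; the [Privilege Rights] section lists
# each user right with the SIDs (prefixed '*') or account names that hold it.
function Get-BackupRestorePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    foreach ($right in 'SeBackupPrivilege', 'SeRestorePrivilege') {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        if (-not $line) { continue }
        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
        foreach ($e in $entries) {
            $name = $e
            if ($e.StartsWith('*')) {
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $e.TrimStart('*') }   # unresolvable SID: keep the raw value
            }
            [pscustomobject]@{ Privilege = $right; Holder = $name }
        }
    }
}

# --- 2. Which identities can write to the backup location? --------------------
# Flags any Allow ACE granting Write, Modify or FullControl to an identity other
# than Administrators or SYSTEM, so the DACL can be reviewed and tightened.
function Get-OverlyPermissiveBackupAces {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    $trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $writeMask) -and
                       $trusted -notcontains $_.IdentityReference.Value }
}

# --- 3. Enable sensitive-privilege auditing and review recent events ----------
function Enable-SensitivePrivilegeAuditing {
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
}

# 4673 (privileged service called) and 4674 (operation on a privileged object)
# come from Sensitive Privilege Use auditing; 4672 (special privileges assigned
# at logon) comes from Special Logon auditing if that is also enabled. All three
# carry the privilege names in the message text. Properties[1] is SubjectUserName.
function Get-RecentBackupPrivilegeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4672, 4673, 4674; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SeBackupPrivilege|SeRestorePrivilege' } |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } }, Message
}

Write-Host '== Accounts holding Backup/Restore privileges =='
Get-BackupRestorePrivilegeHolders | Format-Table -AutoSize

Write-Host "== Non-admin write access on $BackupPath =="
Get-OverlyPermissiveBackupAces -Path $BackupPath | Format-Table IdentityReference, FileSystemRights -AutoSize

Enable-SensitivePrivilegeAuditing
Write-Host '== Backup/Restore privilege use in the last 24 hours =='
Get-RecentBackupPrivilegeEvents | Format-Table -AutoSize
```

Expect Administrators and Backup Operators to appear as holders of both privileges on a default install; any other account or group listed is what the first recommended action asks you to justify or remove. Event 4673 can be noisy on hosts that run scheduled backups, so baseline it before alerting on it.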

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38202.

Aug 7, 2024 at 6:48 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 7, 2024 at 6:48 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 7, 2024 at 7:39 PM
Threat Intelligence Report

CVE-2024-38202 is a critical vulnerability with a CVSS score of 9.8 that affects Microsoft products. If exploited in the wild, threat actors could gain unauthorized access to sensitive information. While there are no proof-of-concept exploits currently available, Microsoft has released patches to mitigate the vulnerability and prevent potential downstream impacts on third-party vendors.

Aug 7, 2024 at 9:45 PM
CVE Assignment

NVD published the first details for CVE-2024-38202

Aug 8, 2024 at 2:15 AM
Exploitation in the Wild

Attacks in the wild have been reported by Help Net Security.

Aug 8, 2024 at 9:54 AM / Help Net Security
Trending

This CVE started to trend in security discussions

Aug 12, 2024 at 7:37 AM
Trending

This CVE stopped trending in security discussions

Aug 12, 2024 at 4:40 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 18.9%)

Nov 19, 2024 at 4:47 PM

Affected Systems

Microsoft/windows_10_1607

Patches

Microsoft

Links to Mitre Att&cks

T1546.004

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts

References

ADV24216903 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability Chain Mitigation Guidance
Microsoft recently published CVE-2024-21302 and CVE-2024-38202, providing customers with the necessary guidance to safeguard vulnerable Windows systems and to reduce the risk of these vulnerabilities being exploited. We are publishing this MSRC advisory to explain the risks posed by chaining these vulnerabilities and raise awareness of the mitigation guidance available to customers due to the potential for the threat landscape to change.
Microsoft August 2024 Security Updates
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
CVE-2024-38202 - Security Update Guide - Microsoft - Windows Update Stack Elevation of Privilege Vulnerability
Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the Recommended Actions section of this CVE. Microsoft was notified that an elevation of privilege vulnerability exists in Windows Backup, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS).

News

Patch Tuesday November 2024 - 3 Zero Days!
So, without further ado, here's the chart of MS patches that affect Windows platforms in the past month. Of this month's patches only 8 are critical and 88 important.
Downgrade attacks open patched systems to malware
In that work, Leviev demonstrated the use of a custom tool, Windows Downdate, that enabled him to downgrade critical Windows components such as dynamic link libraries (DLLs), drivers, and the NT kernel, swapping in older versions of key components with known, exploitable vulnerabilities, without being detected. In a blog post, Leviev, who now works for Microsoft, explained that his latest bypass could allow a malicious actor to load unsigned kernel drivers on a fully patched Windows system.
Downgrade attacks open fully patched Windows systems to malware
In a blog post, Leviev, who now works for Microsoft, explained that his latest bypass could allow a malicious actor to load unsigned kernel drivers on a fully patched Windows system. In that work, Leviev demonstrated the use of a custom tool, Windows Downdate, that enabled him to downgrade critical Windows components such as dynamic link libraries (DLLs), drivers, and the NT kernel, swapping in older versions of key components with known, exploitable vulnerabilities, without being detected.
Cybersecurity Threat Advisory: New Microsoft Windows vulnerabilities
Read this Cybersecurity Threat Advisory to learn more about how these vulnerabilities can be leveraged to exploit Microsoft Windows and how to protect your systems. In addition, these vulnerabilities can affect fully patched Windows systems, making it a major concern for both enterprises and individual users.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
