ExploitCVE-2024-38213
Protection Mechanism Failure (CWE-693)
Summary
A Windows Mark of the Web Security Feature Bypass Vulnerability has been identified. This vulnerability is associated with a protection mechanism failure (CWE-693) and affects Microsoft Windows products. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity level. It requires network access and user interaction, with a low attack complexity. The vulnerability primarily impacts system integrity, with no direct effect on confidentiality or availability.
Impact
If exploited, this vulnerability could allow an attacker to bypass the Windows Mark of the Web (MOTW) security feature. This could potentially lead to the execution of untrusted files without proper security warnings or restrictions. The impact is primarily on system integrity, as indicated by the "HIGH" integrity impact in the CVSS score. Attackers might be able to manipulate or bypass security controls designed to protect users from potentially malicious files downloaded from the internet. This could result in the execution of malware or other malicious content without the user's knowledge or consent, potentially leading to system compromise or data manipulation.
Exploitation
There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including cisa.gov. Malware such as Lumma Stealer (source:NetmanageIT CTO Corner), Hydra (source:VERITI), DarkGate (source:Black Hat Ethical Hacking) are known to have weaponized this vulnerability.
Patch
A patch is available for this vulnerability. Microsoft released the patch on August 13, 2024, as part of their regular security updates. The patch can be obtained through the Microsoft Update Guide at the provided URL: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38213
Mitigation
1. Apply the security update provided by Microsoft as soon as possible. 2. Ensure all Windows systems are set to receive and install updates automatically. 3. Implement the principle of least privilege to minimize the potential impact of any successful exploit. 4. Educate users about the risks of opening files from untrusted sources, even if they appear to be from legitimate senders. 5. Consider implementing additional security measures such as application whitelisting or enhanced email filtering to reduce the risk of malicious file execution. 6. Monitor systems for any suspicious activities, especially those related to file execution from external sources. 7. Keep all security software up-to-date and perform regular security scans.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C
Timeline
A CVSS base score of 6.5 has been assigned.
Feedly found the first article mentioning CVE-2024-38213. See article
Feedly estimated the CVSS score as MEDIUM
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-38213
Attacks in the wild have been reported by CISA Known Exploited Vulnerability.
Attacks in the wild have been reported by CISA - Known exploited vulnerabilities catalog. See article
CVE-2024-38213 is a critical security feature bypass vulnerability in Windows Mark of the Web with a CVSSv3 score of 6.5. Microsoft has flagged it as "Exploitation Detected" due to instances of exploitation in the wild. While there are no proof-of-concept exploits currently available, users are advised to be cautious when opening files from untrusted sources and to apply any patches or mitigations provided by Microsoft. See article
The vulnerability is known to be exploited by DarkGate. See article