Windows Kernel bug zero day patch now

Brandon Lee

In February, Microsoft patched a critical privilege escalation vulnerability in the Windows Kernel, tracked as CVE-2024-21338, six months after it was first reported as being actively exploited as a zero-day. The flaw was discovered by Jan Vojtěšek, a Senior Malware Researcher at Avast, who found it in the appid.sys driver (part of Windows AppLocker) and reported it to Microsoft in August as being under active exploitation.

The vulnerability affects several versions of Windows 10 and Windows 11, including their latest releases, as well as Windows Server 2019 and 2022. Microsoft's assessment states that the flaw lets a local attacker escalate privileges to SYSTEM through a low-complexity attack that requires no user interaction: the attacker must first obtain access to the system and then run a specially crafted application to exploit the flaw and take control.

After patching the vulnerability on February 13, Microsoft updated the advisory at the end of February to confirm that CVE-2024-21338 had been exploited in the wild, without giving details of the incidents.

Avast found that the North Korean Lazarus group had been exploiting this vulnerability since at least August 2023 to gain kernel-level access and disable security tooling, which let it avoid noisier, more easily detected techniques such as Bring Your Own Vulnerable Driver (BYOVD). Kernel-level access lets an attacker tamper with security software, hide infection indicators, disable kernel-mode telemetry, and modify or protect processes. This matters particularly for lsass: when it runs as a protected process (RunAsPPL), bypassing PPL from the kernel lets attackers extract credentials that would otherwise be inaccessible.

Lazarus used the flaw to build a kernel read/write primitive, upgrading a variant of its FudModule rootkit with improved stealth and the ability to disable several major security protections. This variant also introduces new rootkit techniques aimed at evading detection.

During the investigation, Avast also uncovered a previously unknown remote access trojan (RAT) used by Lazarus, which will be detailed in a presentation at Black Hat Asia in April. With its admin-to-kernel zero-day now exposed, Lazarus must either find new zero-day exploits or fall back on its earlier BYOVD tradecraft.

Windows users should apply the February 2024 Patch Tuesday updates promptly to protect against Lazarus's exploitation of CVE-2024-21338.
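A quick host check a defender can run to confirm the patch state and the related hardening mentioned above, added here as an example and not part of the original post or Avast's research. It assumes an elevated PowerShell session, identifies the cumulative update only by install date (on or after the February 13 patch date named above), and leaves the exact KB and build numbers to be confirmed against Microsoft's advisory.

```powershell
# Added example: triage one Windows host for CVE-2024-21338 patch state.
# Run in an elevated PowerShell session. KB/build numbers for the fix are not
# hard-coded; compare the output against Microsoft's advisory for your OS.

$PatchDate = Get-Date '2024-02-13'   # February 2024 Patch Tuesday (from the post)

# 1. OS edition and build, including the update build revision (UBR)
$os = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
"OS: $($os.Caption)  build $($os.BuildNumber).$ubr"

# 2. Updates installed on or after the February 2024 Patch Tuesday
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchDate }
if ($recent) {
    "Updates installed on/after $($PatchDate.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchDate.ToShortDateString()); check the CVE-2024-21338 advisory."
}

# 3. File version of the affected AppLocker driver, for comparison with the advisory
$appid = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
if (Test-Path $appid) {
    "appid.sys version: $((Get-Item $appid).VersionInfo.FileVersion)"
} else {
    Write-Warning 'appid.sys not found at the expected path'
}

# 4. LSA protection (RunAsPPL). The post notes that kernel access was used to
#    bypass PPL on lsass, so confirm it is enabled at all (1 = enabled with UEFI
#    lock, 2 = enabled without UEFI lock); a missing or zero value means lsass
#    is not running as a protected process.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$ppl = $lsa.RunAsPPL
if ($ppl -ge 1) {
    "RunAsPPL enabled (value $ppl)"
} else {
    Write-Warning 'RunAsPPL not enabled; lsass is not running as a protected process'
}
```

Get-HotFix lists only updates recorded by Windows Update (Win32_QuickFixEngineering), so an empty result is a prompt to verify with Get-WindowsUpdateLog or your patch-management console rather than proof the host is unpatched.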

Posted : 03/03/2024 9:38 am