Overview
On February 13th, 2024, Microsoft released a patch for CVE-2024-21338, a Windows Kernel Elevation of Privilege vulnerability. The vulnerability lies in a particular IOCTL handler of “appid.sys”, the driver behind AppLocker, a built-in Windows feature. By exploiting it, a threat actor can read and write arbitrary kernel memory and thereby disable security products or gain system privileges. Avast reported that the Lazarus threat group recently used CVE-2024-21338 to disable security products. Windows OS users are therefore advised to apply the latest security patch to their systems.
Description
Exploiting a vulnerable driver to execute code in kernel mode is known as Bring Your Own Vulnerable Driver (BYOVD) (MITRE ATT&CK T1068). BYOVD is used to disable security products and to gain system privileges. On September 22nd, 2022, the ASEC Blog described an attack technique used by the Lazarus threat group, backed by North Korea, to disable security products, and that technique is identical to the one used in the attack described above. In that earlier case, Lazarus dropped its own WinIO-based (open-source) driver file, named “ene.sys”, onto the system. In the present attack, however, the vulnerable driver already existed on the system, so the attack is assumed to have been carried out more covertly. And because a legitimate Microsoft driver module was exploited, the impact is likely to be significant.
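The BYOVD technique described above leaves a footprint that defenders can look for: a kernel driver load. The following is an added example for this advisory, not code from the original article or from any vendor. It parses the message body of Sysmon Event ID 6 (“Driver loaded”), which really does carry the ImageLoaded, Hashes, Signed, Signature and SignatureStatus fields, and flags loads that match a watchlist of driver names (here only “ene.sys”, the name the article mentions), that are not validly signed, that are signed by a signer outside a trusted set, or that are loaded from a user-writable path. The sample records, hash values and the “Example Hardware Vendor” signer are constructed for the demo and are not real telemetry or IoCs.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (Driver loaded) records.

Added example for this advisory; not code from the original article or any vendor.
The records below are constructed, the hashes are placeholders, and the watchlist
holds only the driver name the article itself mentions (ene.sys).
"""
from dataclasses import dataclass

# Driver file names the advisory associates with BYOVD activity (constructed watchlist).
KNOWN_BYOVD_DRIVERS = {"ene.sys"}

# Signers we accept without further review. Anything else, or an unsigned driver,
# is worth a look: a BYOVD attack needs a driver that Windows is willing to load.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signature: str
    signature_status: str


def parse_sysmon_driver_load(record: str) -> DriverLoad:
    """Parse the 'Key: Value' lines of a Sysmon Event ID 6 message body."""
    fields = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons a driver load deserves attention (empty list = nothing)."""
    reasons = []
    name = load.image.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_BYOVD_DRIVERS:
        reasons.append(f"known BYOVD driver name: {name}")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append("driver not validly signed")
    elif load.signature not in TRUSTED_SIGNERS:
        reasons.append(f"untrusted signer: {load.signature}")
    # Legitimate drivers live under System32\drivers; user-writable paths are atypical.
    lowered = load.image.lower()
    if "\\temp\\" in lowered or "\\users\\" in lowered:
        reasons.append("loaded from a user-writable path")
    return reasons


# Constructed sample records (not real telemetry); hashes are placeholders.
SAMPLE_RECORDS = [
    """ImageLoaded: C:\\Windows\\System32\\drivers\\appid.sys
Hashes: SHA256=PLACEHOLDER
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    """ImageLoaded: C:\\Users\\Public\\ene.sys
Hashes: SHA256=PLACEHOLDER
Signed: true
Signature: Example Hardware Vendor
SignatureStatus: Valid""",
]


def triage(records: list[str]) -> dict[str, list[str]]:
    """Map each flagged image path to its findings; clean loads are omitted."""
    findings = {}
    for rec in records:
        load = parse_sysmon_driver_load(rec)
        reasons = assess(load)
        if reasons:
            findings[load.image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_RECORDS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Note the limitation this advisory highlights: the legitimate “appid.sys” load in the first record produces no finding, because the driver is a validly signed Microsoft module in its normal location. Signer and path checks catch the classic dropped-driver variant of BYOVD, but for a vulnerability in a driver that ships with Windows the effective control is the patch level, not driver-load telemetry.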
Vulnerability and Patch Info
Vulnerability Info
CVE-2024-21338: Windows Kernel Elevation of Privilege Vulnerability (CVSS 3.1 Score: 7.8, High)
Patch Info
The Windows versions affected by the CVE-2024-21338 vulnerability are as follows:
Windows 10 Version 1809
Windows 10 Version 21H2
Windows 11 version 21H2
Windows 10 Version 22H2
Windows 11 Version 22H2
Windows 11 Version 23H2
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2022, 23H2 Edition (Server Core installation)
The following table provides the patch details of the CVE-2024-21338 vulnerability, categorized by product.
Release Date | Product | Build Number | Patch Link | Patch Document
Feb 13th, 2024 | Windows Server 2022, 23H2 Edition (Server Core installation) | | |