SB2024021367 - Multiple vulnerabilities in Microsoft Windows Kernel
Published: February 13, 2024 Updated: October 25, 2024
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-21345)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the Windows Kernel does not properly enforce security restrictions. A local user can bypass those restrictions and escalate privileges on the system.
2) Race condition (CVE-ID: CVE-2024-21371)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in the Windows Kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
3) Input validation error (CVE-ID: CVE-2024-21341)
The vulnerability allows an attacker with physical access to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the Windows Kernel. An attacker with physical access to the system can pass specially crafted input to the kernel and execute arbitrary code on the target system.
4) Information disclosure (CVE-ID: CVE-2024-21340)
The vulnerability allows an attacker with physical access to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the Windows Kernel. An attacker with physical access to the system can gain unauthorized access to sensitive information on the system.
5) Buffer overflow (CVE-ID: CVE-2024-21338)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the appid.sys AppLocker driver. A local user can trigger memory corruption and execute arbitrary code in kernel mode with elevated privileges.
Note: this vulnerability is being actively exploited in the wild. The Avast write-up referenced below documents its use by the Lazarus group's FudModule rootkit as an admin-to-kernel zero-day.
6) Security features bypass (CVE-ID: CVE-2024-21362)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to a security features bypass in the Windows Kernel. A local user can bypass Windows Code Integrity Guard (CIG).
Remediation
Install the update from the vendor's website.
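The following PowerShell script is an added verification example and is not part of the bulletin or of any Microsoft tooling. It reports the installed OS build and the file version of the appid.sys driver named in item 5, and checks whether any Windows update has been recorded on or after the bulletin's publication date (February 13, 2024). The date threshold is taken from the bulletin; the fixed build and file versions are not listed on this page and are assumed to be looked up in the MSRC entries referenced below.

```powershell
# Added example, not part of the bulletin: report the OS build and appid.sys
# version, and check whether a Windows update was installed on/after the
# bulletin date. Assumptions: run in an elevated PowerShell session on the
# target host; the threshold date is the bulletin's publication date; the
# fixed build/file versions must be compared manually against MSRC.

$BulletinDate = Get-Date '2024-02-13'
$DriverPath   = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'

function Get-AppIdDriverInfo {
    # Returns the on-disk version of the AppLocker driver (CVE-2024-21338 component).
    if (-not (Test-Path $DriverPath)) { return $null }
    $item = Get-Item $DriverPath
    [pscustomobject]@{
        Path           = $DriverPath
        FileVersion    = $item.VersionInfo.FileVersion
        ProductVersion = $item.VersionInfo.ProductVersion
        LastWriteUtc   = $item.LastWriteTimeUtc
    }
}

function Test-UpdateSinceBulletin {
    param([datetime]$Since = $BulletinDate)
    # Get-HotFix (Win32_QuickFixEngineering) lists installed updates. InstalledOn
    # can be empty for some entries, so those are excluded rather than counted
    # as evidence of patching.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending
    [pscustomobject]@{
        Patched = [bool]$recent
        Updates = $recent | Select-Object HotFixID, Description, InstalledOn
    }
}

$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"OS build: $($os.CurrentBuild).$($os.UBR)"

$driver = Get-AppIdDriverInfo
if ($driver) { $driver | Format-List } else { Write-Warning "appid.sys not found at $DriverPath" }

$result = Test-UpdateSinceBulletin
if ($result.Patched) {
    "Updates recorded on/after $($BulletinDate.ToString('yyyy-MM-dd')):"
    $result.Updates | Format-Table -AutoSize
} else {
    Write-Warning "No Windows update recorded since $($BulletinDate.ToString('yyyy-MM-dd')); install the February 2024 cumulative update or later."
}
```

The date check is a heuristic: Get-HotFix reports what Windows Update recorded, not which build is actually running. For an authoritative answer, compare the printed CurrentBuild.UBR value against the build number listed in the MSRC entry for each CVE, and compare the appid.sys file version against the fixed version for the host's Windows release.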
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21345
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21371
- https://www.zerodayinitiative.com/advisories/ZDI-24-1035/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21341
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21340
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21362