New critical exploit discovered in Windows kernel: security implications and solutions
How a zero-day exploit threatens Windows kernel security: analysis and mitigation
CVE-2024-38106 is a race-condition vulnerability in the Windows kernel, analyzed and disclosed by Sergei Kornienko of PixiePoint Security. It allows a local attacker to gain SYSTEM privileges. Microsoft fixed it in the August 2024 security update, and it has been actively exploited by the North Korean threat group Citrine Sleet.
On September 2, PixiePoint security researcher Sergei Kornienko published an in-depth analysis and demonstration of an exploit for a critical zero-day vulnerability in the Windows kernel, tracked as CVE-2024-38106. The flaw, rated CVSS 7.0, lives in the kernel image "ntoskrnl.exe," the core of the operating system that mediates between hardware and user-mode software. It is a race condition: a situation in which the outcome of an operation depends on the relative timing of concurrent events, so an attacker who wins the race can drive the kernel into a state it never intended. Successful exploitation gives the attacker SYSTEM-level privileges, which amounts to full control of the affected device. Kornienko responsibly disclosed the vulnerability to Microsoft, which has released an update to address it.
Security updates and changes
The update released by Microsoft to address CVE-2024-38106 changes two key kernel functions: VslGetSetSecureContext() and NtSetInformationWorkerFactory(). These changes were needed to remove the race condition. In particular, new locking has been introduced around operations related to the kernel's Virtualization Based Security (VBS) secure context, so that the racing operations can no longer interleave; in addition, a flag check has been added to NtShutdownWorkerFactory(), which closes the window the exploit relied on.
Active exploitation of the vulnerability
Sergei Kornienko also published a Proof of Concept (PoC) exploit that demonstrates how an attacker can use CVE-2024-38106 for privilege escalation. The public PoC raises the stakes for home and enterprise users alike: once exploit code is available, unpatched systems become easy targets. According to PixiePoint, the vulnerability had already been actively exploited by a North Korean threat group known as Citrine Sleet. The attacks began with redirects to a malicious website, "voyagorclub[.]space," with social engineering used to lure victims there.
Consequences and recommendations
Once victims landed on the malicious site, the attackers exploited CVE-2024-7971, a type confusion bug in the Chromium V8 JavaScript engine, to gain code execution inside the browser's renderer sandbox. They then downloaded and ran an exploit for CVE-2024-38106 to escape the sandbox and elevate to SYSTEM. With kernel privileges in hand, they deployed the FudModule rootkit, which uses Direct Kernel Object Manipulation (DKOM) to tamper with the kernel's own security mechanisms, making the malware extremely difficult to detect and remove. Microsoft released the fix as part of the August 2024 Patch Tuesday update. Because the chain starts in the browser and ends in the kernel, both the browser and the operating system must be kept current: the kernel patch alone stops the privilege escalation, but timely patching across the stack and constant vigilance are what keep such chains from succeeding.
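As a practical follow-up to the patching advice, here is an added PowerShell check (not code from the original article or from PixiePoint) that reads the host's OS build and Update Build Revision (UBR) from the registry and compares them against the minimum build expected to carry the August 2024 cumulative update. The build/UBR thresholds in the table are assumptions for illustration and must be confirmed against Microsoft's August 2024 release notes before the script is relied on; builds not in the table are reported as Unknown rather than guessed.

```powershell
# Added example: verify whether this Windows host carries at least the
# August 2024 cumulative update that addresses CVE-2024-38106.
# The minimum UBR values below are ASSUMED for illustration; confirm them
# against Microsoft's August 2024 release notes before using this in production.

$MinimumBuilds = @{
    # OS build => minimum Update Build Revision assumed to contain the fix
    '19045' = 4780   # Windows 10 22H2 (assumed)
    '22621' = 4037   # Windows 11 22H2 (assumed)
    '22631' = 4037   # Windows 11 23H2 (assumed)
}

function Get-WindowsBuildInfo {
    # CurrentVersion holds the build number and UBR that make up "OS Build X.Y"
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = [string]$cv.CurrentBuildNumber
        UBR            = [int]$cv.UBR
    }
}

function Test-Cve202438106Patched {
    param(
        [Parameter(Mandatory)] $BuildInfo,
        [hashtable] $Minimums = $MinimumBuilds
    )
    if (-not $Minimums.ContainsKey($BuildInfo.Build)) {
        # Do not guess for builds we have no threshold for
        return [pscustomobject]@{
            Status = 'Unknown'
            Reason = "Build $($BuildInfo.Build) not in table; check MSRC manually"
        }
    }
    $required = $Minimums[$BuildInfo.Build]
    if ($BuildInfo.UBR -ge $required) {
        return [pscustomobject]@{
            Status = 'Patched'
            Reason = "UBR $($BuildInfo.UBR) >= $required"
        }
    }
    [pscustomobject]@{
        Status = 'Vulnerable'
        Reason = "UBR $($BuildInfo.UBR) < $required; install the August 2024 cumulative update"
    }
}

$info   = Get-WindowsBuildInfo
$result = Test-Cve202438106Patched -BuildInfo $info
'{0} {1} build {2}.{3}: {4} ({5})' -f $info.ProductName, $info.DisplayVersion,
    $info.Build, $info.UBR, $result.Status, $result.Reason
```

Run it in an elevated or normal PowerShell session; the registry values it reads are world-readable. Because the chain described above also depends on CVE-2024-7971 in the browser, a "Patched" result here only confirms the kernel side of the fix, not that Chrome or Edge are current.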
09/06/2024 09:44
Marco Verro