[CDP-development] TLP:GREEN (Zero-Day Alert Notification) MS-ISAC 2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Fri Jun 14 10:38:26 PDT 2024


Good morning,

The SOC Services team is reporting on the vulnerability CVE-2024-26169: Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability. Due to its high visibility, the software known to be installed in the state environment, and active exploitation, we are providing this in-depth information:

History: CVE-2024-26169 was created on March 12, 2024, and, as of June 13, 2024, carries a CVSSv3 score of 7.8. CISA added CVE-2024-26169 to the Known Exploited Vulnerabilities Catalog on June 13, 2024. This CVE was one of the zero-day vulnerabilities patched by Microsoft on this recent Patch Tuesday.

The following products are affected:

  *   Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core installation)
  *   Windows Server 2016 and Windows Server 2016 (Server Core installation)
  *   Windows Server 2019 and Windows Server 2019 (Server Core installation)
  *   Windows Server 2022, Windows Server 2022 (Server Core Installation), Windows Server 2022 23H2 Edition (Server Core Installation)
  *   Windows 10 (32-bit and x64-based Systems); Windows 10 Version 1607 (32-bit and x64-based Systems); Windows 10 Version 1809 (32-bit, x64-based and ARM64-based Systems); Windows 10 Version 21H2 (32-bit, x64-based and ARM64-based Systems); Windows 10 Version 22H2 (32-bit, x64-based and ARM64-based Systems)
  *   Windows 11 Version 21H2, Version 22H2 and Version 23H2 (ARM64-based and x64-based Systems)


Microsoft has provided the following patching information: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26169.

Intelligence: As of June 14, 2024, MS-ISAC is aware that CVE-2024-26169 can permit an attacker to elevate their privileges. The Black Basta ransomware operation is suspected of exploiting this Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day before a fix was made available. The Black Basta ransomware group is believed to be linked to the Conti ransomware group, and is believed to have had a working exploit tool between 14 and 85 days before Microsoft patched the CVE.

Used in Ransomware: Yes

Workarounds: There are currently no workarounds for this vulnerability.

How it works: Symantec has provided the following information regarding CVE-2024-26169:

  *   The exploit tool takes advantage of werkernel.sys, which uses a null security descriptor when creating registry keys; a key created this way carries no access restrictions, so an unprivileged user can write to it.
     *   The tool creates the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe".
     *   It then sets that key's "Debugger" value to the pathname of its own executable, so that when the Windows Error Reporting process WerFault.exe is started, the attacker's executable is launched in its place, yielding a shell with SYSTEM privileges.

Post-Exploit: Upon successful exploitation of the vulnerability, ransomware groups could deploy ransomware encryption or pursue additional extortion tactics.

No known indicators of compromise have been publicly shared at this time.

As of June 13, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:

Plugin | Title | Severity
191930 <https://www.tenable.com/plugins/nessus/191930> | KB5035854: Windows 11 version 21H2 Security Update (March 2024) | High
191938 <https://www.tenable.com/plugins/nessus/191938> | KB5035849: Windows 10 version 1809 / Windows Server 2019 Security Update (March 2024) | High
191934 <https://www.tenable.com/plugins/nessus/191934> | KB5035855: Windows 10 Version 1607 / Windows Server 2016 Security Update (March 2024) | High
191941 <https://www.tenable.com/plugins/nessus/191941> | KB5035858: Windows 10 LTS 1507 Security Update (March 2024) | High
191944 <https://www.tenable.com/plugins/nessus/191944> | KB5035845: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (March 2024) | High
191936 <https://www.tenable.com/plugins/nessus/191936> | KB5035856: Windows 11 version 22H2 / Windows Server version 23H2 Security Update (March 2024) | High
191942 <https://www.tenable.com/plugins/nessus/191942> | KB5035885: Windows Server 2012 R2 Security Update (March 2024) | High
191947 <https://www.tenable.com/plugins/nessus/191947> | KB5035857: Windows 2022 / Azure Stack HCI 22H2 Security Update (March 2024) | High
191937 <https://www.tenable.com/plugins/nessus/191937> | KB5035853: Windows 11 version 22H2 / 23H2 Security Update (March 2024) | High

Recommended Actions:


  *   Verify that the host has not been compromised before applying patches.
  *   Apply the appropriate vendor-provided updates to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
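As an added example (not part of the MS-ISAC advisory or of Symantec's analysis), the following PowerShell script performs the "verify before patching" step above against the exploitation pattern described under "How it works": it reports whether the IFEO key for WerFault.exe exists and carries a "Debugger" value, whether that key is writable by broad principals (the effect of a null security descriptor), and whether any of the March 2024 KBs listed in the Tenable table is installed. The function names, the $IfeoKey variable and the list of broad principals are assumptions of this example; it is meant to run in an elevated PowerShell 5.1 or later session on the host being assessed.

```powershell
# Added example, not from the advisory: pre-patch host check for the
# CVE-2024-26169 exploitation pattern (IFEO "Debugger" on WerFault.exe).
# Assumptions: elevated PowerShell 5.1+ session on the host under review;
# the KB list mirrors the Tenable plugin titles quoted in the advisory.

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe'

function Test-WerFaultIfeoDebugger {
    # Reports whether the IFEO key for WerFault.exe exists and whether a
    # "Debugger" value has been set on it. A stock installation does not
    # normally carry this key at all, so its presence alone warrants a look.
    if (-not (Test-Path -LiteralPath $IfeoKey)) {
        return [pscustomobject]@{ KeyPresent = $false; Debugger = $null; Suspicious = $false }
    }
    $debugger = (Get-ItemProperty -LiteralPath $IfeoKey -ErrorAction SilentlyContinue).Debugger
    [pscustomobject]@{
        KeyPresent = $true
        Debugger   = $debugger
        Suspicious = -not [string]::IsNullOrEmpty($debugger)
    }
}

function Get-IfeoWeakAces {
    # Lists Allow ACEs on the WerFault.exe IFEO key that grant SetValue to
    # broad principals. A key created with a null security descriptor is
    # writable by Everyone, which is the condition the exploit relies on.
    if (-not (Test-Path -LiteralPath $IfeoKey)) { return @() }
    $acl   = Get-Acl -LiteralPath $IfeoKey
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
    }
}

function Test-AdvisoryKbInstalled {
    # Looks for any KB named in the advisory's Tenable table. Only one of
    # them applies to a given OS build; the others are expected to be absent.
    $kbs = 'KB5035854', 'KB5035849', 'KB5035855', 'KB5035858', 'KB5035845',
           'KB5035856', 'KB5035885', 'KB5035857', 'KB5035853'
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); Found = $found }
}

$ifeo = Test-WerFaultIfeoDebugger
$aces = @(Get-IfeoWeakAces)
$kb   = Test-AdvisoryKbInstalled

"IFEO key present : $($ifeo.KeyPresent)"
"Debugger value   : $($ifeo.Debugger)"
"Weak ACEs        : $($aces.Count)"
"Advisory KB found: $($kb.Found -join ', ')"

if ($ifeo.Suspicious -or $aces.Count -gt 0) {
    Write-Warning 'Investigate this host before patching: IFEO Debugger is set or the key is writable by broad principals.'
}
if (-not $kb.Patched) {
    Write-Warning 'None of the March 2024 KBs from the advisory are installed; apply the vendor update after testing.'
}
```

Get-HotFix reads Win32_QuickFixEngineering, which does not report every update type, so treat a negative KB result as a prompt to confirm with the Tenable plugin or the Windows Update history rather than as proof the host is unpatched. The IFEO and ACL findings are the ones that matter for the "verify before patching" step: a populated "Debugger" value on this key, or a key writable by Everyone, should be handled as a potential compromise and the executable it points to preserved for investigation before the patch is applied.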


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."

