[CDP-development] TLP:GREEN (Vulnerability Notification) CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Tue Oct 15 13:20:44 PDT 2024


Good afternoon,

The SOC Services team is reporting on the vulnerability CVE-2024-30088, Microsoft Windows Kernel TOCTOU Race Condition Vulnerability. Due to its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On June 11, 2024, Microsoft patched a race condition (time-of-check to time-of-use, TOCTOU) vulnerability in several Microsoft operating systems, tracked as CVE-2024-30088. The vulnerability is classified as elevation of privilege. CVE-2024-30088 was published as a CVE on June 11, 2024, was last modified on June 21, 2024, and currently carries a CVSSv3 rating of 7.0 (High).

Vulnerable Versions:


  *   Windows 10 (multiple versions)
  *   Windows 11 (multiple versions)
  *   Windows Server 2016 (multiple versions)
  *   Windows Server 2019 (multiple versions)
  *   Windows Server 2022 (multiple versions)


Fixed Versions:

Link to Microsoft Security Response Center regarding CVE-2024-30088 patches: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088

Intelligence: As of October 15, 2024, the vulnerability has been confirmed as exploited in the wild. The vulnerability resides in the NtQueryInformationToken function, specifically in the handling performed by AuthzBasepCopyoutInternalSecurityAttributes. The flaw stems from the kernel's improper locking when operating on an object, an oversight that can allow a local attacker to escalate privileges. Such a vulnerability is particularly serious because of the elevated privileges an attacker can gain, effectively seizing complete control of the affected system. This privilege escalation can facilitate further malicious activity, including data theft, system sabotage, and the deployment of additional malware.

Additionally, on October 13, 2024, The Hacker News published an article stating that "an Iranian threat actor known as "OilRig" has been observed exploiting the now patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region." (https://thehackernews.com/2024/10/oilrig-exploits-windows-kernel-flaw-in.html). The article also states that this group is using the vulnerability to deploy a backdoor that leverages Microsoft Exchange servers for credential theft.

Workarounds: There are no workarounds at this time.

How it works: The kernel operates on the SecurityAttributesList directly through a user-supplied pointer, so the list can be manipulated from user mode while the kernel is still using it. This gives rise to multiple time-of-check to time-of-use (TOCTOU) windows, in which a malicious thread can alter the buffer pointer of an attribute name between the kernel's check of that buffer and the call to RtlCopyUnicodeString. Such manipulation enables an attacker to write a controlled value of a controlled size to an arbitrary address.

The Hacker News article further describes the attack chain: "Initial access to target networks is facilitated by means of infiltrating a vulnerable web server to drop a web shell, followed by dropping the ngrok remote management tool to maintain persistence and move to other endpoints in the network. The privilege escalation vulnerability subsequently serves as a conduit to deliver the backdoor, codenamed STEALHOOK, responsible for transmitting harvested data via the Exchange server to an email address controlled by the attacker in the form of attachments. A notable technique employed by OilRig in the latest set of attacks involves the abuse of the elevated privileges to drop the password filter policy DLL (psgfilter.dll) in order to extract sensitive credentials from domain users via domain controllers or local accounts on local machines. "The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions," the researchers said. "The threat actor also utilized plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were first encrypted before being exfiltrated when sent over networks.""

Post-Exploit: An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

As of June 11, 2024 (updated September 26, 2024), the following vulnerability plugins have been released and are currently available in Tenable Security Center:

Plugin | Title | Severity | Platform | Link
200336 | KB5039227: Windows Server 2022 / Azure Stack HCI 22H2 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200336
200340 | KB5039225: Windows 10 LTS 1507 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200340
200342 | KB5039213: Windows 11 version 21H2 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200342
200343 | KB5039211: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200343
200345 | KB5039212: Windows 11 version 22H2 / Windows 11 version 23H2 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200345
200349 | KB5039217: Windows 10 version 1809 / Windows Server 2019 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200349
200351 | KB5039214: Windows 10 Version 1607 / Windows Server 2016 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200351
200352 | KB5039236: Windows 11 version 22H2 / Windows Server version 23H2 Security Update (June 2024) | Critical | Nessus | https://www.tenable.com/plugins/nessus/200352

Recommended Actions:


  *   Verify the host has not been compromised before applying patches.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
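A patch-status check for the KBs in the Tenable plugin table above, added here as an example (it is not part of this advisory, nor Microsoft or Tenable tooling). It assumes an elevated PowerShell 5.1 or later session on the host being checked and that Get-HotFix (Win32_QuickFixEngineering) reflects the updates installed on it:

```powershell
# Added example: report whether this host carries one of the June 2024 cumulative
# updates that fix CVE-2024-30088. The KB-to-OS mapping is taken from the plugin
# table in this advisory; the release date is the June 11, 2024 patch date.
$June2024Kbs = @{
    'KB5039227' = 'Windows Server 2022 / Azure Stack HCI 22H2'
    'KB5039225' = 'Windows 10 LTS 1507'
    'KB5039213' = 'Windows 11 version 21H2'
    'KB5039211' = 'Windows 10 version 21H2 / 22H2'
    'KB5039212' = 'Windows 11 version 22H2 / 23H2'
    'KB5039217' = 'Windows 10 version 1809 / Windows Server 2019'
    'KB5039214' = 'Windows 10 version 1607 / Windows Server 2016'
    'KB5039236' = 'Windows 11 version 22H2 / Windows Server version 23H2'
}
$patchDate = Get-Date -Year 2024 -Month 6 -Day 11

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
# UBR is the "update build revision", the last part of the full build number.
$ubr = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
$hotfixes = Get-HotFix

# Direct evidence: one of the KBs from the plugin table is installed.
$matched = $hotfixes | Where-Object { $June2024Kbs.ContainsKey($_.HotFixID) }

# Indirect evidence only: cumulative updates supersede earlier ones, so a later update
# may carry the fix, but QFE cannot tell an LCU from a .NET or servicing-stack update.
# Treat this as "review", not "patched", and confirm the build against the MSRC page.
$later = $hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate }

$status = 'NOT patched for CVE-2024-30088 - prioritise'
if ($later)   { $status = 'Review: update(s) after June 11, 2024 present but no June 2024 KB; compare build with MSRC page' }
if ($matched) { $status = 'Patched: June 2024 cumulative update present' }

# One object per host so the output can be piped to Export-Csv for fleet reporting.
[PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    OS           = $os.Caption
    Build        = "$($os.BuildNumber).$ubr"
    MatchedKB    = ($matched.HotFixID -join ', ')
    MatchedFor   = (($matched.HotFixID | ForEach-Object { $June2024Kbs[$_] }) -join '; ')
    LatestUpdate = ($hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
    Status       = $status
}
```

Run it through Invoke-Command against a list of hosts and pipe the objects to Export-Csv to get a single report for the environment.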


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable, and secure state technology systems that equitably serve Oregonians."

