Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Introduction
On August 7, 2024, Microsoft disclosed a critical security vulnerability identified as CVE-2024-21302 and CVE-2024-38202. This vulnerability affects Windows systems supporting Virtualization Based Security (VBS), including certain Azure Virtual Machine SKUs. The vulnerability allows an attacker with administrative privileges to replace current Windows system files with outdated versions, potentially reintroducing previously mitigated vulnerabilities, circumventing VBS features, and exfiltrating data protected by VBS.
Vulnerability Details
The vulnerability was reported by a security researcher who discovered that Windows 10, Windows 11, Windows Server 2016 and later versions, including Azure VMs supporting VBS, are susceptible. The core issue is that an attacker who already holds administrative privileges can replace current system files with outdated ones. Doing so can reintroduce previously fixed vulnerabilities, bypass VBS security features, and expose data that VBS was protecting.
Impact and Risks
Successful exploitation of this vulnerability can have severe consequences:
Reintroduction of Mitigated Vulnerabilities: Attackers can exploit previously patched vulnerabilities, making the system susceptible to known attacks.
Circumvention of VBS Features: VBS features designed to protect the system can be bypassed, reducing the overall security posture.
Data Exfiltration: Sensitive data protected by VBS can be accessed and exfiltrated by the attacker.
Current Status
As of now, Microsoft is actively developing a security update to address this vulnerability. However, due to the complexity of blocking a large number of outdated files, rigorous testing is required to avoid integration failures or regressions. Microsoft has not yet released the update but is providing guidance to help customers reduce the risks associated with this vulnerability.
Recommended Actions
While waiting for the official security update, Microsoft recommends the following actions to mitigate the risk:
Configure Audit Object Access Settings: Monitor attempts to access files, including handle creation, read/write operations, or modifications to security descriptors.
Refer to Audit File System – Windows 10 and Apply a Basic Audit Policy on a File or Folder – Windows 10 for detailed instructions.
Audit Sensitive Privilege Use: Identify access, modification, or replacement of VBS and backup-related files to detect potential exploitation attempts.
Refer to Audit Sensitive Privilege Use – Windows 10 for more information.
Protect Cloud Users: Investigate user risk by reviewing Identity Protection’s Risk Reports in Azure Active Directory.
Rotate credentials for any flagged administrators and enable Multi-Factor Authentication (MFA) to mitigate exposure risks.
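The two audit recommendations above, as an added PowerShell example that is not part of Microsoft's guidance: it enables the File System and Sensitive Privilege Use subcategories, places a SACL on a folder, and reads back the Security events those settings generate. The path in $WatchPath and the one-hour window are assumptions; Event IDs 4663 (object access) and 4673/4674 (sensitive privilege use) are the standard Security log IDs for those subcategories.

```powershell
# Added example, not part of Microsoft's guidance. Run from an elevated
# PowerShell session; $WatchPath is an assumed location, set it to the
# folder holding the VBS-related files you want to monitor.
param([string]$WatchPath = 'C:\Windows\System32')

# 1. Enable the two advanced audit policy subcategories the guidance names.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# 2. Add a SACL entry so that writes, deletes, ownership and permission
#    changes under $WatchPath by any principal produce Security events.
$acl  = Get-Acl -Path $WatchPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Read back the events those settings generate:
#    4663 = object access (a handle was used to write/modify an object),
#    4673/4674 = sensitive privilege use (the PrivilegeList field names the
#    privilege, e.g. SeRestorePrivilege or SeTakeOwnershipPrivilege).
$filter = @{ LogName = 'Security'; Id = 4663, 4673, 4674; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a lookup table.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        User       = $data['SubjectUserName']
        Process    = $data['ProcessName']
        Object     = $data['ObjectName']
        Privileges = $data['PrivilegeList']
    }
} | Where-Object { $_.Id -ne 4663 -or $_.Object -like "$WatchPath*" } |
    Sort-Object Time | Format-Table -AutoSize
```

The 4663 rows are restricted to objects under $WatchPath, while every privilege-use event in the window is kept, since a file replacement by an administrator typically shows up as both.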
Conclusion
The Windows Secure Kernel Mode Elevation of Privilege Vulnerability (CVE-2024-21302 and CVE-2024-38202) represents a significant threat to systems supporting VBS. While Microsoft is working on a security update, it is crucial for organizations to implement the recommended actions to reduce the risk of exploitation. By configuring audit settings, monitoring sensitive privilege use, and protecting cloud users, organizations can enhance their security posture and safeguard their systems against potential attacks.
Stay tuned for updates from Microsoft and ensure your systems are protected by subscribing to Security Update Guide notifications. For more information, visit the Microsoft Security Response Center.