Windows Kernel Vulnerability: CVE-2024-38106, etc.
2024.11.20

✅ Report Title:

Quick Overview of Windows Kernel Vulnerability

✅ Executive Summary:


- On August 13, 2024, an urgent patch was released for the Windows Kernel vulnerability CVE-2024-38106.

- Windows and Windows Server products that had not applied the August 2024 cumulative update were found to be vulnerable.

- The vulnerability was disclosed on August 13, 2024 with a CVSSv3 score of 7.0 (High), and the patch was released the same day.

- An in-the-wild exploitation case by a North Korean-backed APT group was also identified, which is why an immediate response is recommended.



📌 What is the attack scenario?

- On August 13, 2024, the North Korean-backed APT group Lazarus, together with the related threat group Citrine Sleet, exploited CVE-2024-7971 to execute arbitrary code in the Chromium renderer process. They then used the Windows Kernel vulnerability covered in this report to escape the sandbox and escalate privileges, and finally deployed the FudModule rootkit.



📌 What caused the vulnerability?

- This vulnerability is a race condition in the Windows Kernel API NtSetInformationWorkerFactory. Specifically, access to the worker factory object is not properly controlled while its property information is being set, which allows privilege escalation.


- The kernel image of the Windows operating system, ntoskrnl.exe, provides APIs for managing worker factory objects used in user-mode thread pool mechanisms:

  • NtCreateWorkerFactory: Creates a worker factory object.
  • NtSetInformationWorkerFactory: Sets properties like idle timeout for an existing worker factory object.
  • NtShutdownWorkerFactory: Releases the worker factory object after use.


- When NtSetInformationWorkerFactory is called with the WorkerFactoryIdleTimeout information class (a value of the WORKERFACTORYINFOCLASS enumeration), its routine calls the KeSetTimer2 function.

- However, the function does not check the state flag of the worker factory object before accessing it, and this missing check is what makes the race condition exploitable.



✅ Recommended Threat Detection and Mitigation Actions:


- Update Threat Detection Rules: Ensure threat detection rules are updated and maintain continuous monitoring.

- Apply the Latest Patches: Install the latest security updates to mitigate the vulnerability.


- Download and install the cumulative updates for the following versions:

  • Windows 11 Version 24H2 2024-08 Cumulative Update
  • Windows 11 Version 23H2 2024-08 Cumulative Update
  • Windows 11 Version 22H2 2024-08 Cumulative Update
  • Windows 11 Version 21H2 2024-08 Cumulative Update
  • Windows 10 Version 22H2 2024-08 Cumulative Update
  • Windows 10 Version 21H2 2024-08 Cumulative Update
  • Windows 10 Version 1809 2024-08 Cumulative Update
  • Windows 10 Version 1607 2024-08 Cumulative Update
  • Windows 10 2024-08 Cumulative Update
  • Windows Server 2022, 23H2 Edition 2024-08 Cumulative Update
  • Windows Server 2022 2024-08 Cumulative Update
  • Windows Server 2019 2024-08 Cumulative Update
  • Windows Server 2016 2024-08 Cumulative Update
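The following PowerShell script is an added example for verifying the recommendation above on a host; it is not part of the S2W report. It reads the running OS build (CurrentBuild.UBR from the registry), the version of ntoskrnl.exe (the component the report names), and the list of updates installed on or after the August 13, 2024 release date. The report does not state the fixed build numbers, so the `$MinimumBuild` value is a placeholder that must be replaced with the fixed build for the host's Windows version from the vendor advisory before the verdict is relied on.

```powershell
# Added example (not from the S2W report): patch-status check for the
# 2024-08 cumulative update that fixes CVE-2024-38106 / CVE-2024-38193.
# Run in an elevated PowerShell session on each host to be checked.

$PatchReleaseDate = Get-Date '2024-08-13'

# PLACEHOLDER: the report does not list fixed build numbers. Replace with the
# fixed OS build (10.0.<CurrentBuild>.<UBR>) for this host's Windows version
# as published in the vendor advisory for the 2024-08 cumulative update.
$MinimumBuild = [version]'10.0.0.0'

# Running OS build: CurrentBuild.UBR is what a cumulative update raises.
$Cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$OsBuild = [version]"10.0.$($Cv.CurrentBuild).$($Cv.UBR)"

# DisplayVersion (22H2, 23H2, ...) matches the version names in the report's
# list; older builds such as 1607/1809 only expose ReleaseId.
$VersionName = if ($Cv.DisplayVersion) { $Cv.DisplayVersion } else { $Cv.ReleaseId }

# Kernel image version. FileVersion looks like "10.0.22621.4037 (WinBuild...)",
# so take the numeric part before the first space.
$Kernel = Get-Item "$env:SystemRoot\System32\ntoskrnl.exe"
$KernelVersion = [version](($Kernel.VersionInfo.FileVersion -split ' ')[0])

# Updates installed on or after the patch release date. Get-HotFix reads
# Win32_QuickFixEngineering; InstalledOn can be null for some entries.
$RecentUpdates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate } |
    Sort-Object InstalledOn -Descending

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WindowsVersion = $VersionName
    OsBuild        = $OsBuild
    KernelVersion  = $KernelVersion
    RecentUpdates  = ($RecentUpdates.HotFixID -join ', ')
    BuildAtOrAbove = ($OsBuild -ge $MinimumBuild)
}

if ($OsBuild -lt $MinimumBuild -or -not $RecentUpdates) {
    Write-Warning "No 2024-08 (or later) cumulative update detected; install the 2024-08 Cumulative Update for Windows $VersionName."
}
```

The OS build comparison is the reliable signal: the cumulative update raises the UBR, whereas Get-HotFix can lag or omit updates delivered through some management channels, so treat the update list as supporting evidence rather than the sole check.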


- If Applying Patches is Not Possible: Follow the mitigation steps outlined below.


  • Patch Limitation: Since ntoskrnl.exe is a core system component, there is no workaround other than applying the patch.
  • Minimize Attack Surface: Exploiting the vulnerability requires code execution privileges. To reduce risk, minimize attack surfaces where remote code execution could occur and closely monitor such activities.



⚡ Additional Sharing Information:


- Around the same period, a vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys) was urgently patched. It has been confirmed that in June 2024, the North Korean-backed APT group Lazarus, along with the related threat group Citrine Sleet, exploited this vulnerability to escalate privileges and deploy the FudModule rootkit into the kernel memory space.


- Here is a summary of the key details:

  • On August 13, 2024, a vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), identified as CVE-2024-38193, was urgently patched.
  • This vulnerability was found to affect all Windows product families that had not applied the August 2024 cumulative update.
  • The vulnerability was disclosed on August 13, 2024, with a CVSS 3.1 score of 7.8 (High), and a patch was released simultaneously.
  • In June 2024, an actual exploitation case by the Lazarus-related threat group Citrine Sleet was confirmed, emphasizing the need for prompt response and mitigation.



🧑‍💻 Report Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact