
Exploiting CVE-2024-35250: APT34's Privilege Escalation in Microsoft Windows Systems


Executive Summary

Date: December 16, 2024

The CVE-2024-35250 vulnerability is currently being exploited by malicious actors, including state-sponsored groups. Notably, the Iranian hacking group APT34 (also known as OilRig) has been reported to leverage this vulnerability to escalate privileges within compromised systems. This report provides a detailed analysis of the vulnerability, its exploitation in the wild, affected product versions, and recommended mitigation strategies.

Technical Information

The vulnerability, tracked as CVE-2024-35250, is a high-severity flaw in the Windows kernel that allows local attackers to gain SYSTEM privileges through an untrusted pointer dereference weakness. This vulnerability is particularly concerning as it can be exploited in low-complexity attacks that do not require user interaction, making it accessible to a broader range of attackers. The affected component is the Microsoft Kernel Streaming Service (MSKSSRV.SYS).

The flaw was discovered by the DEVCORE Research Team, who reported it to Microsoft through Trend Micro's Zero Day Initiative. The vulnerability was patched during the June 2024 Patch Tuesday, but proof-of-concept (PoC) exploit code was released on GitHub four months later, indicating a potential increase in exploitation attempts. The ease of exploitation and the availability of PoC code heighten the urgency for organizations to address this vulnerability.

Exploitation in the Wild

CISA has issued warnings to U.S. federal agencies to secure their systems against ongoing attacks exploiting this vulnerability. The agency has added CVE-2024-35250 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to secure their networks by January 6, 2025, under Binding Operational Directive (BOD) 22-01. This directive emphasizes the urgency of addressing vulnerabilities that pose significant risks to federal enterprises.

The DEVCORE team demonstrated the exploitation of this vulnerability during the Pwn2Own Vancouver 2024 hacking contest, successfully compromising a fully patched Windows 11 system. The demonstration included a video showcasing the PoC exploit in action, further highlighting the vulnerability's severity and the ease with which it can be exploited. The ongoing exploitation of this vulnerability underscores the critical need for immediate action from organizations to protect their systems.

APT Groups Using This Vulnerability

The CVE-2024-35250 vulnerability has been notably exploited by the Iranian hacking group APT34. This group is known for targeting various sectors, including energy and telecommunications, primarily in the Middle East. Their use of this vulnerability to escalate privileges within compromised systems indicates a sophisticated approach to cyber operations, leveraging known weaknesses to gain deeper access to sensitive environments.

Affected Product Versions

The following product versions are affected by CVE-2024-35250. For each entry, all builds earlier than the listed build are affected; the listed build itself is not.

Microsoft Windows 10:
  1507: versions before 10.0.10240.20680
  1607: versions before 10.0.14393.7070
  1809: versions before 10.0.17763.5936
  21H2: versions before 10.0.19044.4529
  22H2: versions before 10.0.19045.4529

Microsoft Windows 11:
  21H2: versions before 10.0.22000.3019
  22H2: versions before 10.0.22621.3737
  23H2: versions before 10.0.22631.3737

Microsoft Windows Server:
  Windows Server 2008 R2 SP1: versions before 10.0.14393.7070
  Windows Server 2012: all versions
  Windows Server 2016: versions before 10.0.14393.7070
  Windows Server 2019: versions before 10.0.17763.5936
  Windows Server 2022: versions before 10.0.20348.2522

Organizations using these versions are at risk and must take immediate action to secure their systems.
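The following PowerShell script is an added example, not part of this report or of any Microsoft tooling: it reads the local host's build and update revision (UBR) from the registry and compares them against the fixed builds listed in the table above, reporting whether the host is below the fixed build for CVE-2024-35250. The build-to-fix mapping is transcribed from this report and assumed complete; the Windows Server 2012 build numbers (9200, 9600) are general knowledge, not taken from the report.

```powershell
# Added example: compare the local Windows build against the fixed builds
# for CVE-2024-35250 listed in this report. Verify the result against the
# Microsoft Security Update Guide before acting on it.

# First fixed revision (UBR) keyed by OS build number, transcribed from the report.
$FixedBuilds = @{
    10240 = 20680   # Windows 10 1507
    14393 = 7070    # Windows 10 1607 / Windows Server 2016 (and 2008 R2 SP1 as listed)
    17763 = 5936    # Windows 10 1809 / Windows Server 2019
    19044 = 4529    # Windows 10 21H2
    19045 = 4529    # Windows 10 22H2
    22000 = 3019    # Windows 11 21H2
    22621 = 3737    # Windows 11 22H2
    22631 = 3737    # Windows 11 23H2
    20348 = 2522    # Windows Server 2022
}

# Builds the report lists as affected in all versions (no fixed build given).
# Build numbers are general knowledge (Server 2012 = 9200, Server 2012 R2 = 9600).
$NoFixListed = @(9200, 9600)

function Test-CVE202435250Patched {
    # CurrentBuildNumber is the OS build; UBR is the revision bumped by each
    # cumulative update, so Build.UBR is what the report's version strings encode.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $props = Get-ItemProperty -Path $key
    $build = [int]$props.CurrentBuildNumber
    $ubr   = [int]$props.UBR

    if ($NoFixListed -contains $build) {
        $status = 'Vulnerable'; $detail = 'Report lists all versions of this product as affected'
    } elseif (-not $FixedBuilds.ContainsKey($build)) {
        $status = 'Unknown';    $detail = 'Build not in the report table; check the Microsoft update guide'
    } elseif ($ubr -ge $FixedBuilds[$build]) {
        $status = 'Patched';    $detail = "At or above fixed build $build.$($FixedBuilds[$build])"
    } else {
        $status = 'Vulnerable'; $detail = "Below fixed build $build.$($FixedBuilds[$build])"
    }

    return [pscustomobject]@{
        Build  = "$build.$ubr"
        Status = $status
        Detail = $detail
    }
}

Test-CVE202435250Patched | Format-List
```

Run it in an elevated or standard PowerShell session on each host; the registry keys it reads are world-readable, so no special privilege is needed for the check itself.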

Workaround and Mitigation

Organizations are advised to prioritize the patching of CVE-2024-35250 to mitigate the risk of exploitation. While Microsoft has released a patch, the presence of publicly available PoC exploit code necessitates immediate action to secure systems against potential attacks.

In addition to patching, organizations should consider implementing application control measures such as Software Restriction Policies (SRP) or AppLocker to prevent unauthorized execution of potentially malicious code that could exploit this vulnerability. Regular security assessments and monitoring for unusual activity can also help in identifying potential exploitation attempts early.

References

CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD Entry for CVE-2024-35250: https://nvd.nist.gov/vuln/detail/CVE-2024-35250

BleepingComputer Article: https://www.bleepingcomputer.com/news/security/windows-kernel-bug-now-exploited-in-attacks-to-gain-system-privileges/

Microsoft Security Update Guide for CVE-2024-35250: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35250

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complexities of cybersecurity through our Continuous Threat and Exposure Management (CTEM) platform. Our solutions are designed to provide organizations with the tools and insights necessary to manage vulnerabilities effectively and enhance their overall security posture. We are happy to answer any questions you might have about this report or any other issue at ops@rescana.com.
