The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21338 (CVSS score 7.8), a Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog.
An attacker can exploit this vulnerability to gain SYSTEM privileges. Exploitation requires the attacker to first log in to the system; a specially crafted application can then trigger the flaw and take control of the compromised host.
The vulnerability was discovered by Jan Vojtěšek from Avast.
In late February, Avast researchers reported that the North Korea-linked Lazarus APT group had been using an admin-to-kernel exploit for a zero-day vulnerability in appid.sys, the AppLocker driver.
The zero-day, tracked as CVE-2024-21338, was addressed by Microsoft in the February 2024 Patch Tuesday update.
The nation-state actors exploited the zero-day to gain kernel-level access and disable security software. In earlier attacks the group achieved the same goal with much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques, which require dropping a signed third-party driver with a known flaw onto the host to cross the admin-to-kernel boundary; abusing a driver that ships with Windows leaves no such artifact behind.
Lazarus exploited CVE-2024-21338 to perform direct kernel object manipulation (DKOM) in an updated version of its FudModule rootkit.
The flaw resides in the IOCTL (Input and Output Control) dispatcher of the appid.sys driver. This driver is a core component of AppLocker, the Windows application-control feature that restricts which apps and files users can run.
By sending crafted requests to the driver's IOCTL dispatcher, which did not properly restrict who could reach it, Lazarus obtained kernel-level primitives and used them to run its code with kernel privileges on the target system, bypassing security measures such as endpoint protection.
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address vulnerabilities in the catalog by the due date to protect their networks against attacks exploiting them.
Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA ordered federal agencies to fix this vulnerability by March 25, 2024.
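CISA publishes the KEV catalog as a JSON feed, so the remediation deadline above can be checked automatically against a scanner's findings rather than read off a web page. The script below is an added example (not code from Security Affairs, Avast or CISA): it indexes a feed snapshot by CVE ID and reports, for a given date, whether each CVE a host is exposed to is absent from KEV, still within its due date, or overdue. The snapshot is constructed inline in the layout of the public feed; the `dueDate` matches the article, while `dateAdded` and `knownRansomwareCampaignUse` are assumptions, and `CVE-0000-0000` is a deliberately invalid placeholder used only to exercise the "not in KEV" path.

```python
"""Triage scanner findings against a CISA KEV feed snapshot.

Added example; not code from Security Affairs, Avast or CISA.
"""
import json
from datetime import date

# Constructed snapshot in the layout of CISA's public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# dueDate is from the article; dateAdded and knownRansomwareCampaignUse are assumptions.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-21338",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Kernel Exposed IOCTL with "
                                 "Insufficient Access Control Vulnerability",
            "dateAdded": "2024-03-04",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations "
                              "are unavailable.",
            "dueDate": "2024-03-25",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(raw_feed):
    """Parse a KEV feed document and index its entries by CVE ID."""
    doc = json.loads(raw_feed)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def kev_status(kev_index, cve_id, as_of):
    """Classify one CVE as of a given date.

    Returns a dict whose 'status' is 'not_in_kev', 'open' (due date not yet
    passed) or 'overdue'.  The due date itself still counts as 'open', since
    BOD 22-01 deadlines are inclusive of the due date.
    """
    entry = kev_index.get(cve_id)
    if entry is None:
        return {"cve": cve_id, "status": "not_in_kev"}
    due = date.fromisoformat(entry["dueDate"])
    return {
        "cve": cve_id,
        "status": "overdue" if as_of > due else "open",
        "dueDate": entry["dueDate"],
        "daysLeft": (due - as_of).days,          # negative when overdue
        "ransomware": entry["knownRansomwareCampaignUse"],
        "action": entry["requiredAction"],
    }


def triage(raw_feed, findings, as_of):
    """Run kev_status over every CVE a scanner reported for a host.

    KEV entries come first, ordered by days left, so the most urgent item is
    at the top; CVEs not in KEV are appended unchanged.
    """
    index = load_kev(raw_feed)
    results = [kev_status(index, cve, as_of) for cve in findings]
    in_kev = sorted((r for r in results if r["status"] != "not_in_kev"),
                    key=lambda r: r["daysLeft"])
    others = [r for r in results if r["status"] == "not_in_kev"]
    return in_kev + others


if __name__ == "__main__":
    # Constructed scanner output for one host; CVE-0000-0000 is an invalid
    # placeholder that only exercises the "not in KEV" path.
    host_findings = ["CVE-0000-0000", "CVE-2024-21338"]
    for row in triage(KEV_SNAPSHOT, host_findings, date(2024, 3, 26)):
        print(row)
```

In production, replace `KEV_SNAPSHOT` with the body fetched from the feed URL and `host_findings` with the CVE list exported by your scanner; the `knownRansomwareCampaignUse` field is worth surfacing because it is the one KEV attribute that distinguishes "exploited somewhere" from "used for extortion".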
(SecurityAffairs – ransomware, Lazarus)