Detecting Windows Secure Kernel Mode & Update Stack Elevation of Privilege Vulnerabilities (CVE-2024-21302 & CVE-2024-38202) with ManageEngine Vulnerability Manager Plus!
Hello everyone!
*This forum post will be updated periodically based on the data updated by Microsoft.
The recently identified Windows Secure Kernel Mode (CVE-2024-21302) and Windows Update Stack (CVE-2024-38202) vulnerabilities are classified as zero-day vulnerabilities. Affecting all the Windows operating systems, these vulnerabilities can allow attackers to carry out Elevation of Privilege potentially.
By exploiting these vulnerabilities, threat actors can induce target devices to rollback to previous software versions, thereby re-exposing them to known exploits.
You can detect these zero-days in your network using Vulnerability Manager Plus by,
- Navigating to the Threats tab -> Zero-day Vulnerabilities view.
Note: Currently, we don't support patching for this vulnerability. You will be able to deploy the patches from Vulnerability Manager Plus console once patches are released by Microsoft.
Recommended Actions suggested by Microsoft
As per Microsoft, while the following recommendations do not completely protect against the vulnerability, they can help reduce the likelihood of exploitation until a security update is available:
1) Windows Secure Kernel Mode (CVE-2024-21302) vulnerability
- Monitor Access Attempts: Configure “Audit Object Access” settings to track attempts to access files, including handle creation, read/write operations, and changes to security descriptors.
- Audit Sensitive Privileges: Enable auditing for sensitive privileges to detect access, modification, or replacement of VBS and Backup-related files, which could signal attempts to exploit the vulnerability.
- Secure Cloud Users in Your Tenant: Assess user risk in Azure Active Directory by reviewing Identity Protection’s Risk Reports and rotating credentials for any flagged administrators. Additionally, enable Multi-Factor Authentication to reduce the risk of exposure.
2) Windows Update Stack (CVE-2024-38202) vulnerability
- Configure the "Audit Object Access" settings to monitor attempts to access files, including handle creation, read/write operations, and modifications to security descriptors.
- Audit users with permissions to perform Backup and Restore operations to ensure that only authorized users have the ability to carry out these tasks.
- Implement Access Control Lists (ACLs) or Discretionary Access Control Lists (DACLs) to restrict access to or modification of Backup files, and to limit Restore operations to appropriate users, such as administrators only.
- Auditing sensitive privileges used to access, modify, or replace Backup-related files can help identify potential attempts to exploit this vulnerability.
To learn more about the affected Windows operating systems, please refer to these documents,