The Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about active exploitation of a Windows kernel vulnerability. The flaw, tracked as CVE-2024-35250 with a CVSS score of 7.8, stems from improper pointer handling and lets a local attacker gain SYSTEM privileges without any user interaction. It was discovered by researchers at Devcore, who identified the vulnerable component as the Microsoft Kernel Streaming Service driver (mskssrv.sys).
At the Pwn2Own Vancouver 2024 competition, the Devcore team exploited this vulnerability to escalate privileges and compromise a fully patched Windows 11 system. Microsoft fixed the flaw in the June 2024 Patch Tuesday update, but exploit code for it appeared on GitHub four months later.
In addition to the Windows kernel vulnerability, CISA also added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2024-20767 with a CVSS rating of 7.4, to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, which was patched by Adobe in March, arises from inadequate access control and allows unauthorized access to sensitive files.
Research by SecureLayer7 identified more than 145,000 internet-exposed ColdFusion servers, many of them vulnerable because their administrator panels are reachable from the internet, which lets attackers bypass access controls and reach arbitrary files on the server's file system.
Both the Windows kernel flaw and the Adobe ColdFusion flaw have been added to the KEV catalog as actively exploited vulnerabilities. Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate them on their networks by January 6. CISA stresses that such vulnerabilities should be addressed promptly, since they are frequent attacker targets and pose a significant risk to critical infrastructure.
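The BOD 22-01 due date is the operational hook for defenders: CISA publishes the KEV catalog as a JSON feed, and the routine task is to match its entries against the vendors and products you actually run and track how many days remain before each deadline. The script below is an added example, not part of the original article and not CISA tooling. It works offline against a constructed sample in the shape of the feed; the field names (cveID, vendorProject, product, dateAdded, dueDate, shortDescription) are assumed to match the public feed, and every value other than the two CVE ids, the two products and the January 6 due date named in the article is made up.

```python
import json
from datetime import date

# Constructed sample document in the shape of the CISA KEV JSON feed.
# Field names are assumed to follow the public feed; values are constructed
# except the two CVE ids, the products and the 2025-01-06 due date from the
# article. The third entry is a placeholder for a product we do not run.
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV sample (not the real feed)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-35250", "vendorProject": "Microsoft", "product": "Windows",
     "shortDescription": "Windows kernel (mskssrv.sys) local privilege escalation",
     "dateAdded": "2024-12-16", "dueDate": "2025-01-06"},
    {"cveID": "CVE-2024-20767", "vendorProject": "Adobe", "product": "ColdFusion",
     "shortDescription": "Improper access control allowing read of sensitive files",
     "dateAdded": "2024-12-16", "dueDate": "2025-01-06"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
     "shortDescription": "placeholder entry for a product not in our inventory",
     "dateAdded": "2024-11-01", "dueDate": "2024-11-22"}
  ]
}
"""

# Hypothetical asset inventory: vendor -> set of product names we operate.
INVENTORY = {"Microsoft": {"Windows"}, "Adobe": {"ColdFusion"}}


def load_kev(text: str) -> list:
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _normalize_inventory(inventory: dict) -> dict:
    """Lower-case vendor and product names so matching is case-insensitive."""
    return {vendor.lower(): {p.lower() for p in products}
            for vendor, products in inventory.items()}


def matches_inventory(entry: dict, inventory: dict) -> bool:
    """True if the entry's vendor/product pair is something in our inventory."""
    normalized = _normalize_inventory(inventory)
    products = normalized.get(entry["vendorProject"].lower(), set())
    return entry["product"].lower() in products


def triage(text: str, inventory: dict, today: date) -> list:
    """Return KEV entries affecting our inventory, earliest due date first.

    Each row carries daysLeft relative to `today`; a negative value means the
    BOD 22-01 remediation deadline has already passed.
    """
    rows = []
    for entry in load_kev(text):
        if not matches_inventory(entry, inventory):
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dueDate": due,
            "daysLeft": (due - today).days,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def overdue(rows: list) -> list:
    """CVE ids from triage() whose due date is already in the past."""
    return [r["cveID"] for r in rows if r["daysLeft"] < 0]


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_JSON, INVENTORY, date.today()):
        status = "OVERDUE" if row["daysLeft"] < 0 else f"{row['daysLeft']} days left"
        print(f"{row['cveID']:16} {row['product']:12} due {row['dueDate']}  {status}")
```

Pointing `load_kev` at the real feed instead of the sample is a one-line change; the matching is deliberately exact on vendor/product strings so that a near-miss in your inventory naming surfaces as a missing row rather than a silent false match, which is the safer failure mode for a compliance check.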