In September 2024, security researcher Sergey Kornienko of PixiePoint Security published an analysis and demonstration of CVE-2024-38106, a zero-day vulnerability in the Windows kernel. Microsoft has confirmed that the flaw is being exploited in the wild, which makes patching a priority for administrators and users alike.
CVE-2024-38106 (CVSS 7.0) is an elevation-of-privilege flaw in the Windows kernel image, ntoskrnl.exe. The kernel mediates between hardware and software and implements the core system services, so a bug there affects the entire system.
The bug is a race condition: the outcome depends on the relative timing of concurrent operations, and a narrow window between a check and the action that depends on it can be hit by a fast or repeated attempt. An attacker who already runs code on the machine and wins the race can elevate to SYSTEM, that is, full control of the compromised device. The score of 7.0, rather than the 7.8 typical for a kernel elevation of privilege, reflects the high attack complexity of winning that race.
Microsoft acknowledged the vulnerability and shipped a fix in the August 2024 security update. Kornienko diffed the patched binary and identified significant changes in two functions: VslGetSetSecureContext() and NtSetInformationWorkerFactory(). These changes are what close the race window.
Specifically, locking was added around operations related to the VSL (virtualization-based security, VBS) secure kernel, and a flag was added in NtShutdownWorkerFactory() to reduce the chance that the race can be won.
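The check-then-use race described above, and the effect of the kind of lock the patch introduces, as an added example (this is not Kornienko's PoC and not Windows code): a small C model that exhaustively enumerates every interleaving of a "set information" thread, which checks a shutdown flag and then uses a resource, and a "shutdown" thread, which sets the flag and then frees the resource. The thread names, state fields and step granularity are hypothetical and constructed for the model; the point it shows is that without a lock exactly one interleaving reaches a use-after-free, and holding a single lock across the check and the use removes that interleaving entirely.

```c
#include <stdio.h>
#include <string.h>

#define NTHREADS 2
#define MAXSTEPS 2

/* Hypothetical shared object (constructed model, not real Windows kernel state). */
struct state {
    int shutdown;        /* shutdown thread has marked the object as going away        */
    int resource_freed;  /* shutdown thread has released the backing resource          */
    int saw_ok;          /* setter thread's cached result of its "not shut down" check */
    int violations;      /* setter used the resource after it was freed                */
    int lock_owner;      /* -1 = lock free, otherwise index of the owning thread       */
};

typedef void (*step_fn)(struct state *);

/* Thread 0: check, then act on the cached check result (the racy pattern). */
static void setinfo_check(struct state *s) { s->saw_ok = !s->shutdown; }
static void setinfo_use(struct state *s)
{
    if (s->saw_ok && s->resource_freed)
        s->violations++;  /* use-after-free: the check passed, the resource is gone */
}

/* Thread 1: mark the object shut down, then free its resource. */
static void shutdown_mark(struct state *s) { s->shutdown = 1; }
static void shutdown_free(struct state *s) { s->resource_freed = 1; }

struct thread {
    step_fn steps[MAXSTEPS];
    int nsteps;
    int locked;  /* 1 = hold one lock from the thread's first step to its last */
};

struct result { int total; int bad; };

/* Exhaustively enumerate every legal interleaving of the threads' steps. */
static struct result explore(struct state s, const struct thread *t, const int *pc)
{
    struct result r = { 0, 0 };
    int all_done = 1;
    for (int i = 0; i < NTHREADS; i++) {
        if (pc[i] >= t[i].nsteps)
            continue;
        all_done = 0;
        /* A locked thread may only run while the lock is free or already its own. */
        if (t[i].locked && s.lock_owner != -1 && s.lock_owner != i)
            continue;
        struct state ns = s;
        int npc[NTHREADS];
        memcpy(npc, pc, sizeof npc);
        if (t[i].locked && pc[i] == 0)
            ns.lock_owner = i;                     /* acquire on first step */
        t[i].steps[pc[i]](&ns);
        npc[i]++;
        if (t[i].locked && npc[i] == t[i].nsteps)
            ns.lock_owner = -1;                    /* release on last step */
        struct result sub = explore(ns, t, npc);
        r.total += sub.total;
        r.bad += sub.bad;
    }
    if (all_done) {  /* every thread finished: one complete interleaving */
        r.total = 1;
        r.bad = s.violations > 0;
    }
    return r;
}

/* Count interleavings, and how many of them end in a use-after-free. */
struct result count_interleavings(int use_lock)
{
    struct thread th[NTHREADS] = {
        { { setinfo_check, setinfo_use },   2, use_lock },
        { { shutdown_mark, shutdown_free }, 2, use_lock },
    };
    struct state s = { 0, 0, 0, 0, -1 };
    int pc[NTHREADS] = { 0, 0 };
    return explore(s, th, pc);
}

int main(void)
{
    struct result racy = count_interleavings(0);
    struct result safe = count_interleavings(1);
    printf("no lock:   %d interleavings, %d reach use-after-free\n", racy.total, racy.bad);
    printf("with lock: %d interleavings, %d reach use-after-free\n", safe.total, safe.bad);
    return 0;
}
```

The losing schedule is check, mark, free, use: the setter's check passes before the flag flips and its use lands after the free. A flag checked outside the lock does not close that window; only holding the same lock across both the check and the dependent use does, which is why a patch for a race of this shape has to change where the lock is held rather than merely add another condition. Exhaustive enumeration like this is only feasible for a handful of steps, but it is a quick way to convince yourself that a proposed fix covers every ordering and not just the one an exploit happened to use.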
Kornienko also referenced a proof of concept (PoC).
Exploits are commonly classified by the class of vulnerability they target, by whether they work locally or remotely, and by their effect, for example elevation of privilege (EoP), denial of service (DoS) or spoofing; by that scheme CVE-2024-38106 is a local EoP. Zero-day exploits are also bought and rented through exploit-as-a-service offerings, one of the routes by which such bugs reach attackers before a patch is widely deployed.