CVE-2024-21302, CVE-2024-38202: Zero-Day Vulnerabilities Expose Windows Systems to “Unpatching” Attacks
At Black Hat USA 2024, SafeBreach security researcher Alon Leviev unveiled two zero-day vulnerabilities (CVE-2024-21302, CVE-2024-38202), presented under the name "Windows Downdate", that can be exploited to roll back patches on fully updated Windows systems, reintroducing previously fixed security flaws.
The Threat
These vulnerabilities allow an attacker who already holds a foothold (administrative privileges in one case, basic user privileges plus a privileged user's cooperation in the other) to replace current system files with older, vulnerable versions. This effectively "unpatches" the system, making it susceptible to attacks that were thought to be mitigated.
CVE-2024-21302, which Microsoft tracks as a Windows Secure Kernel Mode elevation-of-privilege vulnerability, affects Windows systems that support Virtualization-based Security (VBS), including specific Azure Virtual Machine SKUs. It allows an attacker with administrative privileges to replace current Windows system files with outdated versions. By exploiting this flaw, attackers can reintroduce old vulnerabilities, bypass VBS security features, and exfiltrate data protected by VBS.
The root cause is insufficient validation in the servicing path: an older version of a system file that still carries a valid Microsoft signature is accepted in place of the current one. Because the swapped files are legitimately signed, the downgrade does not trip signature checks, and the VBS protections built on those components can be circumvented.
CVE-2024-38202, which Microsoft tracks as a Windows Update Stack elevation-of-privilege vulnerability and describes in terms of Windows Backup, allows an attacker with only basic user privileges to reintroduce old vulnerabilities or bypass some VBS features. Successful exploitation requires additional interaction from a privileged user, such as performing a system restore.
In practice this means tricking an administrator, or a user with delegated backup and restore permissions, into restoring the system to a state that reintroduces previously mitigated vulnerabilities. The low privilege requirement is what makes it dangerous: the attacker stages the rollback, and a legitimate privileged action carries it out.
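The registry build number and Windows Update's own status describe what the servicing stack believes was applied; neither inspects the binaries on disk. The script below is an added example, not code from the article, from SafeBreach, or from Microsoft, that captures a version-and-hash baseline of a handful of VBS-relevant system binaries right after patching and later flags any file whose version has moved backwards or whose hash changed without a version change, plus a quick read of whether VBS, Credential Guard and HVCI are actually running. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated; the list of watched files and the baseline path are illustrative choices. Keep the baseline off the host, since a rollback that can rewrite system files can rewrite a local baseline too.

```powershell
# Added example (not from the article, SafeBreach or Microsoft): detect an
# "unpatch" by checking that system binaries never move backwards in version
# relative to a baseline taken after patching.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows, run elevated.
# The watched-file list is illustrative, not an exhaustive VBS inventory.

$script:Watched = @(
    'ntoskrnl.exe', 'securekernel.exe', 'skci.dll', 'ci.dll',
    'hvix64.exe', 'hvax64.exe', 'winload.efi', 'lsass.exe'
) | ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ }

function Get-BinaryVersion([string]$Path) {
    # Build a System.Version from the PE version resource (not the display string,
    # which carries trailing build-lab text such as "(WinBuild.160101.0800)").
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-VbsStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
        HVCI            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Save-SystemFileBaseline([string]$OutFile) {
    # Record version and SHA-256 of each watched file; run right after patching.
    $rows = foreach ($p in $script:Watched) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{
                Path    = $p
                Version = (Get-BinaryVersion $p).ToString()
                Sha256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
    $rows | ConvertTo-Json | Set-Content -LiteralPath $OutFile -Encoding UTF8
}

function Compare-SystemFileBaseline([string]$BaselineFile) {
    # One finding per file that went backwards in version, or whose bytes changed
    # while the version stayed the same. A newer version is the normal patch case.
    $baseline = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
    foreach ($b in $baseline) {
        if (-not (Test-Path -LiteralPath $b.Path)) {
            [pscustomobject]@{ Path = $b.Path; Finding = 'file missing since baseline' }
            continue
        }
        $now    = Get-BinaryVersion $b.Path
        $before = [version]$b.Version
        $hash   = (Get-FileHash -LiteralPath $b.Path -Algorithm SHA256).Hash
        if ($now -lt $before) {
            [pscustomobject]@{ Path = $b.Path; Finding = "version went backwards ($before -> $now)" }
        } elseif ($now -eq $before -and $hash -ne $b.Sha256) {
            [pscustomobject]@{ Path = $b.Path; Finding = 'same version, different SHA-256' }
        }
    }
}

# Typical use (paths are assumptions):
#   Save-SystemFileBaseline -OutFile \\secmon\baselines\$env:COMPUTERNAME.json   # after patching
#   Compare-SystemFileBaseline -BaselineFile \\secmon\baselines\$env:COMPUTERNAME.json
#   Get-VbsStatus
```

Two design points. The check deliberately compares each file against its own earlier version rather than against the OS build in the registry: on releases delivered as enablement packages (Windows 11 23H2 over 22H2, for example) core binaries legitimately report the older base build number, so a build comparison would raise false alarms. And a findings list that is empty is not a clean bill of health; it only says the watched files have not regressed since the baseline was taken, so the baseline must be refreshed after every patch cycle.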
Mitigation and Response
Microsoft has acknowledged both vulnerabilities and published advisories with interim mitigation guidance. At the time of writing, security updates that fully address them are still under development and testing.
In the meantime, organizations are urged to follow Microsoft’s recommendations [1, 2], which include:
- For CVE-2024-21302: Configure the "Audit Object Access" and "Audit Sensitive Privilege Use" audit settings to monitor access to system files and use of sensitive privileges, and review Azure Active Directory (now Microsoft Entra ID) risk reports for suspicious activity.
- For CVE-2024-38202: Audit which users and groups hold backup and restore permissions, restrict access to backup files with access control lists, and monitor for unauthorized modifications.
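The script below is an added example, not Microsoft's advisory text or tooling, that applies the host-side parts of those recommendations on a single machine and then queries for the events they produce. Assumptions: Windows PowerShell 5.1 (for the direct GetAccessControl/SetAccessControl calls), run elevated, English event-log text; the choice of directories to audit and the 24-hour lookback are this example's choices, not Microsoft's. The Azure AD risk-report review is a portal-side activity and is not covered here.

```powershell
# Added example (not from Microsoft's advisories): host-side application of the
# interim mitigations for CVE-2024-21302 / CVE-2024-38202, plus the events to read.
# Assumptions: Windows PowerShell 5.1, elevated session, English event messages.

# --- CVE-2024-21302: audit object access and sensitive privilege use ---
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null

# Caveat: SeBackupPrivilege / SeRestorePrivilege use is excluded from auditing by
# default even with the subcategory on. The policy "Audit: Audit the use of Backup
# and Restore privilege" (FullPrivilegeAuditing) enables it; expect noise on hosts
# that run backup agents.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name FullPrivilegeAuditing -Value ([byte[]]@(1)) -Type Binary

# 4663 (object access) only fires for objects that carry a SACL, so add one to the
# directories an "unpatch" has to write into. Only the SACL section is loaded and
# written back, so the TrustedInstaller-owned DACL and owner are left untouched.
# Propagation across System32 and WinSxS is slow; the directories are an assumption.
$AuditDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\WinSxS")
function Add-WriteAudit([string]$Dir) {
    $item = Get-Item -LiteralPath $Dir
    $sec  = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $sec.AddAuditRule($rule)
    $item.SetAccessControl($sec)
}
$AuditDirs | ForEach-Object { Add-WriteAudit $_ }

# --- CVE-2024-38202: who can perform Backup and Restore operations ---
function Get-BackupRestoreHolders {
    # Groups that hold the rights by default, plus explicit assignments in local policy.
    $groups = foreach ($g in 'Administrators', 'Backup Operators') {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass, PrincipalSource
    }
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $assignments = Select-String -Path $cfg -Pattern '^Se(Backup|Restore)Privilege' |
        ForEach-Object { $_.Line }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{ GroupMembers = $groups; PolicyAssignments = $assignments }
}

# --- What to read afterwards ---
function Get-UnpatchIndicators([int]$Hours = 24) {
    $since = (Get-Date).AddHours(-$Hours)
    $dirPattern = ($AuditDirs | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Writes, deletes or ACL/owner changes under the audited directories.
    $writes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $dirPattern -and
                       $_.Message -match 'WriteData|DELETE|WRITE_DAC|WRITE_OWNER' }
    # Backup/restore privilege use (needs FullPrivilegeAuditing, set above).
    $priv = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SeRestorePrivilege|SeBackupPrivilege' }
    [pscustomobject]@{ SystemFileWrites = $writes; BackupRestorePrivilegeUse = $priv }
}

# Usage: Get-BackupRestoreHolders ; (Get-UnpatchIndicators -Hours 24).SystemFileWrites |
#        Select-Object TimeCreated, @{n='Process';e={($_.Message -split "`n" | Select-String 'Process Name').Line.Trim()}}
```

Legitimate servicing (TiWorker.exe, TrustedInstaller.exe) and genuine backups write under the same paths and use the same privileges, so the 4663 and 4673 events are a starting point for correlation, not an alert on their own: look at the process name, whether the timestamp falls in a patch or backup window, and whether a restore operation preceded a change to a system binary. The group and policy listing is the part worth acting on immediately; any account that holds SeBackupPrivilege or SeRestorePrivilege without an operational reason is exactly the "privileged user" the CVE-2024-38202 attack needs to lure.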