Windows kernel bug now exploited in attacks to gain SYSTEM privileges

The Cybersecurity and Infrastructure Security Agency (CISA) has warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity Windows kernel vulnerability tracked as CVE-2024-35250. The flaw is an untrusted pointer dereference that lets a local attacker elevate privileges to SYSTEM in a low-complexity attack that requires no user interaction.

Details of the Vulnerability

Microsoft's June advisory gave few details, but the DEVCORE Research Team, which discovered the vulnerability and reported it to Microsoft through Trend Micro's Zero Day Initiative, identified the affected component as the Microsoft Kernel Streaming Service driver (MSKSSRV.SYS). DEVCORE used this privilege-escalation flaw to compromise a fully patched Windows 11 system at the Pwn2Own Vancouver 2024 hacking contest.

Microsoft patched the vulnerability in the June 2024 Patch Tuesday release. Proof-of-concept exploit code was published on GitHub in October, four months later, which lowered the bar for attackers to weaponize it.

Microsoft's advisory states that "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges." It has not yet been updated to note that the vulnerability is now being exploited in the wild.
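Because the article names only the patch month and the affected driver, the practical question for a defender is whether a given host has received the June 2024 update. The following PowerShell script is an added triage check, not code from the article, Microsoft, DEVCORE or CISA. It assumes that the affected driver is installed at %SystemRoot%\System32\drivers\mskssrv.sys and that the fix shipped in the cumulative update released on 2024-06-11; since the page does not state the fixed file version, the script reports the driver version and installed updates rather than declaring a host "patched".

```powershell
# Added example (not from the article): read-only patch-state triage for CVE-2024-35250.
# Assumptions not stated on the page: the affected driver is
# %SystemRoot%\System32\drivers\mskssrv.sys and the fix shipped in the cumulative
# update released on the June 2024 Patch Tuesday (2024-06-11).

$driverPath   = Join-Path $env:SystemRoot 'System32\drivers\mskssrv.sys'
$patchTuesday = Get-Date '2024-06-11'

# OS build so the result can be matched against Microsoft's advisory for this CVE.
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    OSVersion = $os.Version
    Build     = $os.BuildNumber
}

# File version and timestamp of the vulnerable driver.
if (Test-Path $driverPath) {
    $item = Get-Item $driverPath
    [pscustomobject]@{
        Driver         = $driverPath
        FileVersion    = $item.VersionInfo.FileVersion
        ProductVersion = $item.VersionInfo.ProductVersion
        LastWriteUtc   = $item.LastWriteTimeUtc
    }
} else {
    Write-Warning "mskssrv.sys not found at $driverPath"
}

# Updates installed on or after the June 2024 Patch Tuesday. Get-HotFix reads the
# same data as 'wmic qfe'; InstalledOn is sometimes blank, so undated entries are
# listed separately instead of being silently dropped.
$hotfixes = Get-HotFix | Where-Object { $_.Description -match 'Update' }
$recent   = $hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday }
$undated  = $hotfixes | Where-Object { -not $_.InstalledOn }

if ($recent) {
    "Updates installed on or after $($patchTuesday.ToString('yyyy-MM-dd')):"
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No update installed on or after $($patchTuesday.ToString('yyyy-MM-dd')); treat this host as unpatched for CVE-2024-35250 until verified."
}

if ($undated) {
    "Updates with no recorded install date (verify manually):"
    $undated | Format-Table HotFixID, Description -AutoSize
}
```

Run it in an elevated session on each host of interest; a host whose newest cumulative update predates June 11, 2024 is the one to prioritize. The driver's file version is the authoritative indicator and should be compared against the version Microsoft lists for the June update on the host's OS build.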


Alongside the Windows vulnerability, CISA also flagged a critical Adobe ColdFusion vulnerability, tracked as CVE-2024-20767, that Adobe patched in March. It is an improper access control flaw that lets unauthenticated remote attackers read sensitive system files. SecureLayer7 reports that ColdFusion servers with Internet-exposed admin panels can be exploited to bypass security measures and perform arbitrary file system writes.

The Fofa search engine shows more than 145,000 ColdFusion servers exposed to the Internet, although how many of those also expose the admin panel is not known.

Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog and flagged as actively exploited. Under Binding Operational Directive (BOD) 22-01, federal agencies have three weeks, until January 6, to secure their networks against them.

CISA notes that "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." Although the KEV catalog is primarily a mandate for federal agencies, private organizations are also urged to patch these vulnerabilities promptly to block the ongoing attacks.

A Microsoft spokesperson was not immediately available when BleepingComputer asked for further details on the in-the-wild exploitation of CVE-2024-35250.
