Researchers Detail Exploited Windows Kernel Vulnerability CVE-2024-38106

Recently, security researcher Sergey Kornienko from PixiePoint published an analysis and demonstration of a critical zero-day vulnerability in the Windows kernel, identified as CVE-2024-38106. This privilege escalation vulnerability is already being actively exploited by malicious actors, necessitating immediate action from both security professionals and users alike.

CVE-2024-38106, with a CVSS score of 7.0, resides within the Windows operating system kernel, specifically in the “ntoskrnl.exe” process. This process serves as a fundamental component of Windows, mediating the interaction between hardware and software, while also supporting the operation of numerous critical system services.

The vulnerability stems from a race condition—a scenario in which the outcome is contingent upon the sequence or timing of events. An attacker who successfully exploits this flaw can elevate their privileges to SYSTEM level, effectively granting them full control over the compromised device.

The vulnerability was responsibly disclosed to Microsoft, and a patch addressing CVE-2024-38106 has already been released. Kornienko also analyzed the patch and noted significant changes to two key functions: VslGetSetSecureContext() and NtSetInformationWorkerFactory(). These modifications were crucial to rectifying the race condition and enhancing system security.

Specifically, lock mechanisms were introduced for operations related to the Virtualization-Based Security (VBS) kernel mode, and flag checks were added in the NtShutdownWorkerFactory() process, reducing the likelihood of the vulnerability being exploited.

Kornienko also published a proof-of-concept (PoC) exploit demonstrating how attackers can leverage CVE-2024-38106 to escalate privileges. The release of this exploit underscores the potential risks for both home and corporate users if the vulnerability is not promptly mitigated.

According to PixiePoint, the vulnerability has been actively exploited by the North Korean hacker group known as Citrine Sleet. Documented attacks began by redirecting victims to the malicious site “voyagorclub[.]space”, presumably through social engineering techniques.

Upon visiting the site, the attackers utilized the CVE-2024-7971 remote code execution vulnerability to gain access to the targeted system. They then downloaded and executed code designed to exploit CVE-2024-38106, bypassing the sandbox and escalating privileges. This allowed them to deploy malicious software—the FudModule rootkit.

The particular danger posed by the FudModule rootkit lies in its use of Direct Kernel Object Manipulation (DKOM), a technique that enables attackers to alter Windows kernel security mechanisms, making detection and removal exceedingly difficult.

Microsoft swiftly released a patch for CVE-2024-38106 as part of the August 2024 update. However, the fact that the vulnerability had already been exploited in attacks prior to the patch’s release highlights the critical importance of timely patch installation and continuous vigilance in the realm of cybersecurity.