CVE-2024-21338
📋 TL;DR
CVE-2024-21338 is a Windows kernel elevation of privilege vulnerability that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems where an attacker has already gained initial access. The vulnerability is being actively exploited by threat actors including the Lazarus group.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with kernel-level persistence, installation of rootkits, credential theft, and lateral movement across the network.
Likely Case
Privilege escalation from standard user/admin to kernel-level SYSTEM privileges, enabling installation of malware, disabling security controls, and maintaining persistence.
If Mitigated
Limited impact if proper endpoint protection, application control, and least privilege principles are enforced, though kernel-level access remains dangerous.
🎯 Exploit Status
Exploit requires authenticated access and driver manipulation; actively exploited by advanced persistent threats.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: February 2024 security updates (KB5034765 for Windows 10, KB5034768 for Windows 11)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
Restart Required: Yes
Instructions:
1. Apply the February 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Block vulnerable drivers
Use Windows Defender Application Control or similar solutions to block untrusted drivers.
Configure Windows Defender Application Control policies to allow only signed drivers
Enable Hypervisor-protected Code Integrity
Enable HVCI to protect against driver-based attacks.
Enable via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security
🧯 If You Can't Patch
- Implement strict application control policies to prevent unauthorized driver loading
- Enforce least privilege access and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if February 2024 security updates are installed via 'systeminfo' command or Windows Update history.
Check Version (Windows 10 example; search for KB5034768 instead on Windows 11):
wmic qfe list | findstr KB5034765
Verify Fix Applied:
Verify KB5034765 (Windows 10) or KB5034768 (Windows 11) is installed in Installed Updates.
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service installation events for suspicious drivers
- Event ID 4697: Service installation in security logs
- Unexpected driver loading events
Network Indicators:
- Unusual outbound connections following driver installation
- Command and control traffic from system processes
SIEM Query:
source="windows" event_id=7045 OR event_id=4697 | where service_name contains suspicious_driver_name
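The SIEM query above leaves "suspicious_driver_name" open. The following added example (not from the advisory or from Microsoft) shows one concrete way to fill it in: flag Event ID 7045 and 4697 records whose service type is a kernel-mode driver and whose image path lies outside the standard Windows driver directories. The events are constructed samples that mirror the fields those two event IDs carry; the field names and the trusted-directory allowlist are assumptions to adapt to your log schema.

```python
# Heuristic detection for the log indicators listed above: new kernel-driver
# service installations (7045 in System, 4697 in Security) from unusual paths.
# Sample events are constructed, not real telemetry; field names are assumed.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "appid",
     "file": r"C:\Windows\System32\drivers\appid.sys",
     "service_type": "kernel mode driver", "account": "SYSTEM"},
    {"event_id": 7045, "service_name": "DiskSvc",
     "file": r"C:\Users\bob\AppData\Local\Temp\disk.sys",
     "service_type": "kernel mode driver", "account": "SYSTEM"},
    {"event_id": 4697, "service_name": "UpdateSvc",
     "file": r"C:\ProgramData\upd\update.exe",
     "service_type": "0x10", "account": "LocalSystem"},   # user-mode service
    {"event_id": 4697, "service_name": "TmpFilter",
     "file": r"C:\ProgramData\drv\filter.sys",
     "service_type": "0x1", "account": "LocalSystem"},    # kernel driver
]

# Directories where Windows normally keeps drivers (assumed allowlist; an
# administrator can still drop a file here, so treat a miss as low-confidence).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers\\".rstrip("\\") + "\\",
    r"c:\windows\system32\driverstore\\".rstrip("\\") + "\\",
)


def is_kernel_driver(event):
    """7045 reports a text type; 4697 reports the SERVICE_TYPE value in hex."""
    stype = str(event["service_type"]).lower()
    if stype.startswith("0x"):
        # 0x1 = kernel driver, 0x2 = file system driver
        return int(stype, 16) & 0x3 != 0
    return "driver" in stype


def flag_driver_installs(events):
    """Return (event_id, service_name, file) for kernel drivers installed
    from outside the trusted driver directories."""
    hits = []
    for ev in events:
        if ev["event_id"] not in (7045, 4697) or not is_kernel_driver(ev):
            continue
        path = ev["file"].strip('"').lower()
        if not path.startswith(TRUSTED_DRIVER_DIRS):
            hits.append((ev["event_id"], ev["service_name"], ev["file"]))
    return hits
```

This only sees new driver-service installations; it does not observe abuse of a driver that is already loaded, so it complements the patch and the HVCI/WDAC controls above rather than replacing them.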
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
- https://packetstorm.news/files/id/190586/
- https://www.exploit-db.com/exploits/52275
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21338