CVE-2024-38122
📋 TL;DR
This vulnerability in Microsoft's Local Security Authority (LSA) server allows authenticated attackers to disclose sensitive information from system memory. It affects Windows systems where an attacker has valid credentials and can execute code locally. The vulnerability could expose security tokens, credentials, or other sensitive data.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker could extract sensitive authentication tokens, credentials, or security context information that could be used for privilege escalation or lateral movement within the network.
Likely Case
Information disclosure of security-related data that could aid in further attacks, but not direct system compromise.
If Mitigated
Limited impact with proper access controls and monitoring in place, as exploitation requires authenticated access.
🎯 Exploit Status
Exploitation requires authenticated access and local code execution. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the latest Windows security updates from Microsoft's July 2024 Patch Tuesday or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38122
Restart Required: Yes
Instructions:
1. Open Windows Update settings. 2. Check for updates. 3. Install all available security updates. 4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict Local Access
windowsLimit local access to systems to only authorized users and implement least privilege principles
Enable Credential Guard
windowsEnable Windows Defender Credential Guard to protect LSA secrets
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
Enable-WindowsOptionalFeature -Online -FeatureName CredentialGuard
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual local authentication attempts
- Segment networks to limit lateral movement potential if credentials are compromised
🔍 How to Verify
Check if Vulnerable:
Check Windows version and compare against patched versions in Microsoft's advisory. Systems without July 2024 or later security updates are vulnerable.Check Version:
winverVerify Fix Applied:
Verify Windows Update history shows installation of July 2024 security updates or later, and check system version matches patched versions.📡 Detection & Monitoring
Log Indicators:
- Unusual LSA process activity
- Multiple failed authentication attempts followed by successful local logon
- Security log events related to LSA manipulation
Network Indicators:
- Not applicable - this is a local vulnerability
SIEM Query:
EventID=4624 AND LogonType=2 AND AccountName!="SYSTEM" | where suspicious patterns of local authentication