CVE-2024-38136
📋 TL;DR
This vulnerability allows an authenticated attacker to exploit the Windows Resource Manager PSM Service Extension to gain SYSTEM-level privileges on a Windows system. It affects Windows servers and workstations where the attacker already has local access. The vulnerability stems from a use-after-free issue (CWE-416) in the service extension.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker with initial access could escalate to SYSTEM privileges, enabling complete system compromise, credential theft, persistence installation, and lateral movement across the network.
Likely Case
An authenticated attacker with standard user privileges could escalate to SYSTEM to install malware, disable security controls, or access sensitive data on the local system.
If Mitigated
With proper patch management and least privilege principles, the impact is limited to isolated systems where attackers already have footholds.
🎯 Exploit Status
Requires authenticated access and local execution; exploitation involves triggering a use-after-free condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the July 2024 Windows security updates (or later) from Microsoft.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38136
Restart Required: Yes
Instructions:
1. Open Windows Update Settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted.
🔧 Temporary Workarounds
Disable Windows Resource Manager PSM Service Extension
windowsDisables the vulnerable component but may impact functionality.
sc config "Windows Resource Manager PSM Service Extension" start= disabled
sc stop "Windows Resource Manager PSM Service Extension"
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit initial attacker access.
- Monitor for suspicious privilege escalation attempts using endpoint detection tools.
🔍 How to Verify
Check if Vulnerable:
Check if the July 2024 Windows security update is not installed via 'winver' or Windows Update history.Check Version:
winverVerify Fix Applied:
Verify the July 2024 Windows security update is installed in Windows Update history.📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation) showing unexpected SYSTEM privilege escalation from user accounts.
- Security log entries for unauthorized service manipulation.
Network Indicators:
- None - this is a local exploit.
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"