CVE-2024-38159 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2024-38159?

CVE-2024-38159 has a CVSS score of 9.1 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on Windows systems with Network Virtualization enabled by exploiting a use-after-free memory corruption flaw. It affects Windows servers and workstations running vulnerable versions of Windows 10/11 and Windows Server 2016/2019/2022. Attackers can potentially gain SYSTEM-level privileges on affected systems.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems with Network Virtualization enabled by exploiting a use-after-free memory corruption flaw. It affects Windows servers and workstations running vulnerable versions of Windows 10/11 and Windows Server 2016/2019/2022. Attackers can potentially gain SYSTEM-level privileges on affected systems.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 21H2 and 22H2, Windows 11 versions 21H2, 22H2, and 23H2, Windows Server 2016, 2019, and 2022

Operating Systems: Windows

Default Config Vulnerable: ✅ No

Notes: Requires Windows Network Virtualization feature to be enabled and configured. Not vulnerable by default on most systems.

📦 What is this software?

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠

Likely Case

Initial foothold on corporate networks leading to credential harvesting, data exfiltration, and deployment of additional malware payloads.

🟢

If Mitigated

Limited impact with proper network segmentation and endpoint protection blocking exploitation attempts.

🌐 Internet-Facing: MEDIUM - Requires Windows Network Virtualization to be enabled and configured, which is less common on internet-facing systems.

🏢 Internal Only: HIGH - Enterprise networks with Windows virtualization features enabled are prime targets for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires network access to systems with Windows Network Virtualization enabled. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2024 security updates (KB5040442 for Windows 11, KB5040434 for Windows 10, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38159

Restart Required: Yes

Instructions:

1. Apply July 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Windows Network Virtualization

windows

Temporarily disable the vulnerable feature if not required for business operations

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-NetworkVirtualization

Network Segmentation

all

Isolate systems with Windows Network Virtualization enabled from untrusted networks

🧯 If You Can't Patch

Implement strict network access controls to limit traffic to systems with Windows Network Virtualization enabled
Deploy endpoint detection and response (EDR) solutions with memory protection capabilities

🔍 How to Verify

Check if Vulnerable:

Check if Windows Network Virtualization is enabled: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-NetworkVirtualization

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify July 2024 security updates are installed: Get-HotFix | Where-Object {$_.HotFixID -like "KB5040*"}

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs: Security ID 4625 (failed logon attempts), System logs showing Hyper-V Network Virtualization service crashes

Network Indicators:

Unusual network traffic to/from Hyper-V Network Virtualization components, unexpected RPC connections

SIEM Query:

EventID=4625 AND ProcessName="*Hyper-V*" OR EventID=1000 AND Source="Hyper-V-NetworkVirtualization"

📊 Metadata

CVE ID: CVE-2024-38159

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-416

Published: August 13, 2024

Last Updated: August 16, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38159 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-38159, you might also want to check these: