CVE-2024-38198

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to gain elevated privileges on Windows systems by exploiting the Print Spooler service. Attackers could execute arbitrary code with SYSTEM privileges. All Windows systems with Print Spooler enabled are potentially affected.

💻 Affected Systems

Products:
  • Windows Print Spooler
Versions: Multiple Windows versions (check Microsoft advisory for specifics)
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with Print Spooler service enabled are vulnerable by default. Print Spooler is enabled by default on most Windows installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to gain administrative control of the affected system.

🟢

If Mitigated

Limited impact if Print Spooler service is disabled or proper network segmentation is in place.

🌐 Internet-Facing: LOW (Print Spooler typically not exposed to internet)
🏢 Internal Only: HIGH (Attackers with initial access can escalate privileges internally)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to the system. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's monthly security updates for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38198

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart the system.
3. Verify that the Print Spooler service has been updated.

🔧 Temporary Workarounds

Disable Print Spooler Service

windows

Disables the vulnerable Print Spooler service to prevent exploitation

sc stop spooler
sc config spooler start= disabled

Restrict Print Spooler Access

windows

Configure firewall rules to restrict inbound access to the Print Spooler service. Note that TCP 135 (RPC endpoint mapper) and TCP 445 (SMB) carry far more than print traffic, so this rule also blocks file sharing and other RPC-based services on the host; apply it only where those are not needed, or scope it with remoteip= to trusted print clients.

netsh advfirewall firewall add rule name="Block Print Spooler" dir=in action=block protocol=TCP localport=135,445

🧯 If You Can't Patch

  • Disable Print Spooler service on non-essential systems
  • Implement network segmentation to isolate systems with Print Spooler enabled

🔍 How to Verify

Check if Vulnerable:

The system is vulnerable if the Print Spooler service is running (or enabled to start) and the security update listed in the Microsoft advisory for its OS build has not been installed.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm that Windows Update history (or Get-HotFix / wmic qfe) lists the security update from the Microsoft advisory, and that the system has been restarted since it was installed.
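The verification steps above as a single PowerShell audit, added here as an example (not code from the advisory or from Microsoft). It reports the Spooler state and start type, checks for the fixing update with Get-HotFix, and exposes the documented workaround as a function. The KB identifier is a placeholder because the page does not give one; take the real value for your build from the MSRC advisory linked above. The cmdlets used (Get-Service, Get-CimInstance, Get-HotFix, Stop-Service, Set-Service) are standard Windows PowerShell.

```powershell
# Added example, not from the advisory page: audits a host for the exposure conditions this
# page describes (Print Spooler able to run, fixing update absent) and offers the documented
# workaround. $FixKb is a PLACEHOLDER; the page gives no KB number.
$FixKb = 'KB0000000'   # PLACEHOLDER: replace with the KB number from the MSRC advisory

function Get-SpoolerExposure {
    param([string]$KbId = $FixKb)

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-HotFix lists installed updates (same data as 'wmic qfe'); a missing KB yields $false
    $patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # A stopped service with start type Auto/Manual can still be started, so test the start type
    $canRun = ($null -ne $cim) -and ($cim.StartMode -ne 'Disabled')

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        OSBuild        = $os.BuildNumber
        SpoolerState   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        SpoolerStartup = if ($cim) { $cim.StartMode } else { 'NotInstalled' }
        FixInstalled   = $patched
        # Exposed when the service can start and the update is missing
        Exposed        = ($canRun -and -not $patched)
    }
}

function Disable-SpoolerWorkaround {
    # Same effect as 'sc stop spooler' / 'sc config spooler start= disabled' above.
    # Inside PowerShell 'sc' is an alias for Set-Content, so use sc.exe there or these cmdlets.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

$report = Get-SpoolerExposure
$report | Format-List

if ($report.Exposed) {
    Write-Warning "Spooler can run and $FixKb is not installed: apply the update and restart, or run Disable-SpoolerWorkaround on hosts that do not need to print."
}
```

Run it in an elevated PowerShell session; Get-HotFix and Set-Service need administrator rights. Exposed is deliberately based on the start type rather than only on the current Running state, because a stopped but enabled service is one start command away from being reachable again.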

📡 Detection & Monitoring

Log Indicators:

  • Unusual Print Spooler service restarts
  • Suspicious process creation from spoolsv.exe
  • Failed authentication attempts to Print Spooler

Network Indicators:

  • Unusual RPC traffic to port 135/445
  • SMB connections to Print Spooler shares

SIEM Query (generic pseudo-syntax; Event ID 7036 is the Service Control Manager state-change event in the System log):

EventID=7036 AND ServiceName="Spooler" AND (State="started" OR State="stopped")
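The two host-log indicators above (Spooler service state changes, and unexpected child processes of spoolsv.exe) as PowerShell filters, added here as an example (not code from the advisory). It runs over constructed sample records so it works offline; each function's comment gives the equivalent Get-WinEvent query for a live host. The allowlist of legitimate spoolsv.exe children is an assumed starting point to tune per environment, and the sample events are constructed, not real telemetry.

```powershell
# Added example, not from the advisory page. Filters the page's log indicators over
# CONSTRUCTED sample records shaped like parsed Windows event log entries.
$SampleEvents = @(
    [pscustomobject]@{ LogName='System'; Id=7036; TimeCreated=[datetime]'2024-08-13T09:00:00';
                       Message='The Print Spooler service entered the stopped state.' }
    [pscustomobject]@{ LogName='System'; Id=7036; TimeCreated=[datetime]'2024-08-13T09:00:02';
                       Message='The Print Spooler service entered the running state.' }
    [pscustomobject]@{ LogName='System'; Id=7036; TimeCreated=[datetime]'2024-08-13T09:05:00';
                       Message='The Windows Update service entered the running state.' }
    [pscustomobject]@{ LogName='Security'; Id=4688; TimeCreated=[datetime]'2024-08-13T09:00:03';
                       ParentProcessName='C:\Windows\System32\spoolsv.exe';
                       NewProcessName='C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ LogName='Security'; Id=4688; TimeCreated=[datetime]'2024-08-13T09:00:05';
                       ParentProcessName='C:\Windows\System32\spoolsv.exe';
                       NewProcessName='C:\Windows\System32\PrintIsolationHost.exe' }
)

function Find-SpoolerStateChanges {
    # Live host equivalent:
    #   Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7036 } |
    #       Where-Object Message -match 'Print Spooler'
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -eq 7036 -and $e.Message -match 'The Print Spooler service entered the (\w+) state') {
            [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'SpoolerStateChange'; Detail = "Spooler $($Matches[1])" }
        }
    }
}

function Find-SpoolerChildProcesses {
    # Live host equivalent (needs process creation auditing; the parent is the
    # 'Creator Process Name' field of Security event 4688):
    #   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688 }
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # ASSUMED starting allowlist of legitimate spoolsv.exe children; tune per environment
        [string[]]$AllowedChildren = @('PrintIsolationHost.exe', 'splwow64.exe')
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4688) { continue }
        $parent = Split-Path -Leaf $e.ParentProcessName
        $child  = Split-Path -Leaf $e.NewProcessName
        if ($parent -ieq 'spoolsv.exe' -and $AllowedChildren -notcontains $child) {
            [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'SpoolerChildProcess'; Detail = $child }
        }
    }
}

# Over the constructed sample this yields two state changes (stopped, running) and one
# child-process finding (cmd.exe); PrintIsolationHost.exe is dropped by the allowlist.
$findings = @(Find-SpoolerStateChanges -Events $SampleEvents) +
            @(Find-SpoolerChildProcesses -Events $SampleEvents)
$findings | Sort-Object Time | Format-Table -AutoSize
```

A stop immediately followed by a start, as in the sample, is the "unusual restart" pattern the indicator list describes; correlating the 7036 pair with a 4688 child of spoolsv.exe a few seconds later is what turns two low-value events into something worth an alert. The page's other indicators (failed authentication to the spooler, RPC/SMB traffic to 135/445) live in different logs and are not covered here.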

🔗 References
