CVE-2024-38202 - Elevation of Privilege Vulnerability in Windows Backup

Microsoft was recently alerted by a security researcher of an elevation of privilege vulnerability in Windows Backup, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). To exploit this vulnerability, an attacker must deceive or persuade an Administrator or a user with delegated permissions into performing a system restore, which inadvertently triggers the vulnerability. Microsoft is currently developing a security update to address this issue but it has not been released yet.

Exploit Details

The vulnerability in Windows Backup allows an attacker with only basic user privileges to elevate privilege by tricking an Administrator, or a user with delegated permissions, into performing a system restore. It is particularly concerning because a successful exploit can reintroduce previously mitigated vulnerabilities or bypass some features of VBS.

A public presentation discussing this vulnerability was given at Black Hat on August 7, 2024. Although the presentation was coordinated with Microsoft, it is expected to have an impact on the threat landscape. Consequently, Microsoft advises its customers to follow the recommended actions provided below and to remain vigilant until a security update is available.

Original References

1. Microsoft Technical Security Notifications: instructions on how to subscribe to Security Update Guide notifications and receive alerts when new information is available.
2. Security Update Guide Notification System News: a guide on how to create a profile at the Microsoft Security Response Center to receive updates.

Although the following recommendations do not completely neutralize the vulnerability, they can help in reducing the risk of exploitation until an official security update is released by Microsoft:

1. Configure the "Audit Object Access" settings to monitor attempts to access files, such as handle creation, read/write operations, or modifications to security descriptors. For more information, refer to the following tutorials:
- Audit File System - Windows 10 | Microsoft Learn
- Apply a basic audit policy on a file or folder - Windows 10 | Microsoft Learn

2. Audit users with permission to perform Backup and Restore operations to ensure only appropriate users can do so:
- Audit: Audit the use of Backup and Restore privilege (Windows 10) - Windows 10 | Microsoft Learn

3. Use Access Control Lists (Discretionary Access Control Lists, DACLs) to restrict reading and modifying backup files, and the ability to perform Restore operations, to the appropriate users, such as administrators only:
- Access Control overview | Microsoft Learn
- Discretionary Access Control Lists (DACL)

4. Monitor Sensitive Privilege Use to identify access to, modification of, or replacement of backup-related files, since such activity can indicate attempts to exploit this vulnerability:
- Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn
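A defender-side check for recommendations 2 and 4, added here as an example and not part of the advisory: it lists which accounts hold the Backup and Restore privileges, verifies that their use is audited, and summarises recent audit events that name those privileges. It assumes an elevated PowerShell session, a 7-day review window, and that the subject account name is the second property of events 4673/4674.

```powershell
# Added example (not from the advisory): review holders and auditing of
# SeBackupPrivilege / SeRestorePrivilege. Run elevated; values marked
# "assumed" are choices made for this example.
$ErrorActionPreference = 'Stop'

# 1. Export local security policy and list who is granted the two privileges
#    (secedit writes an INI-style file with lines like
#    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551").
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg | Where-Object { $_ -match '^Se(Backup|Restore)Privilege\s*=' }
foreach ($line in $rights) {
    $name, $sids = $line -split '\s*=\s*', 2
    foreach ($sid in ($sids -split ',')) {
        $sid = $sid.TrimStart('*')
        # Resolve the SID to an account name; unresolvable SIDs are shown raw.
        try { $acct = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $acct = $sid }
        [pscustomobject]@{ Privilege = $name; Holder = $acct; SID = $sid }
    }
}
Remove-Item $cfg -Force

# 2. Confirm the "Sensitive Privilege Use" subcategory is audited (source of
#    events 4673/4674) and that "Audit the use of Backup and Restore privilege"
#    (FullPrivilegeAuditing) is set; without it, per-file backup/restore use is
#    not logged even when the subcategory is enabled.
auditpol /get /subcategory:"Sensitive Privilege Use"
$fpa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name FullPrivilegeAuditing -ErrorAction SilentlyContinue
if ($fpa -and $fpa.FullPrivilegeAuditing[0] -eq 1) { 'FullPrivilegeAuditing: enabled' } else { 'FullPrivilegeAuditing: NOT enabled' }

# 3. Summarise recent Sensitive Privilege Use events that name the backup or
#    restore privilege, grouped by account, so unexpected users stand out.
$since = (Get-Date).AddDays(-7)   # assumed review window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SeBackupPrivilege|SeRestorePrivilege' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Account   = $_.Properties[1].Value   # SubjectUserName (assumed position)
            Privilege = [regex]::Match($_.Message, 'Se(Backup|Restore)Privilege').Value
        }
    } | Group-Object Account, Privilege | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Accounts that appear in the event summary but not in the privilege-holder list, or holders beyond the built-in Administrators and Backup Operators groups, are the entries worth reviewing first.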

Once the security update is released by Microsoft, customers will be notified via the Security Update Guide notifications. Be sure to subscribe and stay informed.

Timeline

Published on: 08/08/2024 02:15:38 UTC
Last modified on: 08/08/2024 20:45:24 UTC