Windows Zero-Day Vulnerability CVE-2024-38193 Actively Exploited

ISGroup Cybersecurity

CVE-2024-38193 is a critical use-after-free vulnerability in the Windows afd.sys driver. This flaw, with a CVSS score of 7.8, allows attackers to gain privilege escalation and execute arbitrary code on vulnerable systems. Discovered by Gen Digital and further analyzed by Luca Ginex of Exodus Intelligence, the vulnerability is currently being actively exploited, with proof-of-concept (PoC) code publicly available on GitHub.

The Lazarus group has allegedly used this vulnerability to install malware, including the sophisticated FudModule, posing a significant threat to Windows systems globally.

Date2024-12-11 15:06:48
Information
  • Fix Available
  • Active Exploitation

Technical Summary

Understanding CVE-2024-38193

CVE-2024-38193 is a use-after-free vulnerability located in the Windows Registered I/O (RIO) socket extension, which optimizes socket programming by reducing system calls. The flaw originates from a race condition between the AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer() functions within the afd.sys driver.

Steps for exploitation:

  • Heap Spraying: The attacker fills the non-paged pool with fake RIOBuffer structures and creates gaps to prepare the exploit.
  • Triggering the vulnerability: Using concurrent threads, the attacker unregisters buffers that are still in use, causing a use-after-free condition.
  • Privilege Escalation: The freed RIOBuffer structures are manipulated to achieve arbitrary writes, ultimately overwriting the SEPTOKEN_PRIVILEGES structure to obtain NT AUTHORITY\SYSTEM privileges.

Threat Actor Attribution

The Lazarus group, a known advanced persistent threat (APT), has exploited CVE-2024-38193 to deploy the FudModule malware. This malware, first detected in 2022 by AhnLab and ESET, is highly sophisticated and allows for unauthorized data access and system control.

Recommendations

Apply patches: Ensure all systems are updated with the August 2024 security updates.

[Callforaction-THREAT-Footer]