CVE-2024-26234 for Windows and CVE-2024-29053 for Defender for IOT highlighted in Microsoft’s April 2024 Patch Tuesday


On 9 April 2024, Microsoft published their April 2024 security updates with patches for 150 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted five vulnerabilities in this bulletin, which have either been exploited in the wild or labeled as critical severity by Microsoft. 

Notably, 67 of the 150 patched vulnerabilities were remote code execution vulnerabilities. However, because each carries prerequisites for exploitation, Microsoft did not rate them at critical severity.

Impacted Product #1: Windows

CVE-2024-26234  CVSS: 6.7 – Medium 

MS Severity: Important 

Exploitation Detected 

Proxy Driver Spoofing Vulnerability – In at least one intrusion, threat actors leveraged this vulnerability to abuse the Microsoft Windows Hardware Compatibility Program (WHCP) and deploy a malicious executable signed with a valid Microsoft Hardware Publisher Certificate. 
CVE-2023-24932  CVSS: 6.7 – Medium 

MS Severity: Important 

Exploitation Detected 

Secure Boot Security Feature Bypass Vulnerability – A threat actor must have physical access or administrative rights to install an affected boot policy on the target system. Successful exploitation, which requires admin credentials on the device, bypasses Secure Boot. Microsoft disclosed that threat actors used this vulnerability to install the BlackLotus UEFI bootkit. 

This update follows Microsoft’s phased deployment schedule for the mitigations and falls within their evaluation phase; it adds three additional boot manager mitigation controls: 

  • A control to deploy the “Windows UEFI CA 2023” certificate to the Secure Boot DB to add trust for Windows boot managers signed by this certificate. Note that the “Windows UEFI CA 2023” certificate might have been installed by an earlier Windows update. 
  • A control to deploy a boot manager signed by the “Windows UEFI CA 2023” certificate. 
  • A control to add the “Windows Production PCA 2011” to the Secure Boot DBX which will block all Windows boot managers signed by this certificate. 

Additional updates tied to CVE-2023-24932: 

  • The ability to enable each mitigation independently and in stages, giving more control over how the mitigations are deployed in your environment based on your needs. 
  • The mitigations are interlocked so that they cannot be deployed in the incorrect order. 
  • Additional events to know the status of devices as they apply the mitigations. See KB5016061 for more details on the events. 

Based on Microsoft’s update schedule, the next update and final deployment phase will come on July 9, 2024, or later. 

Impacted Product #2: Microsoft Defender for IoT

CVE-2024-29053  CVSS: 8.8 – High 

MS Severity: Critical 

No Exploitation Detected 

Microsoft Defender for IoT Remote Code Execution Vulnerability – Path traversal vulnerability that could lead to remote code execution. An authenticated threat actor with access to the file upload feature could successfully exploit this vulnerability and obtain remote code execution by uploading malicious files to sensitive locations on the vulnerable server. 
CVE-2024-21323  CVSS: 8.8 – High 

MS Severity: Critical 

No Exploitation Detected 

Microsoft Defender for IoT Remote Code Execution Vulnerability – Path traversal vulnerability that could lead to remote code execution. An authenticated threat actor, with permissions to send update packages to the Defender IoT sensor, could successfully exploit this vulnerability and obtain remote code execution by sending a tar file to the Defender IoT sensor. After the extraction process completed, the attacker could send unsigned update packages and overwrite any file. 
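Both Defender for IoT path traversal issues above (the file upload feature in CVE-2024-29053 and the tar update package in CVE-2024-21323) come down to the same defensive control: every client-influenced path, whether a form field or an archive member name, must resolve to a location inside the directory the server intends to write. The following is an added illustration of that control in Python; it is not Microsoft's code and does not reflect how the Defender for IoT sensor is implemented. The upload root, the archive contents and the member names are constructed for the demonstration, and the example generalises beyond the two CVEs by also rejecting symlink members, which are a common second route to writing outside the extraction directory.

```python
import io
import os
import tarfile
import tempfile


class UnsafePathError(ValueError):
    """A client-controlled path would land outside the permitted root."""


def safe_join(root: str, untrusted: str) -> str:
    """Resolve `untrusted` under `root`, refusing '..', absolute paths and
    symlink escapes. realpath() is applied to both sides so an existing
    symlink inside `root` that points elsewhere is caught as well."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, untrusted))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePathError(f"{untrusted!r} escapes {root!r}")
    return candidate


def is_confined(root: str, untrusted: str) -> bool:
    """Boolean form of safe_join, as an upload handler would use it."""
    try:
        safe_join(root, untrusted)
        return True
    except UnsafePathError:
        return False


def extract_update_package(tar_bytes: bytes, dest: str) -> list:
    """Extract an archive member by member, writing only regular files and
    directories whose resolved target stays under `dest`. Symlinks, hard
    links and device nodes are rejected outright, so a later member cannot
    write through a link planted by an earlier one."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() or member.isdir()):
                raise UnsafePathError(f"unsupported member type: {member.name!r}")
            target = safe_join(dest, member.name)  # raises on ../ or absolute
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            written.append(os.path.relpath(target, os.path.realpath(dest)))
    return written


def build_tar(files: dict, symlink=None) -> bytes:
    """Constructed in-memory archive for the demo (not a real sensor package).
    `symlink` is an optional (name, linkname) pair."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if symlink:
            info = tarfile.TarInfo(symlink[0])
            info.type = tarfile.SYMTYPE
            info.linkname = symlink[1]
            tar.addfile(info)
    return buf.getvalue()


def _blocked(tar_bytes: bytes, dest: str) -> bool:
    try:
        extract_update_package(tar_bytes, dest)
        return False
    except UnsafePathError:
        return True


def demo() -> dict:
    """Run the upload pre-check and the extractor against constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        results["upload_ok"] = is_confined(uploads, "reports/2024/scan.json")
        results["upload_traversal"] = is_confined(uploads, "../../etc/passwd")
        results["upload_absolute"] = is_confined(uploads, "/etc/passwd")

        dest = os.path.join(root, "update")
        os.makedirs(dest)
        benign = build_tar({"manifest.json": b"{}", "bin/sensor": b"\x7fELF"})
        results["extracted"] = sorted(extract_update_package(benign, dest))
        traversal = build_tar({"../../escaped.txt": b"constructed payload"})
        results["traversal_blocked"] = _blocked(traversal, dest)
        linked = build_tar({}, symlink=("cfg", "/etc"))
        results["symlink_blocked"] = _blocked(linked, dest)
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the resolved path rather than by string-matching for "..", because a symlink already present under the root, or a path such as "root/../root-other", passes naive string checks while still escaping. The page also notes that the CVE-2024-21323 sensor accepted unsigned update packages; path confinement is only half of the fix, and a package's signature should be verified before any member is written, with extraction happening into a fresh staging directory rather than over the live installation.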


CVE-2024-21322  CVSS: 7.2 – High 

MS Severity: Critical 

No Exploitation Detected 

Microsoft Defender for IoT Remote Code Execution Vulnerability – Command injection vulnerability that could lead to remote code execution. Due to improper neutralisation of special elements used in a command, a threat actor with administrator privileges to the web application could leverage command injection to obtain remote code execution. 
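"Improper neutralisation of special elements used in a command" (CWE-77/78) describes a web handler that splices a user-supplied value into a string that a shell later parses. As an added example, not Microsoft's code and not a description of the Defender for IoT web application, the Python below shows a hypothetical "ping a host" diagnostic endpoint in its vulnerable and hardened forms. The hardened form validates the value against an allowlist and passes it as a single argv element so that no shell ever tokenises it; the helper `count_shell_commands` only counts shell separators and is there to make the difference observable without executing anything.

```python
import re
import shlex

# Allowlist for a hostname or dotted IPv4 literal (constructed policy for the
# hypothetical endpoint; tighten to whatever your real input format is).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def build_command_string(host: str) -> str:
    """The 'before' pattern: user input concatenated into a string that is
    later handed to a shell (subprocess with shell=True, os.system, ...)."""
    return f"ping -c 1 {host}"


def count_shell_commands(cmd: str) -> int:
    """Number of separate commands a POSIX shell would see in `cmd`.
    shlex with punctuation_chars splits ';', '|', '||', '&&' and '&' into
    their own tokens; command substitution ($(...), backticks) is not
    modelled here, which is one more reason never to build the string."""
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in (";", "|", "||", "&&", "&"))


def build_argv(host: str) -> list:
    """The hardened form: validate against the allowlist, then return an
    argv list for subprocess.run(argv) so the value is one argument."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def is_accepted(host: str) -> bool:
    """Boolean wrapper around build_argv for quick checks."""
    try:
        build_argv(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain documentation-range address, and the same
    # address with a shell separator appended.
    for value in ("203.0.113.5", "203.0.113.5; id"):
        cmd = build_command_string(value)
        print(f"{cmd!r}: shell would run {count_shell_commands(cmd)} command(s); "
              f"argv form accepts it: {is_accepted(value)}")
```

Two points carry over to any stack: the allowlist is a regular expression anchored at both ends (fullmatch), so a value either matches the intended shape entirely or is rejected, and the validated value is passed as data rather than re-parsed, which is what removes the need to escape shell metacharacters at all.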


Arctic Wolf will follow its standard internal processes to assess the impact of the newly reported vulnerabilities within its own environment and if impacted, will address them within the established remediation timelines in our Security Patching Policy.  

Recommendations for CVE-2024-26234 for Windows and CVE-2024-29053

Recommendation: Apply Security Updates to Impacted Products

CVE-2023-24932 was previously patched in a separate Patch Tuesday (May 2023). However, Microsoft added Windows 11 version 23H2 to the updated products list. Arctic Wolf has elected not to add the May 2023 reference article and update links to this table to ensure clarity around patching the most recent vulnerabilities reported by Microsoft. 

Product | Vulnerability | Reference Article | Update
Windows Server 2022, 23H2 Edition | CVE-2023-24932, CVE-2024-26234 | 5036910 | Security Update
Windows Server 2022 | CVE-2023-24932, CVE-2024-26234 | 5036909 | Security Update
Windows Server 2019 | CVE-2023-24932, CVE-2024-26234 | 5036896 | Security Update
Windows Server 2016 | CVE-2023-24932, CVE-2024-26234 | 5036899 | Security Update
Windows Server 2012 R2 | CVE-2023-24932, CVE-2024-26234 | 5036960 | Monthly Rollup
Windows Server 2012 | CVE-2023-24932, CVE-2024-26234 | 5036969 | Monthly Rollup
Windows Server 2008 Service Pack 2 | CVE-2023-24932, CVE-2024-26234 | 5036932 | Monthly Rollup
Windows Server 2008 Service Pack 2 | CVE-2023-24932, CVE-2024-26234 | 5036950 | Security Only
Windows Server 2008 R2 Service Pack 1 | CVE-2023-24932, CVE-2024-26234 | 5036967 | Monthly Rollup
Windows Server 2008 R2 Service Pack 1 | CVE-2023-24932, CVE-2024-26234 | 5036922 | Security Only
Windows 11 Version 21H2 | CVE-2023-24932, CVE-2024-26234 | 5036894 | Security Update
Windows 11 Version 23H2 | CVE-2023-24932, CVE-2024-26234 | 5036893 | Security Update
Windows 11 Version 22H2 | CVE-2023-24932, CVE-2024-26234 | 5036893 | Security Update
Windows 10 | CVE-2023-24932, CVE-2024-26234 | 5036925 | Security Update
Windows 10 Version 22H2 | CVE-2023-24932, CVE-2024-26234 | 5036892 | Security Update
Windows 10 Version 21H2 | CVE-2023-24932, CVE-2024-26234 | 5036892 | Security Update
Windows 10 Version 1809 | CVE-2023-24932, CVE-2024-26234 | 5036896 | Security Update
Windows 10 Version 1607 | CVE-2023-24932, CVE-2024-26234 | 5036899 | Security Update
Microsoft Defender for IoT | CVE-2024-21322, CVE-2024-21323, CVE-2024-29053 | Release Notes | Security Update


Additional steps are required to mitigate CVE-2023-24932. 

  • Microsoft added Windows 11 version 23H2 for x64-based systems and Windows 11 version 23H2 for ARM-based systems to the update table because the April 2024 security updates provide the latest mitigations. These mitigations are off by default. Customers who need to take additional steps to implement the mitigations for the publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit, and who want to take a proactive security stance or begin preparing for the rollout, should refer to KB5025885. 

Note: Please follow your organisation’s patching and testing guidelines to avoid any operational impact. 


Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.