Source: https://blog.0patch.com/2026/02/micropatches-released-for-windows.html

Wednesday, February 11, 2026

Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2024-43626)

 


Our new CVE tracking app has been working hard these days, finding things our poor human eyes were unable or too tired to see. In this case, it alerted us about a vulnerability that was described in an article about another vulnerability we had long since patched.

CVE-2024-43626, a privilege escalation vulnerability in Windows Telephony Service, was described in an article by Đào Tuấn Linh of Starlabs. The article was primarily about CVE-2024-26230, which we had patched in August 2024, but it also mentioned a related issue, CVE-2024-43626, reportedly co-analyzed by Chen Le Qi of Starlabs. While the proof-of-concept was only provided for the "main" vulnerability, we were able to modify it to trigger the secondary one.

 

The Vulnerability 

The vulnerability lies in how Windows Telephony Service reads a registry value into memory: the value can be loaded without a trailing zero terminator. Registry strings offer no such guarantee; a REG_SZ value is stored exactly as its writer supplied it, and the RegQueryValueEx documentation explicitly warns that the returned data may not be terminated. Should this happen, a subsequent _wcsupr operation would keep upper-casing the string beyond the end of the buffer, potentially corrupting the memory there in such a way as to lead to arbitrary code execution.

 

Microsoft's Patch

Microsoft's patch modified the vulnerable code so that it correctly reads the registry value and makes sure it is zero-terminated.
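The following C program is an added example, not code from the original post, from Starlabs, or from either Microsoft's or 0patch's patch. It models the defect described under The Vulnerability and the fix described under Microsoft's Patch: a REG_SZ value arrives as a raw byte count with no terminator, the vulnerable path uses it as a string anyway, and the hardened path allocates one extra code unit and always writes a terminator. All names (`wchar16`, `wcsupr16`, `load_unterminated`, `load_terminated`, the `demo_*` functions) and the byte arrays are constructed for this example; `wcsupr16` stands in for `_wcsupr`, which likewise walks until it meets a zero. A fixed-size arena pre-filled with neighbouring data replaces the heap so the overrun is observable without undefined behaviour, and the Windows registry API is replaced by an inline byte array standing in for what `RegQueryValueExW` would return, so the program compiles and runs on any platform.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* One UTF-16 code unit, a portable stand-in for Windows WCHAR. */
typedef uint16_t wchar16;

/* Stand-in for _wcsupr: upper-cases ASCII letters in place until it meets a
   zero code unit and returns how many units it wrote to. Like the real
   function it has no idea where the buffer ends; it trusts the terminator. */
size_t wcsupr16(wchar16 *s) {
    size_t n = 0;
    for (; s[n] != 0; n++) {
        if (s[n] >= 'a' && s[n] <= 'z') s[n] = (wchar16)(s[n] - ('a' - 'A'));
    }
    return n;
}

/* Vulnerable pattern: the value's raw bytes (cb of them, as RegQueryValueExW
   reports) are copied into an exactly-sized region and then treated as a
   string. 'arena' models the heap chunk and whatever data follows it. */
wchar16 *load_unterminated(const uint8_t *data, size_t cb, wchar16 *arena) {
    memcpy(arena, data, cb);
    return arena;
}

/* Hardened pattern, logically what the fix does: reject odd byte counts,
   allocate one extra code unit and always write a terminator there. */
wchar16 *load_terminated(const uint8_t *data, size_t cb) {
    if (cb % sizeof(wchar16) != 0) return NULL;        /* not a valid REG_SZ */
    size_t units = cb / sizeof(wchar16);
    wchar16 *buf = calloc(units + 1, sizeof(wchar16)); /* +1 for the terminator */
    if (!buf) return NULL;
    memcpy(buf, data, cb);
    buf[units] = 0;   /* redundant after calloc, but states the intent */
    return buf;
}

/* Constructed REG_SZ payloads: "tapi" in UTF-16LE, once WITHOUT the trailing
   0x0000 (as a caller of RegSetValueExW may have stored it) and once with it. */
static const uint8_t kNoTerminator[]   = { 't',0, 'a',0, 'p',0, 'i',0 };
static const uint8_t kWithTerminator[] = { 't',0, 'a',0, 'p',0, 'i',0, 0,0 };

#define ARENA_UNITS 16

/* Vulnerable path: the arena beyond the 4-unit value is filled with 'x'
   (neighbouring data) and only its last unit is zero, so the upper-casing
   walk runs over 15 units instead of 4. Returns the number of units touched. */
size_t demo_vulnerable(void) {
    wchar16 arena[ARENA_UNITS];
    for (size_t i = 0; i < ARENA_UNITS; i++) arena[i] = 'x';
    arena[ARENA_UNITS - 1] = 0;
    wchar16 *s = load_unterminated(kNoTerminator, sizeof kNoTerminator, arena);
    return wcsupr16(s);
}

/* Fixed path on the same unterminated payload: exactly 4 units touched. */
size_t demo_fixed(void) {
    wchar16 *s = load_terminated(kNoTerminator, sizeof kNoTerminator);
    if (!s) return (size_t)-1;
    size_t n = wcsupr16(s);
    free(s);
    return n;
}

/* Fixed path on a payload that already carries a terminator: still 4 units;
   the extra zero is harmless. */
size_t demo_fixed_already_terminated(void) {
    wchar16 *s = load_terminated(kWithTerminator, sizeof kWithTerminator);
    if (!s) return (size_t)-1;
    size_t n = wcsupr16(s);
    free(s);
    return n;
}

int main(void) {
    printf("vulnerable path upper-cased %zu code units\n", demo_vulnerable());
    printf("fixed path upper-cased %zu code units\n", demo_fixed());
    printf("fixed path, terminated input: %zu code units\n",
           demo_fixed_already_terminated());
    return 0;
}
```

In real Windows code the equivalent of `load_terminated` is to allocate `cb + sizeof(WCHAR)` bytes, call `RegQueryValueExW`, and write a zero at `cb / sizeof(WCHAR)` before passing the buffer to any string function; alternatively `RegGetValueW` with a `RRF_RT_REG_SZ` type restriction returns a string it guarantees to be terminated. The arena in `demo_vulnerable` only makes the overrun countable; in the service the bytes past the value are live heap data, which is what the write corrupts.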

 

Our Patch

Our patch is logically identical to Microsoft's. 

Let's see our patch in action. First, a low-privileged user launches the POC while 0patch is disabled, which results in crashing the Telephony Service. With 0patch enabled, the POC fails to crash the service.


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  11. Windows Server 2012 - fully updated with no ESU or ESU 1
  12. Windows Server 2012 R2 - fully updated with no ESU or ESU 1


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Đào Tuấn Linh and Chen Le Qi of Starlabs for discovering this vulnerability and publishing their analysis, which allowed us to create a patch and protect 0patch users against this issue.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.
