External risk intelligence

Windows Elevation of Privilege Vulnerability in Kernel-Mode Driver.

CVE advisoryKnown Exploit

CVE-2024-35250

A vulnerability in the Windows Kernel-Mode Driver allows a local attacker to escalate privileges. This could impact system integrity and data confidentiality, posing a business risk if an attacker gains unauthorized local access.A vulnerability in the Windows Kernel-Mode Driver allows a local attacker to gain elevated

1Halo Surface Signal

Microsoft Windows 10 1507

before 10.0.10240.20680before 10.0.14393.7070before 10.0.17763.5936before 10.0.19044.4529before 10.0.19045.4529before 10.0.22000.3019before 10.0.22621.3737before 10.0.22631.3737r2;...

External exposure likelihood

Halo Surface Signal score for CVE-2024-35250

This vulnerability resides within a Windows kernel-mode driver, which requires local access to the operating system to exploit. It is not exposed to the public internet and cannot be reached remotely without prior local access to the target host.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within the Windows Kernel-Mode Driver. This flaw permits an attacker with local access to escalate their privileges on the affected system. The impact could involve unauthorized access to sensitive data, disruption of critical business operations, or compromise of system integrity.

  • Vulnerable Windows component
  • Local privilege escalation
  • Compromised system integrity

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker with local access to a Windows system to escalate their privileges. The attack targets a flaw in the Windows Kernel-Mode Driver, enabling an attacker to gain higher levels of control over the affected system. This could lead to unauthorized access to sensitive data or further compromise of the system. The exploitation requires the attacker to have an initial foothold on the local machine.

  • Local access to a system is required.
  • Attacker exploits a driver vulnerability.
  • Privilege escalation occurs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability affects Windows operating systems, allowing a local attacker to gain elevated privileges. Exploitation requires direct access to the affected system, meaning an attacker cannot exploit this remotely over the internet. The potential for privilege escalation poses a significant risk to the integrity and confidentiality of an organization's data.

  • Attackers need local access.
  • Exploitation is difficult for remote attackers.
  • Business risk is high.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Windows Kernel-Mode Driver, potentially allowing a local attacker to elevate privileges. Organizations should take immediate steps to identify and address this risk to maintain system integrity and security.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.

Frequently asked questions

What is the Windows Kernel-Mode Driver and its role in system security?

The Windows Kernel-Mode Driver is a core operating system component operating at the highest privilege level. It manages hardware and low-level system functions, facilitating direct software-to-hardware interaction.

What type of weakness does CVE-2024-35250 represent and what is its impact?

CVE-2024-35250 is an elevation of privilege vulnerability. This weakness allows an attacker with some system access to gain higher permissions, potentially leading to full system compromise.

How does an attacker exploit CVE-2024-35250, and what is the scope of the attack?

Exploitation of this vulnerability requires local access to the affected system. An attacker leverages a flaw in the Windows Kernel-Mode Driver to escalate privileges. The scope is limited to the system the attacker has initial access to, as it cannot be exploited remotely.

What is the significance of CVE-2024-35250 for organizations, as highlighted by CISA's Halo Surface Signal?

Halo classifies CVE-2024-35250 as 'Very unlikely' to be exploited remotely because it requires local access to the operating system. However, it remains a high-severity vulnerability (CVSS 7.8) that impacts Windows Kernel-Mode Driver and can lead to privilege escalation.

What practical steps should organizations take to respond to this vulnerability?

Organizations should identify all affected Windows assets, reduce exposure or isolate the risk, and prioritize applying vendor-supplied fixes. Verification and ongoing monitoring are crucial to ensure system integrity and security.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified