Cyber Security News

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could allow local attackers to escalate privileges to the SYSTEM level.

Security researcher Alex Birnberg showcased the exploit during the renowned TyphoonPWN 2024 cybersecurity competition, securing third place for his demonstration of the flaw.

TyphoonPWN, one of the premier cybersecurity competitions, brings together security researchers from around the globe to expose vulnerabilities in widely used software.

Alex Birnberg’s successful demonstration of CVE-2024-30085 highlights the importance of such events in uncovering and addressing serious security flaws.

Details of the Vulnerability

The vulnerability, officially tracked as CVE-2024-30085, resides in the Cloud Files Mini Filter Driver (cldflt.sys).

The issue stems from improper validation of user-supplied data when parsing reparse points.

Specifically, the driver fails to validate the size of the data before copying it to a fixed-length heap-based buffer.

By exploiting this, an attacker could leverage the vulnerability to overwrite memory and execute code in the context of System, granting them elevated privileges.

In Windows 11, version 23H2, attackers must first gain the ability to execute low-privileged code on the targeted system to exploit this flaw, significantly escalating the risk in environments where users already have limited system access.

Independent security researchers analyzed the vulnerability in detail, identifying its root cause in the function HsmIBitmapNORMALOpen in the Windows Cloud Files Mini Filter Driver.

The improper handling of reparse point bitmaps allows attackers to bypass crucial checks and introduce malicious data into the system’s memory.

The flaw occurs in scenarios where the length verification of reparse data is skipped under specific conditions during file operations. This improper handling can be exploited to overwrite memory, leading to privilege escalation.

The exploit, demonstrated at TyphoonPWN 2024, involved creating a carefully crafted reparse point to exploit the vulnerable function and achieve SYSTEM-level privileges.

The demonstration earned Alex Birnberg third place in the competition, highlighting the creativity and technical depth of his analysis.

Best Practices:

  • Restrict administrative access to trusted users.
  • Regularly update all Windows systems with the latest patches.
  • Monitor system activity for unusual behavior, especially around file operations and reparse points.
  • Employ intrusion detection systems (IDS) to monitor for signs of exploits.

Organizations should also audit their use of the Cloud Files Mini Filter Driver and ensure that external access to systems requiring elevated privileges is minimized.

This recent discovery underscores the critical importance of proactive cybersecurity practices. Microsoft’s swift response in patching the vulnerability reflects the industry’s commitment to safeguarding users. All affected users should prioritize system updates to ensure their devices remain secure from this and other vulnerabilities.

Following the disclosure by Birnberg, Microsoft promptly released a patch to mitigate the vulnerability. Users are strongly urged to update their systems by applying the latest security update via the official Microsoft Update Guide:

Users are advised to immediately install the recent Windows update, which contains the patch for CVE-2024-30085.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

1 day ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago