CISA Lists Windows Kernel Bug Exploited by Lazarus Group in its Known Exploited Vulnerabilities Catalog

March 5, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the CVE-2024-21338 Microsoft Windows Kernel vulnerability in its Known Exploited Vulnerabilities catalog. This vulnerability, which can be exploited to gain system privileges, was discovered by an Avast researcher, Jan Vojtěšek.

An attacker would first need to log in to the system and then run a specially crafted application to exploit the vulnerability and take control of the system. The North Korea-linked Lazarus APT group has been observed using this exploit to gain kernel-level access and disable security software. In previous attacks, the group achieved similar results using the BYOVD (Bring Your Own Vulnerable Driver) technique.

The Lazarus group exploited CVE-2024-21338 to directly manipulate kernel objects in an updated version of its FudModule rootkit. The flaw resides in the IOCTL (Input and Output Control) dispatcher of the driver appid.sys, a core component of AppLocker, the Windows feature used to control which apps and files users can run. By manipulating the IOCTL dispatcher, the group could execute arbitrary code on the target system, bypassing security measures.

According to Binding Operational Directive (BOD) 22-01, federal agencies must address the identified vulnerabilities by a specified due date to protect their networks against attacks exploiting the flaws in the catalog. Private organizations are also advised to review the catalog and address the vulnerabilities in their infrastructure. CISA has set a deadline of March 25, 2024, for federal agencies to fix this vulnerability.
