Our new CVE tracking app has been working hard these days, finding things our poor human eyes were unable or too tired to see. In this case, it alerted us about a vulnerability that was described in an article about another vulnerability we had long since patched.
CVE-2024-43626, a privilege escalation vulnerability in Windows Telephony Service, was described in an article by Đào Tuấn Linh of Starlabs. The article was primarily about CVE-2024-26230, which we had patched in August 2024, but it also mentioned a related issue CVE-2024-43626, reportedly co-analyzed by Chen Le Qi of Starlabs. While the proof-of-concept was only provided for the "main" vulnerability, we were able to modify it to trigger the secondary one.
The Vulnerability
The vulnerability is in the way Windows Telephony Service reads some registry value to the memory, whereby such value could be loaded without the trailing zero terminator. Should this happen, a subsequent _wcsupr operation would upper-case a string beyond the end of the buffer - potentially corrupting the memory there in such a way as to lead to arbitrary code execution.
Microsoft's Patch
Microsoft's patch modified the vulnerable code so that it correctly reads the registry value and makes sure it is zero-terminated.
Our Patch
Our patch is logically identical to Microsoft's.
Let's see our patch in action. First, a low-privileged user launches the POC while 0patch is disabled, which results in crashing the Telephony Service. With 0patch enabled, the POC fails to crash the service.
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Đào Tuấn Linh and Chen Le Qi of Starlabs for discovering this vulnerability and publishing their analysis, which allowed us to create a patch and protect 0patch users against this issue.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did
you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of
support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.
No comments:
Post a Comment