October 2024 Windows Updates brought a patch for CVE-2024-43532, a vulnerability in the Windows Remote Registry Service that could allow an attacker with access to the network communication between an administrator's computer and the computer under remote administration to hijack that connection and gain administrative remote registry access to a destination computer. With remote administrative access to the registry on a computer, the attacker could have a malicious executable of their choosing launched there.
Security researcher Stiv Kupchik of Akamai found this vulnerability and reported it to Microsoft. Stiv subsequently published a detailed article and provided a proof-of-concept tool.
The Vulnerability
The root cause of this vulnerability is an insecure authentication level passed to RpcBindingSetAuthInfo by the function BaseBindToMachine in advapi32.dll; this function takes caller-supplied parameters that control how the RPC binding to the remote machine is set up.
By default, BaseBindToMachine first tries to bind to the RPC endpoint over named pipes with RPC_C_AUTHN_LEVEL_PKT_PRIVACY and, when that fails, falls back to TCP/IP with RPC_C_AUTHN_LEVEL_CONNECT. The CONNECT level authenticates the client only when the connection is established and provides no integrity or confidentiality protection for the traffic that follows, so the authentication performed on the TCP/IP binding can be relayed to a different endpoint of the attacker's choosing, where the attacker ends up authenticated with the victim's credentials.
Stiv Kupchik found one instance of the vulnerable RegConnectRegistryExW call in the Registry Editor application, but other applications that open remote registry connections are likely to use it in the same way.
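To make the difference between the two authentication levels concrete at the wire level, here is an added example (not code from the 0patch post or from Akamai's proof-of-concept): it constructs a sample MS-RPC bind PDU, the first message an RPC client sends on a new binding, once with RPC_C_AUTHN_LEVEL_CONNECT as used by the TCP/IP fallback and once with RPC_C_AUTHN_LEVEL_PKT_PRIVACY, parses the sec_trailer and flags the relayable one. The winreg interface UUID in it is an assumption from memory and should be verified against MS-RRP; the credential blob is a constructed placeholder rather than a real NTLM NEGOTIATE message.

```python
"""DCERPC bind PDU inspector for the RPC_C_AUTHN_LEVEL_CONNECT relay issue.

Added example, not code from the 0patch post or Akamai's PoC. Builds a
constructed MS-RPC bind PDU and checks the authentication level negotiated
in its sec_trailer. Levels below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY do not bind
the session key to the traffic, which is what makes the TCP/IP fallback
relayable by an attacker sitting on the path.
"""
import struct
import uuid

PTYPE_BIND = 11
RPC_C_AUTHN_WINNT = 10  # NTLMSSP
AUTHN_LEVEL_NAMES = {1: "DEFAULT", 2: "CONNECT", 3: "CALL", 4: "PKT",
                     5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6

# NDR32 is the standard transfer syntax. The winreg value is an assumption
# taken from memory of MS-RRP; verify it against the specification.
NDR32_UUID = "8a885d04-1ceb-11c9-9fe8-08002b104860"
WINREG_UUID = "338cd001-2244-31f8-83ea-b6eb8e3d7a2e"


def build_bind(iface_uuid, auth_level, call_id=1,
               creds=b"NTLMSSP\x00\x01\x00\x00\x00"):
    """Construct a minimal little-endian bind PDU with one presentation
    context and an NTLMSSP sec_trailer (constructed sample, not a capture)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                                # ctx_id, n_syntaxes, pad
    ctx += uuid.UUID(iface_uuid).bytes_le + struct.pack("<I", 1)      # abstract syntax v1.0
    ctx += uuid.UUID(NDR32_UUID).bytes_le + struct.pack("<I", 2)      # NDR32 v2.0
    body = struct.pack("<HHIB", 5840, 5840, 0, 1) + b"\x00" * 3 + ctx  # max_xmit, max_recv, assoc, n_ctx
    pad = (-len(body)) % 4                                            # sec_trailer is 4-byte aligned
    trailer = struct.pack("<BBBBI", RPC_C_AUTHN_WINNT, auth_level, pad, 0, 0)
    frag_len = 16 + len(body) + pad + len(trailer) + len(creds)
    header = struct.pack("<BBBB", 5, 0, PTYPE_BIND, 0x03)             # v5.0, bind, FIRST|LAST
    header += b"\x10\x00\x00\x00"                                     # drep: little-endian, ASCII
    header += struct.pack("<HHI", frag_len, len(creds), call_id)
    return header + body + b"\x00" * pad + trailer + creds


def parse_bind(pdu):
    """Parse the common header, presentation contexts and sec_trailer of a
    bind PDU. Raises ValueError on anything that is not a well-formed bind."""
    if len(pdu) < 16 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCERPC v5 bind PDU")
    e = "<" if pdu[4] & 0x10 else ">"                                 # drep byte-order flag
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    _max_xmit, _max_recv, _assoc, n_ctx = struct.unpack(e + "HHIB", pdu[16:25])
    off = 28                                                          # 3 reserved bytes follow n_ctx
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_syntaxes = struct.unpack(e + "HB", pdu[off:off + 3])
        off += 4
        raw = pdu[off:off + 16]
        abstract = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        version = struct.unpack(e + "I", pdu[off + 16:off + 20])[0]
        off += 20 + 20 * n_syntaxes                                   # skip the transfer syntaxes
        contexts.append({"ctx_id": ctx_id, "abstract_syntax": str(abstract),
                         "version": version})
    auth = None
    if auth_len:
        t = frag_len - auth_len - 8                                   # sec_trailer offset
        if t < off:
            raise ValueError("auth_length overlaps bind body")
        auth_type, level, _pad, _rsvd, auth_ctx = struct.unpack(e + "BBBBI", pdu[t:t + 8])
        auth = {"type": auth_type, "level": level,
                "level_name": AUTHN_LEVEL_NAMES.get(level, "UNKNOWN"),
                "context_id": auth_ctx}
    return {"call_id": call_id, "contexts": contexts, "auth": auth}


def is_relayable_bind(pdu):
    """True when the client negotiated no authentication or a level below
    PKT_INTEGRITY, so nothing ties the authentication to this connection."""
    auth = parse_bind(pdu)["auth"]
    return auth is None or auth["level"] < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY


if __name__ == "__main__":
    for name, level in (("fallback (CONNECT)", RPC_C_AUTHN_LEVEL_CONNECT),
                        ("hardened (PKT_PRIVACY)", RPC_C_AUTHN_LEVEL_PKT_PRIVACY)):
        pdu = build_bind(WINREG_UUID, level)
        info = parse_bind(pdu)
        print(f"{name}: iface={info['contexts'][0]['abstract_syntax']} "
              f"auth={info['auth']['level_name']} relayable={is_relayable_bind(pdu)}")
```

The same parser can be pointed at bind PDUs carved out of a capture of TCP traffic to port 135 and the dynamic RPC port; any bind that carries the winreg interface with an authentication level below PKT_INTEGRITY is a client still exhibiting the fallback behavior this post describes.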
Microsoft’s Patch
Microsoft patched this issue by changing the default behavior of remote registry connections initiated through BaseBindToMachine, and also introduced new registry values that control the transport fallback policy and the security policy of these connections.
Our Micropatch
Our patch is logically equivalent to enforcing the patched default behavior of BaseBindToMachine (i.e., the behavior when TransportFallbackPolicy is absent or set to 1, DEFAULT): the fallback is disabled and remote registry connections are only made over named pipes with RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
The patch consists of a single CPU instruction that sets the pointer to the fallback protocol name to 0 (NULL); Microsoft's original code in advapi32.dll then does the rest, as there is no fallback protocol left to try.
;XX-2562
MODULE_PATH "..\AffectedModules\advapi32.dll_10.0.19041.1052_Win10-2004_64-bit_u2021-12\advapi32.dll"
PATCH_ID 2029
PATCH_FORMAT_VER 2
VULN_ID 7839
PLATFORM win64

patchlet_start
 PATCHLET_ID 1
 PATCHLET_TYPE 2
 PATCHLET_OFFSET 0x42d9c
 N_ORIGINALBYTES 5
 JUMPOVERBYTES 0

 code_start
  mov r15, 0x0   ; move 0 to r15 to replace the fallback protocol name pointer
 code_end
patchlet_end
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 v21H2 – fully updated
- Windows 10 v21H2 – fully updated
- Windows 10 v21H1 – fully updated
- Windows 10 v20H2 – fully updated
- Windows 10 v2004 – fully updated
- Windows 10 v1909 – fully updated
- Windows 10 v1809 – fully updated
- Windows 10 v1803 – fully updated
- Windows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012 (standard and R2) – fully updated with no ESU
- Windows Server 2008 R2 – fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers, and you won't even have to know or care about these things.
If you’re new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.
We would like to thank Stiv Kupchik of Akamai for sharing their analysis and proof-of-concept, which made it possible for us to create a
micropatch for this issue.
To learn more about 0patch, please visit our Help Center.
Article Link: 0patch Blog: Micropatches Released for Remote Registry Service Elevation of Privilege Vulnerability (CVE-2024-43532)