On June 11th, Microsoft released hotfixes for CVE-2024-30078 labeled as "Windows Wi-Fi Driver Remote Code Execution Vulnerability". This should ring all alarm bells because it means that attackers could remotely compromise a Windows computer via WiFi.
And indeed, even the description given by the Microsoft FAQ is pretty scary:
Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.
An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution.
This was found by KUNLUN LABS, a Beijing based offensive security company. No exploit details have been given so far.
What does it mean for your company?
Strengthening your organization's resilience is not just a regulatory obligation but a strategic imperative. The EU Digital Operational Resilience Act (DORA), which applies across the European financial sector from 2025, requires companies to proactively detect current and relevant threats. One way to do this is the feature we present here: an agile atomic check that quickly verifies whether critical security patches are installed, supporting the DORA requirements for continuous risk identification and for testing against real-world threats described in:
Article 8: Identification
Article 9: Protection and Prevention
Article 10: Detection
Article 25: Testing of ICT Tools and Systems.
At Persistent Security Industries, we've developed the Nemesis Breach and Attack Simulation (BAS) platform, designed to not only meet but exceed these regulatory demands in a cost-effective way. More information on the exact legislative text can be found here.
Our product Nemesis BAS already contains a large library of scenarios and atomics that can be used to validate your security controls and document the results. For upcoming and new threats we also support custom atomics that can be created easily by technical operators or on customer request. The following is a description of how to tackle a remote code execution vulnerability that can be exploited against every unpatched Microsoft Windows system in Wi-Fi range.
How do you ensure patches have been installed correctly?
Microsoft Windows patches are by default installed automatically from Windows Update, which is rather opaque for the average user. In a corporate environment, updates often do not come directly from Microsoft but through Windows Server Update Services (WSUS) or another management tool, and they might not be installed correctly or in a timely manner. So, how can you check that none of your users boot up their laptop after a well-deserved holiday, ignore the notifications telling them to reboot, and stay vulnerable for days because they put the system on standby instead of restarting it?
Step 1: Check manually
Given basic Microsoft Windows system administration skills we can check if the required updates have been installed and the issue is patched.
We first check if one of the following Hotfixes listed in the Microsoft Security Update Guide is present on the system:
5039211
5039212
5039213
5039214
5039217
5039225
5039227
5039236
5039245
5039260
5039266
5039274
5039289
5039294
The WMI command-line client wmic that ships with Windows is useful for this task (note that wmic is deprecated and recent Windows 11 builds no longer include it by default; in PowerShell, Get-HotFix or Get-CimInstance Win32_QuickFixEngineering reads the same data). Open a command prompt or PowerShell (administrator rights are not required for this query) and execute:
wmic qfe get HotfixID, InstalledOn
This will list all installed hotfixes as seen in the next screenshot:
We see that hotfix KB5039212 is installed on the system, which confirms that the vulnerability was fixed.
Step 2: Automate the Checks
If you need to assess a lot of endpoints or generally want to check for upcoming vulnerabilities, the manual tasks need to be converted into automation. The following PowerShell script checks for all fixes listed in Microsoft's update guide:
# Nemesis Custom Atomic: simulating an attacker who tries to identify CVE-2024-30078
$kbList = @("KB5039211", "KB5039212", "KB5039213", "KB5039214", "KB5039217", "KB5039225", "KB5039227", "KB5039236", "KB5039245", "KB5039260", "KB5039266", "KB5039274", "KB5039289", "KB5039294") # patches to check presence for according to https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078
$found = $false # fail closed: assume vulnerable until a fixing hotfix is seen
$hotfixes = wmic qfe get HotfixID
$applied = @() # $matches is an automatic PowerShell variable, so use our own name for the list
foreach ($kb in $kbList) { # query each of the hotfixes
    $patch = $hotfixes | Select-String -CaseSensitive -Pattern $kb -SimpleMatch -Quiet
    if ($patch) {
        $found = $true
        $applied += $kb # add to the list of hotfixes that are applied
    }
}
if (-not $found) {
    Write-Host "VULNERABLE system found, none of the required hotfixes applied:"
    Write-Host $hotfixes
    exit 0 # the system was found to be vulnerable (Nemesis: the technique succeeded)
} else {
    Write-Host "System not vulnerable, hotfixes applied: $($applied -join ', ')"
    exit 1 # the system was found not vulnerable
}
The above script checks whether any of the hotfixes that fix the vulnerability is installed, so a system that has none of them is likely vulnerable. Two caveats apply: later cumulative updates supersede these KBs, so a machine that skipped the June update and installed a later one directly will not list any of them and would be reported as vulnerable until its build number is checked; and the check says nothing about whether the machine has a Wi-Fi adapter at all.
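The following is an added example written for this article, not Nemesis BAS code and not the script above. It reads the same Win32_QuickFixEngineering data through CIM so it works where wmic.exe is missing, lists every matching KB, records whether a Wi-Fi adapter is present, and flags machines that show an update newer than the June 11 release but none of the listed KBs. The release date is taken from the article, and the exit-code convention (0 = vulnerable) follows the Nemesis description above; the Wi-Fi adapter test assumes the adapter is reported by the NetAdapter module.

```powershell
# Added example (not Nemesis BAS or Microsoft code): CVE-2024-30078 hotfix check
# that does not depend on wmic.exe, reports every matching KB and explains
# borderline results. Exit codes follow the article: 0 = vulnerable, 1 = not.

$kbList = @("KB5039211", "KB5039212", "KB5039213", "KB5039214", "KB5039217",
            "KB5039225", "KB5039227", "KB5039236", "KB5039245", "KB5039260",
            "KB5039266", "KB5039274", "KB5039289", "KB5039294")
$releaseDate = Get-Date -Year 2024 -Month 6 -Day 11   # release date from the article

# Win32_QuickFixEngineering is the class behind "wmic qfe"; CIM works on builds
# where wmic.exe is no longer present. InstalledOn comes back as [datetime] via CIM.
$installed = Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Select-Object HotFixID, InstalledOn

$applied = @($installed | Where-Object { $kbList -contains $_.HotFixID })

# A host that skipped June and went straight to a later cumulative update will
# never list a June KB, so the KB list alone cannot prove it is unpatched.
$newest = ($installed | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$hasLaterUpdate = ($null -ne $newest) -and ($newest -gt $releaseDate)

# Only hosts with an 802.11 adapter are reachable over the air; the NetAdapter
# module reports those with PhysicalMediaType 'Native 802.11'.
$wifi = @(Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' })

$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

if ($applied.Count -gt 0) {
    $verdict  = 'PATCHED: a listed hotfix is installed'
    $exitCode = 1
} elseif ($wifi.Count -eq 0) {
    $verdict  = 'NOT EXPOSED: no Wi-Fi adapter present (still patch the host)'
    $exitCode = 1
} elseif ($hasLaterUpdate) {
    # Fail closed: report it, but the operator must confirm the build number
    # against the fixed builds on the MSRC page before closing the finding.
    $verdict  = 'REVIEW: no listed KB, but an update newer than the June release is installed'
    $exitCode = 0
} else {
    $verdict  = 'VULNERABLE: no listed hotfix and no update since the June release'
    $exitCode = 0
}

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    Build        = "$($ver.CurrentBuild).$($ver.UBR)"
    WifiAdapters = ($wifi | ForEach-Object { $_.Name }) -join ', '
    AppliedKBs   = ($applied | ForEach-Object { $_.HotFixID }) -join ', '
    NewestUpdate = $newest
    Verdict      = $verdict
} | Format-List

exit $exitCode
```

The REVIEW verdict deliberately exits 0 so that hosts which cannot be proven patched from the KB list still surface in the assessment; the reported build number (CurrentBuild.UBR from the registry) is what you compare against the fixed builds in the Microsoft update guide before closing such a finding.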
Step 3: Validate With Nemesis BAS
By integrating Nemesis BAS into your security framework, you gain a tool that not only ensures compliance with DORA but also increases your overall cybersecurity resilience. Our check for hotfixes for CVE-2024-30078 is just one of the available scenarios in the Nemesis BAS library, including atomics that can perform the actual attacks and detect if they really work in your environment!
As part of the efforts to prevent upcoming and current threats, it is crucial to validate that these threats are successfully mitigated. In the case of the Wi-Fi attack, a technical operator can implement a quick atomic check that finds machines that have not yet received the patch. In our case, we have Nemesis BAS agents deployed on the machines and we use the custom atomic wizard of the Nemesis BAS Dashboard to execute the PowerShell script shown above regularly and report back the results. The atomic can be created in the following steps via the wizard:
1. Enter the Atomic info as seen below, such as the name, a description, technique from MITRE ATT&CK, and other relevant information that will end up in the automatically generated report later:
2. Since this atomic does not need input arguments or special dependencies, we can go directly to the executor step, where we put the PowerShell script from above to check for installed hotfixes. Here you can also configure the execution details, such as which executor (PowerShell, cmd, etc.) should be used and whether the script should run with elevated permissions:
Nemesis BAS will use this script to execute a technique and expects the script to exit with a code of 0 when the technique worked and is not prevented. In this case it will exit with zero when none of the Hotfixes that address the vulnerability were installed on the system and it is therefore deemed to be vulnerable.
3. At the last step you are provided with a TOML file that defines the atomic, including descriptions and execution parameters. Save it for later: reusing it to prefill the wizard saves a lot of time when you create more atomics of the same kind:
4. Now it's time to execute the atomic. We create a scenario from it and include that scenario in an assessment, which can schedule multiple scenarios to be run on different agents. In this case we run the scenario only on a test agent:
5. After hitting run, the data necessary to execute the atomic is delivered securely to the agent, the atomic is run, and the results are reported back:
6. The above result indicates that the system appears to be vulnerable, upon which we can investigate further details:
Apparently the list of applied Hotfixes doesn't include any that cover CVE-2024-30078. In the spirit of Breach and Attack Simulation, you can use more complex scenarios of Nemesis BAS to perform the actual attacks and combine different techniques.
Want to know more?
As your organization prepares for DORA, ask yourself: Do your security controls hold up when it matters most? Navigating the complexities of ICT risk management is challenging, with evolving threats, complex IT environments, and limited resources. Nemesis BAS helps you cut through this uncertainty, offering precise, automated, and continuous validation of your security posture.
Curious about checking for other techniques such as the Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080), the Linux agent or atomics that perform remote testing against Active Directory or cloud environments?
Request your demo here.