top of page

Critical Analysis of CVE-2023-24880: Microsoft Windows SmartScreen Vulnerability and Active Exploitation

CVE Image for report on CVE-2023-24880

Executive Summary

CVE-2023-24880 is a critical vulnerability identified in Microsoft Windows SmartScreen, a feature designed to protect users from malicious software and websites. This vulnerability allows attackers to bypass the SmartScreen security feature, potentially leading to unauthorized actions on the affected systems. The vulnerability has a CVSS v3.1 Base Score of 4.4, indicating a medium severity level. It has been actively exploited in the wild, making it imperative for organizations to understand its implications and take immediate action to mitigate the risks.

Technical Information

CVE-2023-24880 is a security vulnerability that affects various versions of Microsoft Windows 10 and Windows Server editions. The vulnerability is classified under CWE-863 (Incorrect Authorization) and was added to the CVE database on March 14, 2023. The vulnerability allows attackers to bypass the Windows SmartScreen security feature, which is designed to protect users from malicious software and websites. The CVSS v3.1 vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L, indicating that the attack vector is local, the attack complexity is low, no privileges are required, and user interaction is required.

The vulnerability primarily affects the following versions of Microsoft Windows:

Windows 11

21H2: 10.0.22000.2713, 10.0.22000.2652, 10.0.22000.2600, 10.0.22000.2482, 10.0.22000.2245, 10.0.22000.2360 22H2: 10.0.22621.3007, 10.0.22621.2861, 10.0.22621.2715, 10.0.22621.2283, 10.0.22621.2215, 10.0.22621.1928

Windows 10

22H2: 10.0.19045.3930, 10.0.19045.3803, 10.0.19045.3693, 10.0.19045.3570 21H2: 10.0.19044.4046, 10.0.19044.2788, 10.0.19044.3803, 10.0.19044.3693 20H2: 10.0.19042.2788, 10.0.19042.2673, 10.0.19042.2546, 10.0.19042.2364 1809: 10.0.17763.5329, 10.0.17763.5206, 10.0.17763.5122, 10.0.17763.4974, 10.0.17763.4851 1607: 10.0.14393.6614, 10.0.14393.6529, 10.0.14393.6452, 10.0.14393.6351, 10.0.14393.6252

Windows Server

2022: 10.0.25398.643, 10.0.20348.2227, 10.0.20348.407, 10.0.20348.473, 10.0.20348.502 2019: 10.0.17763.5329, 10.0.17763.4010 2016: 10.0.14393.6614, 10.0.14393.5717

The vulnerability allows attackers to bypass the Mark of the Web (MOTW) protections, which are intended to warn users when they download files from the internet. By bypassing SmartScreen, attackers can execute malicious files without triggering security warnings.

Exploitation in the Wild

This vulnerability has been actively exploited in the wild. Attackers leverage this flaw to bypass the Mark of the Web (MOTW) protections, which are intended to warn users when they download files from the internet. By bypassing SmartScreen, attackers can execute malicious files without triggering security warnings. This has been observed in various attack campaigns where malicious files are delivered via phishing emails or compromised websites.

References to Exploitation

CISA's Known Exploited Vulnerabilities Catalog: This CVE is listed in CISA's catalog, indicating its active exploitation. (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) Microsoft Security Response Center: Microsoft has acknowledged the vulnerability and provided patches to mitigate the risk. (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880)

APT Groups using this vulnerability

While specific APT groups exploiting this vulnerability have not been publicly identified, the nature of the vulnerability makes it a valuable tool for groups focused on defense evasion and initial access. The sectors and countries targeted by these APT groups are diverse, including critical infrastructure, financial institutions, and government agencies across North America, Europe, and Asia.

Affected Product Versions

The following product versions are affected by CVE-2023-24880:

Windows 11

21H2: 10.0.22000.2713, 10.0.22000.2652, 10.0.22000.2600, 10.0.22000.2482, 10.0.22000.2245, 10.0.22000.2360 22H2: 10.0.22621.3007, 10.0.22621.2861, 10.0.22621.2715, 10.0.22621.2283, 10.0.22621.2215, 10.0.22621.1928

Windows 10

22H2: 10.0.19045.3930, 10.0.19045.3803, 10.0.19045.3693, 10.0.19045.3570 21H2: 10.0.19044.4046, 10.0.19044.2788, 10.0.19044.3803, 10.0.19044.3693 20H2: 10.0.19042.2788, 10.0.19042.2673, 10.0.19042.2546, 10.0.19042.2364 1809: 10.0.17763.5329, 10.0.17763.5206, 10.0.17763.5122, 10.0.17763.4974, 10.0.17763.4851 1607: 10.0.14393.6614, 10.0.14393.6529, 10.0.14393.6452, 10.0.14393.6351, 10.0.14393.6252

Windows Server

2022: 10.0.25398.643, 10.0.20348.2227, 10.0.20348.407, 10.0.20348.473, 10.0.20348.502 2019: 10.0.17763.5329, 10.0.17763.4010 2016: 10.0.14393.6614, 10.0.14393.5717

Workaround and Mitigation

To protect against CVE-2023-24880, it is crucial to apply the security updates provided by Microsoft. The following steps are recommended:

Apply Patches: Ensure that all affected systems are updated with the latest security patches from Microsoft. Monitor for Indicators of Compromise (IOCs): Keep an eye on unusual activities that may indicate exploitation attempts. User Awareness: Educate users about the risks of downloading and executing files from untrusted sources.

References

NVD: CVE-2023-24880 Detail (https://nvd.nist.gov/vuln/detail/cve-2023-24880) Microsoft Security Response Center: CVE-2023-24880 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880) CISA: Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) Vicarius: Windows SmartScreen Security Feature Bypass (CVE-2023-24880) (https://www.vicarius.io/vsociety/posts/windows-smartscreen-security-feature-bypass-cve-2023-24880) Rapid7: CVE-2023-24880 (https://www.rapid7.com/db/vulnerabilities/msft-cve-2023-24880/)

Rescana is here for you

At Rescana, we understand the complexities and challenges of managing cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you stay ahead of potential vulnerabilities and ensure your systems are secure. If you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to assist you in safeguarding your digital assets.

2 views0 comments

Comments


bottom of page