GET A DEMO

Voyager18 (research)

How to fix the zero-day CVE-2024-30051 in Windows DWM

CVE-2024-30051: A high-severity zero-day in Windows DWM Core Library. Learn about its impact, exploits, and protection steps

Yair Divinsky | May 16, 2024

Microsoft recently addressed CVE-2024-30051, a critical zero-day vulnerability in the Windows Desktop Window Manager (DWM) Core Library.

Here are the current technical details of this vulnerability, its impact, and the necessary actions to mitigate the risks associated with it.

TL;DR

Affected products: 

Windows DWM Core Library 

Product category: 

OS Vulnerability 

Severity: 

N/A

Type: 

Elevation of Privilege due to a heap-based buffer overflow in the DWM (Desktop Window Manager) core library 

Impact: 

Confidentiality (H), Integrity (H), Availability (H) 

PoC: 

Unpublished 

Exploit in the wild 

Yes 

CISA Catalog 

Yes 

Remediation action 

Apply latest Windows security updates 

MITRE advisory 

 Read more

What is CVE-2024-30051?

Uncovered during an investigation into another DWM-related zero-day exploit by researchers at Kaspersky, CVE-2024-30051 is a high-severity elevation of privilege vulnerability affecting the Windows Desktop Window Manager (DWM) Core Library. It is caused by a heap-based buffer overflow within the library, allowing attackers to escalate their privileges to SYSTEM level on vulnerable Windows systems, including Windows 10 and above, as well as Windows Server 2016 and later versions. 

Even though the patch became available yesterday (May 15th), Kaspersky’s monitoring uncovered ongoing exploitation of the vulnerability alongside QakBot and other malware, indicating that multiple threat actors had obtained access to the exploit. 

 

Does CVE-2024-30051 affect me?

CVE-2024-30051 poses a significant risk to users of vulnerable Windows systems. The vulnerability’s impact spans confidentiality, integrity, and availability, with a CVSS:3.1 score of 7.8 (High). However, it requires local access to the system for exploitation, which limits its attack vector. Here are the Product Status specifications: 

 

Product 

Platform 

Version 

Windows 10 Version 1809 

– 32-bit Systems 

– x64-based Systems 

– ARM64-based Systems 

– from 10.0.0 before 10.0.17763.5820 

Windows Server 2019 & 

2019 Server Core installation 

– x64-based Systems 

– from 10.0.0 before 10.0.17763.5820 

Windows Server 2022 

– x64-based Systems 

– from 10.0.0 before 10.0.20348.2461  

– from 10.0.0 before 10.0.20348.2458 

Windows 11 version 21H2 

– x64-based Systems 

– ARM64-based Systems 

from 10.0.0 before 10.0.22000.2960 

Windows 10 Version 21H2 

– 32-bit Systems 

– ARM64-based Systems 

– from 10.0.0 before 10.0.19044.4412 

Windows 11 version 22H2 

– ARM64-based Systems – x64-based Systems  

– from 10.0.0 before 10.0.22621.3593 

Windows 10 Version 22H2 

– x64-based Systems 

– ARM64-based Systems, 32-bit Systems 

– from 10.0.0 before 10.0.19045.4412 

Windows 11 version 22H3 

– ARM64-based Systems 

– from 10.0.0 before 10.0.22631.3593 

Windows 11 Version 23H2 

– x64-based Systems 

– from 10.0.0 before 10.0.22631.3593 

Windows 10 Version 1507 

– 32-bit Systems 

– x64-based Systems 

– from 10.0.0 before 10.0.10240.20651 

Windows 10 Version 1607 

– 32-bit Systems 

– x64-based Systems 

– from 10.0.0 before 10.0.14393.6981 

Windows Server 2016 & 

2016 Server Core installation 

– x64-based Systems 

– from 10.0.0 before 10.0.14393.6981 

 

Has CVE-2024-30051 been actively exploited in the wild?

Yes, CVE-2024-30051 has been actively exploited in attacks, particularly by threat actors delivering QakBot malware payloads (among others). The exploit allows attackers to gain SYSTEM-level privileges, enabling them to execute arbitrary code and carry out malicious activities without user interaction.

 

How to fix CVE-2024-30051

Microsoft has released patches addressing CVE-2024-30051 as part of its recent Patch Tuesday updates. Organizations and users are strongly advised to apply these patches immediately to protect their systems from potential exploitation and mitigate the risks associated with this zero-day vulnerability. 

 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. 2023 Vulnerability watch reports 
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

“The only free RBVM tool out there The only free RBVM tool lorem ipsum out there. The only”.

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png