CVE-2024-21302: 
vulnerability analysis and mitigation

CVE-2024-21302 is an elevation of privilege vulnerability that exists in Windows-based systems supporting Virtualization Based Security (VBS), including a subset of Azure Virtual Machine SKUs. The vulnerability was discovered and reported to Microsoft, affecting Windows 10, Windows 11, Windows Server 2016, and higher based systems. The issue enables an attacker with administrator privileges to replace current versions of Windows system files with outdated versions (NVD, Microsoft Support).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically targets systems with Virtualization Based Security (VBS) enabled. The VBS state can be verified through Microsoft System Information tool (Msinfo32.exe) or using Windows PowerShell with the Win32_DeviceGuard WMI class (Microsoft Support).

Successful exploitation of this vulnerability allows attackers to reintroduce previously mitigated vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS. The impact is particularly severe as it could potentially nullify previous security patches and expose systems to previously fixed vulnerabilities (NVD, Security Online).

Microsoft has released security updates that include an opt-in revocation policy mitigation to address this vulnerability. Customers running affected versions of Windows are advised to review KB5042562 for guidance on blocking rollback of virtualization-based security related updates. The mitigation involves deploying a Microsoft-signed revocation policy (SkuSiPolicy.p7b) which blocks vulnerable versions of VBS system files from being loaded by the operating system (Microsoft Support).