CVE-2024-21338: 
vulnerability analysis and mitigation

Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338) was discovered in the AppLocker driver (appid.sys) and patched by Microsoft in February 2024 Patch Tuesday update. The vulnerability affects multiple Windows versions from Windows 10 Version 1809 through Windows 11 23H2, allowing local service accounts to gain kernel-level access (ASEC Blog, Avast Labs).

The vulnerability exists in the IOCTL dispatcher in appid.sys with control code 0x22A018, which is designed to compute smart hash of executable image files. The vulnerability allows an attacker to trick the kernel into calling an arbitrary pointer with control over the first argument. It has a CVSS 3.1 Base Score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability was introduced in Windows 10 1703 and extends to recent builds including Windows 11 23H2 (NVD, Avast Labs).

When exploited, the vulnerability allows attackers to gain kernel-level access, which can be used to disrupt security software, conceal infection indicators, disable kernel-mode telemetry, turn off mitigations, and tamper with protected processes. The vulnerability has been actively exploited by the Lazarus threat group to disable security products and gain system privileges (Avast Labs).

Microsoft addressed the vulnerability in the February 2024 Patch Tuesday update by adding an ExGetPreviousMode check to the IOCTL handler, preventing user-mode initiated IOCTLs from triggering arbitrary callbacks. Users are advised to apply the latest security patches for their Windows systems (ASEC Blog, Avast Labs).