What is this vulnerability and why does it matter?

This vulnerability, CVE-2024-43491, is a flaw in the Servicing Stack of Windows 10 version 1507 (initial version released July 2015) that caused a rollback of fixes for some vulnerabilities affecting Optional Components. This means that previously mitigated vulnerabilities could be exploited again on affected systems. It matters because attackers could leverage these re-exposed vulnerabilities to compromise systems that were believed to be protected, potentially leading to data breaches, system compromise, or denial of service.

What are the CVSS score, severity level, and disclosure details?

The CVSS score for CVE-2024-43491 is 9.8, indicating a Critical severity level. The vulnerability was published on 2024-09-10 16:54:20 and last modified on 2024-12-31 23:03:24. Active exploits have been published for this vulnerability.

Which products, vendors, systems, and versions are affected?

This vulnerability affects Microsoft Windows 10, version 1507 (initial version released July 2015), specifically Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.

What is the technical root cause and attack vector?

The technical root cause is a flaw in the Servicing Stack that leads to the rollback of previous security fixes. The attack vector involves exploiting previously patched vulnerabilities that were inadvertently re-enabled due to the servicing stack issue. CWE-416, Use After Free, is associated with this vulnerability.

How can this vulnerability be exploited?

This vulnerability can be exploited by targeting the previously patched vulnerabilities that were reintroduced by the faulty servicing stack update. An attacker can leverage existing exploit code or develop new exploits to take advantage of these re-exposed flaws. Successful exploitation could lead to arbitrary code execution, privilege escalation, or other malicious activities, depending on the nature of the underlying vulnerabilities being exploited.

What mitigation steps and patches are available?

The vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Apply these updates to affected Windows 10 version 1507 systems (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB). Note that Windows 10, version 1507 reached end of support on May 9, 2017 for most editions; upgrading to a supported version of Windows is strongly recommended.

How can vulnerable systems be detected?

Vulnerable systems can be detected by checking the installed Windows update history. Specifically, check if KB5035858 (or other updates released until August 2024) is installed on Windows 10 Enterprise 2015 LTSB or Windows 10 IoT Enterprise 2015 LTSB, without the presence of the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083). Additionally, vulnerability scanners can be configured to identify systems missing the required patches.

What are the indicators of compromise (IOCs)?

Due to the nature of this vulnerability being a rollback of previous patches, the specific IOCs would depend on the vulnerabilities that are being re-exploited. General IOCs could include:

• Unexpected system behavior or crashes.
• Unusual network activity originating from affected systems.
• Detection of exploit attempts targeting known vulnerabilities that should have been patched.
• Presence of malicious files or processes related to known exploits for the re-exposed vulnerabilities.

Monitoring for these indicators in conjunction with known IOCs for the underlying vulnerabilities can help detect potential exploitation attempts.

Which threat actors are known to exploit this vulnerability?

Information regarding specific threat actors exploiting this particular servicing stack vulnerability (CVE-2024-43491) is not available. It's likely that various threat actors, including those interested in exploiting known Windows vulnerabilities, may target this flaw. It is important to monitor threat intelligence sources and security advisories for updated information on exploitation activity.

What public intelligence references and advisories exist?

Public intelligence references and advisories include:

• CVE-2024-43491 entry on the MITRE website and the National Vulnerability Database (NVD).
• Microsoft Security Advisory for the September 2024 updates (KB5043936 and KB5043083).
• Security blogs and articles discussing the vulnerability and its potential impact.

It is important to refer to these resources for detailed information and updates regarding this vulnerability.

What is the risk assessment and urgency level?

The risk assessment for CVE-2024-43491 is considered Critical due to the high CVSS score (9.8) and the existence of active exploits. The urgency level for patching is also Critical, as affected systems are vulnerable to exploitation of previously mitigated flaws. Organizations using Windows 10 Enterprise 2015 LTSB or Windows 10 IoT Enterprise 2015 LTSB should immediately apply the specified updates (KB5043936 and KB5043083) to mitigate the risk. If upgrading is an option it is highly advised as Windows 10, version 1507 has reached end of service.