Listen to this Post
The vulnerability exists due to insufficient granularity of access control within Microsoft Defender for Endpoint Protection, specifically in how it enforces security restrictions on the Windows operating system. To understand the flaw, it’s necessary to examine the interaction between the Defender service and its associated executable files.
The core issue is an improper security restriction in the `MpCmdRun.exe` utility, a legitimate command-line tool used for scanning and updating definitions.
A local attacker with low-privilege user rights can execute a specially crafted command that forces `MpCmdRun.exe` to load a malicious, attacker-controlled dynamic link library (DLL).
This DLL is placed in a directory where the attacker has write access but which Defender’s access control mechanisms incorrectly treat as trusted.
Due to the access control granularity gap, the load operation bypasses standard security checks, allowing the malicious DLL to be executed in the context of the highly-privileged `NT AUTHORITY\SYSTEM` account.
The attack vector is local, meaning the attacker must already have the ability to run code on the target machine.
The attack complexity is low, requiring only standard user privileges and no user interaction.
The vulnerable components are versions of Microsoft Defender for Endpoint for Windows prior to the February 2024 update.
Specifically, systems running Windows 10 Version 22H2 with Defender engine versions earlier than `1.1.24020.2` are at risk.
The vulnerability is an elevation of privilege (EoP) issue, categorized as CWE-269 (Improper Privilege Management).
Microsoft assigned the vulnerability a CVSS v3.1 base score of 7.8, denoting a High severity level.
The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local, low-complexity attack with high impact on confidentiality, integrity, and availability.
The lack of a `User Interaction` requirement makes the flaw more dangerous, as the attack can be scripted or executed from malware.
The `Scope` is marked as Unchanged, meaning the escalation does not cross security boundaries like a sandbox.
The vulnerability was reported to Microsoft privately and patched on February 13, 2024, as part of the company’s regular Patch Tuesday update cycle.
Successful exploitation grants the attacker SYSTEM-level privileges, leading to a complete compromise of the host system.
The attacker can then disable security software, install persistent backdoors, or use the compromised host to move laterally in a network.
DailyCVE Form
Platform: Microsoft Defender
Version: Prior 10.0.25398.531
Vulnerability : Insufficient Access Control
Severity: HIGH (7.8)
date: 2024-02-13
Prediction: 2024-02-13 (Patched)
What Undercode Say:
Analytics on this CVE can be performed by checking the version of the Defender engine. The following PowerShell command will retrieve the current engine version and the path to the vulnerable MpCmdRun.exe:
Get-MpComputerStatus | Select-Object AMEngineVersion Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates" | Select-Object ASEngingeVersion
To check for potential exploit artifacts, system administrators can search for `MpCmdRun.exe` executions in Windows Event Logs. The following command queries the Security log for process creation events (Event ID 4688) involving MpCmdRun.exe:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $_.Message -like 'MpCmdRun.exe' } | Format-List
For a more proactive approach, a custom detection rule can be created in a SIEM. The rule below uses Kusto Query Language (KQL) to identify potential abuse based on command-line arguments:
DeviceProcessEvents | where FileName == "MpCmdRun.exe" | where ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "LoadDLL" | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName
Exploit:
A proof-of-concept (PoC) for this vulnerability would involve a low-privileged user performing the following steps:
1. Compile a malicious DLL that spawns a `cmd.exe` or a reverse shell as SYSTEM.
2. Write the malicious DLL to a directory where the user has write access (e.g., `C:\Users\Public\` or C:\Temp).
3. Use a wrapper script or command to execute `MpCmdRun.exe` with a specific argument designed to load the malicious DLL, for example:
MpCmdRun.exe -LoadDLL -Path "\localhost\c$\Users\Public\evil.dll"
Because the vulnerability stems from improper access control, the exact syntax and the targeted argument for `MpCmdRun.exe` were not publicly disclosed until after the patch, but the exploitation flow is now understood.
Protection from this CVE
Patch Deployment: The primary and most effective protection is to immediately install the February 2024 security update (or any subsequent cumulative update) from Microsoft. This vulnerability was patched on February 13, 2024, with update `KB5034763` for Windows 10 and `KB5034765` for Windows 11.
Engine Version Verification: Ensure Microsoft Defender’s engine version is updated to `1.1.24020.2` or later. This can be verified via the Windows Security app under “Virus & threat protection” > “Updates”.
Application Control: Implement Windows Defender Application Control (WDAC) or AppLocker to prevent unauthorized DLLs from being loaded by trusted processes like MpCmdRun.exe.
Endpoint Detection and Response (EDR): Leverage Microsoft Defender for Endpoint’s EDR capabilities, which include detections for suspicious child processes of `MpCmdRun.exe` and anomalous DLL loading events. These are often flagged as behaviors related to “Signed Binary Proxy Execution.”
Impact
The successful exploitation of CVE-2024-21315 has a severe impact, granting an attacker complete, SYSTEM-level control over the target Windows host. This leads to:
Full System Compromise: The attacker gains the highest level of privileges on the operating system, allowing them to bypass all standard access controls.
Data Confidentiality: With `SYSTEM` access, the attacker can read any file on the compromised system, including personal documents, databases, and configuration files.
Data Integrity: The attacker can modify, corrupt, or destroy any system or user data. They can also alter system settings and installed software.
Availability: The attacker can disable security software (including the vulnerable Defender itself), terminate critical processes, or perform actions that render the system unusable.
Lateral Movement: The compromised host becomes a beachhead within a corporate network, allowing the attacker to pivot to other connected systems and servers, escalating the breach.
Persistence: The attacker can install backdoors, rootkits, or create new privileged user accounts to ensure they maintain access even after a reboot.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

