A critical vulnerability, CVE-2024-38193, has been discovered in the Windows driver afd.sys, which impacts the Registered I/O (RIO) extension for Windows sockets. This flaw allows attackers to exploit a race condition between two functions, AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer(), within the driver, potentially leading to privilege escalation. The vulnerability enables malicious actors to access freed memory, which can result in attackers gaining control over a system with NT AUTHORITY\SYSTEM privileges. This critical issue was addressed in the August 2024 Patch Tuesday update from Microsoft.
The RIO extension is designed to enhance socket programming by reducing system calls and optimizing buffer operations. However, the race condition that arises when the buffer registration and deregistration processes are manipulated opens the door for exploitation. Attackers can use heap spraying to fill the non-paged pool with fake RIOBuffer structures, creating conditions that trigger the use-after-free vulnerability when two concurrent threads interact with the registered buffers.
To exploit the vulnerability, attackers need to craft fake RIOBuffer structures and create two threads: one continuously uses the registered buffers, while the other attempts to deregister them. This race condition, if successful, results in the use of freed memory, giving attackers the opportunity to overwrite critical kernel memory locations. By doing so, they can escalate their privileges to NT AUTHORITY\SYSTEM, gaining full control of the affected system.
Microsoft has already released a patch to address CVE-2024-38193, and administrators are strongly urged to apply the August 2024 security updates to mitigate the risk. In addition to patching systems, it is important for organizations to ensure that antivirus software is up-to-date and security updates are applied automatically. This vulnerability serves as a reminder of the critical importance of timely patch management and vigilant system monitoring to protect against exploitation.
Reference:
