CVE CyberSecurity Database News

CVE-2024-38202 - Windows Backup Elevation of Privilege Vulnerability — What You Need To Know

Poster -

---

Summary

CVE-2024-38202 is a newly discovered vulnerability affecting Microsoft Windows’ built-in Backup tool. If exploited, it can allow attackers with basic user rights to trick an administrator into bypassing security controls — including reactivating vulnerabilities that were already fixed or turning off critical features of Virtualization-based Security (VBS). Fortunately, exploitation does require a privileged user’s interaction, and currently there are no confirmed reports of attacks in the wild. Microsoft is working on a patch but hasn’t released one yet.

Here’s everything you need to know about CVE-2024-38202, including links to official Microsoft guidance, tips for reducing risk, and demonstration of the issue using code snippets.

What Is CVE-2024-38202?

This vulnerability is an elevation of privilege (EoP) bug. A regular, non-admin user can exploit Windows Backup to escalate their privileges under certain circumstances. Specifically, the attacker takes advantage of the way restore operations handle permissions. Here’s how it could play out:

They prepare a malicious backup, or alter existing backup files.

3. They convince (phish, social engineer, or wait for) an admin user to perform a system restore using the malicious files.
4. During the restore process, Windows Backup fails to properly enforce some security boundaries — leading to the possibility of re-enabling previously mitigated bugs, or disabling some security controls (like VBS features).

Key point: It’s not a remote or automatic exploit; it needs some user interaction at admin level.

For Microsoft’s official summary, see the CVE listing:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202

Exploit Details

At its core, the vulnerability comes from Windows Backup not adequately enforcing access permissions on certain files during the restore process. Though technical specifics have not been released to the public, Microsoft warns that backup files could be crafted or manipulated to reintroduce mitigated vulnerabilities — or change security settings during a restore.

Let’s look at a conceptual Python code snippet that could simulate part of the attack chain (for educational purposes):

import os
import shutil

# Assume 'attacker' user already has access to a backup directory
# Attacker prepares a malicious registry backup:
malicious_registry = r'C:\Users\attacker\malicious_hive.reg'

with open(malicious_registry, 'w') as f:
    f.write('Windows Registry Editor Version 5.00\n')
    f.write('[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n')
    f.write('"AutoAdminLogon"="1"\n')
    f.write('"DefaultUserName"="attacker"\n')
    f.write('"DefaultPassword"="hacked_password"\n')

# Attacker replaces actual backup file with malicious one (requires access/permission)
backup_folder = r'C:\Backup\SystemState\registry.bak'
shutil.copyfile(malicious_registry, backup_folder)

print("[!] Malicious backup prepared. Now waiting for admin user to perform a restore.")

*This code is illustrative — it would require the attacker to manipulate files they normally shouldn’t be able to, and only works if an admin performs a restore from these files. The essence: attackers plant files, then need to trick admins into restoring them.*

References and Further Reading

- Microsoft’s Official CVE-2024-38202 Notice & Guidance
- Audit Object Access: File Access Auditing
- Basic audit policy on files or folders
- Audit Sensitive Privilege Use
- Backup/Restore Privilege Auditing
- Access Control & DACL Overview

And the Microsoft Security Update Guide for notifications:
https://msrc.microsoft.com/update-guide/

Turn on “Audit Object Access” to see when backup files are read, modified, or deleted.

- Audit Object Access Guide

Make sure only trusted admins can perform backup and restore operations.

- Audit: Backup and Restore Privileges
3. Tighten Access Control Lists (ACLs/DACLs)
- Restrict backup file access to admins — others shouldn't be able to write or replace backup images.
- Access Control

Audit Sensitive Privilege Use

- Enable auditing for sensitive privileges (like SeBackupPrivilege and SeRestorePrivilege) to detect suspicious activity.
- Audit Sensitive Privilege Use

What Happens Next?

Microsoft is preparing an official fix for CVE-2024-38202, but hasn’t released it at this time (as of June 2024). Customers and administrators should monitor the Microsoft Security Update Guide and consider subscribing for notifications.

A public presentation about this flaw was given at BlackHat (August 7, 2024), so public awareness (and likely interest among attackers) will increase in the coming months. Stay alert!

Final Thoughts

CVE-2024-38202 is a classic example of a “user-in-the-middle” privilege escalation. Although not trivial to exploit, the risk rises where regular users can access or modify backup files, and where admins do not verify the integrity and origin of their backups. Take time now to audit your backup procedures, watch for suspicious restore operations, and tighten access rights wherever possible.

If you want to stay up to date, subscribe to Microsoft’s security notifications — it’s the fastest way to get word when the official fix is released.

Stay safe and secure!

*(This post is exclusive content providing simple, practical steps — not copied from elsewhere. For original MSRC text, see the links above.)*

Timeline

Published on: 08/08/2024 02:15:38 UTC
Last modified on: 08/08/2024 20:45:24 UTC