November Patch Tuesday reveals 90 vulnerabilities

Microsoft is addressing 90 vulnerabilities this November 2024 Patch Tuesday, with evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today (November 12). However, as with last month’s batch, it doesn’t assess any of these zero-day vulnerabilities as critical severity (yet).

Of those four, two are listed as exploited in the wild, and both are now listed on CISA KEV. Microsoft is aware of some level of public disclosure for three of them, and is also patching two other critical remote code execution (RCE) vulnerabilities. Two browser vulnerabilities were already published separately earlier this month and are not included in the total.

CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services. The vulnerability only affects assets with the Windows Active Directory Certificate Services role installed, but an attacker who successfully exploits it could gain domain administrator privileges, so that is little comfort. Unsurprisingly, given the potential prize for attackers, Microsoft considers future exploitation more likely.

Vulnerable PKI environments are those with published certificate templates created using certificate template version 1, with the subject name source set to “supplied in the request” and Enroll permissions granted to a broad set of accounts. Unfortunately, Microsoft does not provide any means to determine the version of the certificate template used to create a given certificate. However, the advisory offers recommendations for anyone looking to review their certificate templates.
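An added example, not code from the original post, from Microsoft or from Rapid7: a PowerShell audit that lists the published templates matching the preconditions above (schema version 1, subject name supplied in the request, Enroll granted to a broad principal). It assumes the RSAT ActiveDirectory module on a domain-joined host and treats Everyone, Authenticated Users and Domain Users as “broad”; the Certificate-Enrollment right GUID and the ENROLLEE_SUPPLIES_SUBJECT flag bit are the standard AD CS values.

```powershell
# Added audit example (not from the original post): find published AD CS templates
# that meet the CVE-2024-49019 / ESC15 preconditions described in the advisory.
# Assumes RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$broadSids  = @('S-1-1-0', 'S-1-5-11')                        # Everyone, Authenticated Users
$broadSids += (Get-ADDomain).DomainSID.Value + '-513'         # Domain Users

# Only templates published on an enterprise CA can actually be enrolled.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor |
ForEach-Object {
    $t       = $_
    $v1      = $t.'msPKI-Template-Schema-Version' -eq 1
    $subjReq = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $isPub   = $published -contains $t.Name
    # Principals holding Enroll: an Allow ACE for the Certificate-Enrollment right,
    # for all extended rights (empty ObjectType), or GenericAll on the template.
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [Guid]::Empty)))
    } | ForEach-Object { $_.IdentityReference }
    $broad = $enrollers | Where-Object {
        $sid = try { $_.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
        $sid -in $broadSids
    }
    [pscustomobject]@{
        Template       = $t.Name
        Published      = $isPub
        SchemaVersion  = $t.'msPKI-Template-Schema-Version'
        SubjectFromReq = $subjReq
        BroadEnroll    = ($broad -join ', ')
        Exposed        = $isPub -and $v1 -and $subjReq -and [bool]$broad
    }
} | Where-Object Exposed | Format-Table -AutoSize
```

Templates it lists are candidates for the advisory’s remediation (restrict Enroll, or move off “supplied in the request” where the business use allows), not proof of compromise.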

There is a significant history of research into and exploitation of Active Directory Certificate Services, including the widely discussed Certified Pre-Owned series, and the discovering researchers have now added to that corpus, labeling CVE-2024-49019 as ESC15. In keeping with another long-standing information security tradition, the researcher has given this celebrity vulnerability a fun name (in this case EKUwu, a portmanteau of EKU, extended key usage, and UwU, an emoticon representing a cute face) as part of their detailed and insightful write-up.

Given its CVSSv3 base score of 6.0, one could almost be forgiven for overlooking CVE-2024-43451, which describes an NTLM hash disclosure spoofing vulnerability in the MSHTML platform that powered Internet Explorer. However, public disclosure and in-the-wild exploitation are always worth paying attention to. Although the exploit requires the user to interact with a malicious file, a successful attacker receives the user’s NTLMv2 hash and can then use it to authenticate as that user.

You could argue that Microsoft has scored CVE-2024-43451 correctly according to the CVSSv3.1 specification. However, although Microsoft’s CVSSv3 vector describes an impact on confidentiality only, if an attacker is able to authenticate as the user after exploitation, there is greater potential for subsequent impact on integrity and availability; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the kind of number at which alarm bells typically start ringing for many defenders.

Worse still, the advisory FAQ describes the required user interaction as minimal: a left-click, a right-click, or even the highly non-specific “perform an action other than open or run [the file]”. There’s certainly potential for a long exploitation tail here, especially in environments with a more relaxed patch cadence.

The entire Windows catalog, from Server 2025 and Windows 11 24H2 back to Server 2008, receives patches for CVE-2024-43451. As Rapid7 has previously noted, MSHTML (aka Trident) is still fully present on Windows (and therefore unpatched assets are vulnerable) regardless of whether a Windows asset has Internet Explorer 11 disabled or not.

It’s been a few months since we’ve seen security patches for Exchange, but the streak is now broken with a zero-day vulnerability. Mail server administrators should pay attention to CVE-2024-49040, which is a publicly disclosed spoofing vulnerability. The specific weakness is CWE-451: User Interface (UI) Misrepresentation of Critical Information, which is often associated with phishing attacks as well as browser vulnerabilities, and can describe a wide range of misdeeds, from visual truncation and UI overlaying to homograph abuse. Microsoft does not yet claim knowledge of in-the-wild exploitation.

The advisory for CVE-2024-49040 suggests that post-patch actions may be required to address the issue, and links to more information in a separate article titled “P2 FROM header detection not supported by Exchange Server RFC”. A close reading of the article does not appear to list any mandatory actions after applying the patch; instead, there is an optional additional defense-in-depth mitigation around Exchange transport rules, as well as a detailed and encouraging explanation of the protection offered by the current patches.

The article explains that an Exchange-connected email client, such as Outlook, can display a spoofed sender as if it were legitimate, which we can all agree is not a good outcome. Attackers don’t have to look far to find other vulnerabilities to chain with this one, since today’s sister zero-day, CVE-2024-43451, is certainly an option. On a lighter note, let’s take a moment to appreciate the title of the Exchange team blog: “You Had Me At EHLO”.

Patches for CVE-2024-49040 are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23. It’s worth remembering that both Exchange 2016 and 2019 have an extended end-of-support date of 2025-10-14, which is now less than a year away; this despite the fact that the successor to 2016 and 2019, which Microsoft subtly calls Exchange Server Subscription Edition, will not be released until early in the third quarter of 2025. No doubt many administrators would prefer a longer upgrade window.

The researcher who reported CVE-2024-49040 also discovered a means to impersonate Microsoft corporate email accounts earlier this year, but made their findings public after Microsoft dismissed their report; it seems that the relationship has been repaired at least a little.

Windows Task Scheduler provides all sorts of useful functionality, and if you’re a threat actor, it now offers one more: elevation of privilege via CVE-2024-49039. Microsoft is aware of exploitation in the wild. Given the low attack complexity, low privilege requirement, lack of user interaction, high impact across the entire CIA triad, and the scope change, it is not surprising that the CVSSv3 base score comes out at a relatively enthusiastic 8.8.

However, Windows elevation of privilege vulnerabilities are always more interesting to attackers when they lead directly to SYSTEM privileges, and that is not the case here. The attacker in this scenario starts in a low-privilege AppContainer sandbox, and exploitation through a malicious application provides medium integrity level privileges, which is the same as a normal non-administrative user of the system.

Still, every step forward for a threat actor is a step back for defenders.

This month brings patches for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is rarely a harbinger of good news. Exploitation could mean compromising a desktop application by loading a malicious file, but more worryingly, it could also mean RCE in the context of a vulnerable .NET web application via a specially crafted request. Microsoft assesses exploitation as less likely, but nothing in the advisory obviously supports that assessment, since this is a low-complexity network attack requiring no privileges or user interaction. CVE-2024-43498 is certainly worthy of an immediate patch. It’s also not a bad idea to review other protection options, especially for services exposed to the Internet.

The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 9.8, although not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to exploit a cryptographic protocol vulnerability in Windows Kerberos to achieve remote code execution against the target, but without providing much information about the target or the precise context of the code execution. The only safe assumption here is that code execution occurs in a highly privileged context on a server that handles key authentication tasks.

Patch accordingly.
