Patch Tuesday Roundup, October 2024


October Patch Tuesday reveals 118 vulnerabilities, including multiple instances of in-the-wild exploitation, while several products officially reach end of support.

Microsoft is addressing 118 vulnerabilities this October 2024 Patch Tuesday and has evidence of in-the-wild exploitation and/or public disclosure for five of the vulnerabilities published today (October 8), although it does not rate any of them as critical (yet).

Of those five, Microsoft lists two as exploited in the wild, and both are now listed on CISA KEV. Microsoft is also patching three other critical remote code execution (RCE) vulnerabilities; three browser vulnerabilities already published separately this month are not included in the total.

Somewhat unusually, we will take a look at two of the three critical RCEs published today, CVE-2024-43468 and CVE-2024-43582, before moving on to the possibly somewhat less threatening zero-day vulnerabilities patched today.

Microsoft Configuration Manager receives a patch for the only vulnerability published today by Microsoft with a CVSS base score of 9.8. Although Microsoft does not label it as publicly disclosed or exploited in the wild, the advisory for CVE-2024-43468 appears to describe an unauthenticated, low-complexity, no-interaction network RCE against Microsoft Configuration Manager. Exploitation is achieved by sending specially crafted malicious requests and leads to code execution in the context of the Configuration Manager server or its underlying database. The relevant update is installed from within the Configuration Manager console and requires specific administrator actions that Microsoft describes in a generic series of articles. More information and the specific steps required are described in KB29166583.

Confusingly, KB29166583 was first published over a month ago, on September 4, then unpublished and republished on September 18, all without any mention of CVE-2024-43468, which was only published today and which KB29166583 apparently fixes. Defenders should carefully read the available documentation, and probably re-read it just in case.

Any critical RCE in the RDP server is worth patching quickly. CVE-2024-43582 is a critical pre-authentication RCE in the Remote Desktop Protocol server. Exploitation requires an attacker to send deliberately malformed packets to a Windows RPC host and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including the RPC interface restriction configuration on the target asset. On the positive side, attack complexity is high, since the attacker must win a race condition to trigger the incorrect memory access.

Who doesn’t love a good privilege escalation? Weary blue team members who see the words “publicly disclosed” on a new advisory know the answer. CVE-2024-43583 describes a flaw in Winlogon that elevates an attacker to SYSTEM by abusing a third-party input method editor (IME) during the login process. The supplementary article KB5046254 explains that the October 8 patches disable non-Microsoft IMEs during the login process. On that basis, completely removing the third-party IME is a mitigation available to anyone who cannot apply the current patches immediately.

Reducing your attack surface is always worth considering, and removing third-party IMEs certainly does that. Anyone who needs to retain a third-party IME can still do so, but once today’s patches are applied, that third-party IME will be disabled (only in the context of the login process) to prevent exploitation of CVE-2024-43583. Although Microsoft does not explain this in detail, the only reasonable interpretation of the available information is that an asset with no first-party Microsoft IME installed would remain vulnerable after applying the patch, since otherwise there would be no IME available at all when attempting to log in. Use of third-party IMEs is more likely to be an issue in mixed-language or non-English-speaking environments. The disclosure process around this vulnerability may not have been entirely smooth; in September, one of the researchers credited with the discovery expressed dissatisfaction with MSRC on X.
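Working out whether an asset actually carries a third-party IME is the first step of the mitigation described above. The following is an added example written for this post, not code from Microsoft or from the original article. It assumes that text input processors (TIPs, the mechanism IMEs register through) are listed under HKLM:\SOFTWARE\Microsoft\CTF\TIP, that each TIP CLSID resolves to its DLL via the InprocServer32 key under HKLM:\SOFTWARE\Classes\CLSID, and that a valid Microsoft Authenticode signature on that DLL is a usable heuristic for "first-party". Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): inventory the text input processors
# (TIPs, which include IMEs) registered on a Windows host and flag those whose DLL
# is not signed by Microsoft. Registry locations and the signature heuristic are
# assumptions stated in the lead-in. Run as an administrator.

function Get-RegisteredTip {
    $tipRoot = 'HKLM:\SOFTWARE\Microsoft\CTF\TIP'
    if (-not (Test-Path $tipRoot)) { return @() }

    foreach ($tipKey in Get-ChildItem -Path $tipRoot) {
        $clsid = $tipKey.PSChildName
        $dllPath = $null
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path $serverKey) {
            # The default value of InprocServer32 is the path of the COM server DLL.
            $dllPath = (Get-ItemProperty -Path $serverKey).'(default)'
            if ($dllPath) { $dllPath = [Environment]::ExpandEnvironmentVariables($dllPath) }
        }

        # Collect profile descriptions (one TIP may serve several languages).
        # Descriptions are often resource references such as "@C:\...\input.dll,-5043".
        $descriptions = @()
        $profileRoot = Join-Path $tipKey.PSPath 'LanguageProfile'
        if (Test-Path $profileRoot) {
            foreach ($langKey in Get-ChildItem -Path $profileRoot) {
                foreach ($profileKey in Get-ChildItem -Path $langKey.PSPath) {
                    $desc = (Get-ItemProperty -Path $profileKey.PSPath -ErrorAction SilentlyContinue).Description
                    if ($desc) { $descriptions += $desc }
                }
            }
        }

        $signer = 'unknown'
        $status = 'NotChecked'
        if ($dllPath -and (Test-Path $dllPath)) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Clsid           = $clsid
            Descriptions    = ($descriptions -join '; ')
            DllPath         = $dllPath
            SignatureStatus = $status
            Signer          = $signer
            # Heuristic: a valid Microsoft signature marks a first-party TIP; anything else is reviewed.
            IsMicrosoft     = ($status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        }
    }
}

$tips = Get-RegisteredTip

# First-party TIPs are listed for reference; third-party ones are the candidates for
# removal, or at least for review once the October patch has disabled them at logon.
$tips | Sort-Object IsMicrosoft | Format-Table Clsid, Descriptions, SignatureStatus, IsMicrosoft, DllPath -AutoSize

# Cross-reference with the input methods the current user actually has configured.
# InputMethodTips entries for TIPs look like "0804:{<tip clsid>}{<profile guid>}".
$configured = (Get-WinUserLanguageList | ForEach-Object { $_.InputMethodTips }) -join "`n"
$tips | Where-Object { -not $_.IsMicrosoft } | ForEach-Object {
    $inUse = $configured -match [regex]::Escape($_.Clsid)
    "Third-party TIP $($_.Clsid) [$($_.Descriptions)] configured for current user: $inUse"
}
```

The per-user cross-reference only covers the account running the script; on a shared asset, repeat it for each profile, or check HKU for the loaded hives. A TIP with no first-party counterpart for a given language is exactly the case the text above flags as still needing the patch rather than removal.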

CVE-2024-20659 describes a publicly disclosed security feature bypass in Hyper-V. Microsoft rates exploitation as less likely and of high complexity. An attacker must be both lucky and resourceful, since only UEFI-enabled hypervisors on certain unspecified hardware are vulnerable, and exploitation requires the coordination of a number of factors followed by a timely reboot, all after first gaining a foothold on the same network; in this context that likely means access to a virtual machine on the target hypervisor rather than another location on the same subnet. The reward for successful exploitation is compromise of the hypervisor kernel.

CVE-2024-43573 is a phishing vulnerability in MSHTML, exploited in the wild, for which Microsoft is also aware of working public exploit code; the advisory lists CWE-79 (cross-site scripting, XSS) as the weakness. The advisory is light on further detail, although Windows Server 2012/2012 R2 administrators who typically install Security Only updates should note that Microsoft recommends installing the Monthly Rollup to receive the fix in this case. The low CVSSv3 base score of 6.5 reflects the user interaction requirement and the lack of impact on integrity or availability; a reasonable assumption is that exploitation leads to inappropriate disclosure of sensitive data but has no other direct effect on the target asset.

Microsoft is best known for its closed-source products, but it has cautiously softened its stance on open source over the last quarter century or so. Windows has included components of curl for almost seven years now, along with several other open-source components, and Microsoft patches them from time to time, although not always as quickly as defenders would like. Today’s patch for CVE-2024-6197, a publicly disclosed RCE vulnerability in cURL, continues that trend.

Microsoft’s advisory for CVE-2024-6197 clarifies that Windows does not include libcurl, only the curl command line tool, but that it is still vulnerable and therefore receives the fix. Exploitation requires the user to connect to a malicious server controlled by the attacker, and code execution presumably occurs in the context of the user running the curl CLI on the Windows asset. The cURL project advisory for CVE-2024-6197 was originally published on July 24 and offers more detail from the project’s perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash and does not specifically mention RCE, although it is careful not to rule out unspecified “more serious outcomes”, which could well mean RCE. Microsoft rates this vulnerability as Important, which is in line with its CVSS base score of 8.8.

CVE-2024-43572 completes today’s five zero-day vulnerabilities and describes a low-complexity, no-user-interaction RCE in the Microsoft Management Console. Microsoft is aware of both public functional exploit code and in-the-wild exploitation. The vulnerability is exploited when a user downloads and opens a specially crafted malicious Microsoft Saved Console (MSC) file, so there is no suggestion that Management Console is vulnerable to a network attack. The current patches prevent untrusted MSC files from being opened, although the advisory does not describe how Windows decides what is trusted and what is not. Microsoft has chosen to assign CVE-2024-43572 to CWE-70, a very broad category whose use is explicitly discouraged by MITRE.
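Because the vulnerability is triggered by a downloaded MSC file, a practical triage step is to find MSC files that arrived from outside the host and to see whether mmc.exe has recently been launched with one. The script below is an added example written for this post, not code from Microsoft or from the original article. It assumes the Mark of the Web is stored in the Zone.Identifier alternate data stream (ZoneId 3 = Internet, 4 = Restricted), that user-writable content lives under the Users directory (the search root is illustrative), and that process creation auditing (event 4688 with command line logging) is enabled for the second part.

```powershell
# Added example (not from the original post): hunt for Microsoft Saved Console
# (.msc) files carrying a Mark of the Web, and list recent mmc.exe launches that
# reference an .msc file. Search root, zone meanings and the 4688 dependency are
# assumptions stated in the lead-in.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { return $null }   # no alternate stream means no Mark of the Web
    $info = @{ ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $ads) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$info
}

function Find-UntrustedMsc {
    # Illustrative default: every user profile on the system drive.
    param([string[]]$Roots = @("$env:SystemDrive\Users"))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter *.msc -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $motw = Get-MarkOfTheWeb -Path $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Modified   = $_.LastWriteTime
                SizeBytes  = $_.Length
                ZoneId     = if ($motw) { $motw.ZoneId } else { $null }
                HostUrl    = if ($motw) { $motw.HostUrl } else { $null }
                # Flagged when the file was downloaded from the Internet or Restricted zone.
                # Consoles shipped with Windows live under System32, not in user profiles.
                Suspicious = [bool]($motw -and ($motw.ZoneId -in 3, 4))
            }
        }
    }
}

# Report, most recently modified first, so fresh arrivals surface at the top.
Find-UntrustedMsc | Sort-Object Modified -Descending | Format-Table -AutoSize

# Recent mmc.exe launches with an .msc argument, from Security event 4688 (last 7 days).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'mmc\.exe' -and $_.Message -match '\.msc' } |
    Select-Object TimeCreated,
        @{ n = 'CommandLine'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }).Trim() -join ' ' } } |
    Format-Table -AutoSize
```

A console file found in a Downloads or Temp directory with ZoneId 3, paired with a 4688 event showing mmc.exe opening that same path, is the combination worth escalating; the file listing alone only tells you what has arrived, not what was opened.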

The third critical RCE patched today will hopefully be less concerning than its siblings. CVE-2024-43488 is in the Visual Studio Code extension for Arduino, and Microsoft notes that the vulnerability documented by this CVE requires no customer action to resolve. A reasonable question is: what does “no action required” really mean here? In the advisory, Microsoft claims to have fully mitigated the vulnerability and also that there is no plan to fix it. As confusing as that may seem, perhaps the most important takeaway is that Microsoft is now issuing CVEs for cloud services in a stated effort to improve transparency. It is not clear when the vulnerability was first introduced or when it was fixed, but this is still a welcome expansion of detail.

In Microsoft lifecycle news, today sees the end of support for Windows 11 22H2 Home, Pro, Pro Education, Pro for Workstations and SE editions, as well as for Windows 11 21H2 Education, Enterprise and Enterprise multi-session editions. Server 2012 and Server 2012 R2 move into Year 2 of ESU. Windows Embedded POSReady (POS stands for Point of Sale) receives its final ESU updates today, which could be the last gasp for Windows 7 as a whole.

In addition to patching today’s critical RCE CVE-2024-43468, Intune administrators still running Configuration Manager 2303 should plan to upgrade to a newer version immediately, because its support ends (unusually) this Thursday, October 10.
