Patch Tuesday Roundup, September 2024


Rapid7 Principal Software Engineer Adam Barnett brings us up to speed on the latest vulnerabilities patched by Microsoft, and unfortunately, four are already being exploited in the wild.

Microsoft is addressing 79 vulnerabilities this September 2024 Patch Tuesday.

Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today (September 11); at the time of writing, all four are listed on CISA KEV. Microsoft is also patching four critical remote code execution (RCE) vulnerabilities today. Unusually, Microsoft has yet to patch any browser vulnerabilities this month.

At first glance, the most concerning vulnerability currently exploited in the wild is CVE-2024-43491, which describes a pre-authentication RCE vulnerability caused by a regression in the Windows servicing stack that reverted fixes for several previous vulnerabilities affecting optional components. The CVSSv3.1 base score is 9.8, which is usually not good news. However, things are not as bad as they seem: the key takeaway here is that only Windows 10 version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) is affected. Additionally, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to have been exploited, it has not seen in-the-wild exploitation of CVE-2024-43491 itself, and the flaw was discovered by Microsoft. All in all, while there are certainly more than a few organizations still running Windows 10 version 1507, most administrators can breathe a sigh of relief on this one and then go back to worrying about everything else.

The servicing stack regression described by CVE-2024-43491 was introduced in the March 2024 patches. Those nostalgic few still running Windows 10 version 1507 should note that both the servicing stack update and the regular Windows operating system update released today are required, and that they should be applied in that order. Microsoft does not specify which vulnerabilities were accidentally unpatched in March, although there is a significant list of affected optional components at the end of the FAQ, so the set of vulnerabilities at play is potentially quite long. Over time, an enthusiastic data miner could certainly compile a list of likely suspects. Microsoft also provided a high-level explanation of what went wrong: the build number of the March 2024 security update for 1507 triggered a latent code defect in the servicing stack, and any optional components that were updated during this period were downgraded to their RTM version. This may sound eerily similar to the Windows operating system downgrade attacks revealed at Black Hat USA 2024 last month, but there is no substantial connection between the two. It is very likely that someone at Microsoft headquarters is carefully reviewing other versions of Windows for similar flaws triggered by version ranges in the servicing stack.

The Mark-of-the-Web (MotW) security feature bypass CVE-2024-38217 is not only known to be exploited, but has also been publicly disclosed in an extensive write-up, with exploit code also available on GitHub. Beyond that, the discoverer points to VirusTotal samples dating back to 2018 to show that this has been abused for a long time. As is often the case with MotW bypass vulnerabilities, exploitation occurs when a user downloads and opens a specially crafted malicious file, which can then bypass the SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.
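Since MotW bypasses work by producing a downloaded file that SmartScreen and Attachment Services do not treat as untrusted, a defender's first triage step is simply to check which files in a download location carry a Mark-of-the-Web at all. The following PowerShell function is an added example and not code from the Rapid7 post or from the CVE write-up; it assumes Windows PowerShell 5.1 or later on an NTFS volume, and the `Get-MotwStatus` name and `Verdict` labels are this example's own.

```powershell
# Added example, not from the Rapid7 post: report whether each file in a folder carries a
# Mark-of-the-Web (the NTFS Zone.Identifier alternate data stream) and which zone it names.
# Assumes Windows PowerShell 5.1+ on NTFS. Zone ids are the standard URLMON values:
# 3 = Internet and 4 = Restricted Sites are what trigger the SmartScreen reputation check
# and the Attachment Services prompt; a missing stream or a lower zone does not.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $file    = $_
        $zoneId  = $null
        $hostUrl = $null

        # Get-Item returns nothing (no exception) when the stream is absent.
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            foreach ($line in Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) {
                if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$')   { $hostUrl = $Matches[1] }
            }
        }

        # A stream with no parseable ZoneId line is treated the same as no stream at all.
        $verdict = if ($null -eq $zoneId) { 'NoMotW' }
                   elseif ($zoneId -ge 3) { 'Untrusted' }
                   else { 'TrustedZone' }

        [pscustomobject]@{
            File    = $file.Name
            ZoneId  = $zoneId
            HostUrl = $hostUrl
            Verdict = $verdict
        }
    }
}

# Usage: files that arrived via a browser but show NoMotW or TrustedZone deserve a closer look.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" | Where-Object Verdict -ne 'Untrusted'
```

The check only tells you what the file currently claims about its origin; a file that a bypass has stripped of its mark looks identical to one copied from a local share, so correlate with browser or proxy download logs before drawing conclusions.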

Next in today’s quartet of vulnerabilities exploited in the wild is CVE-2024-38014: an elevation of privilege vulnerability in Windows Installer. The CVSSv3.1 base score of 7.8 aligns with Microsoft’s severity rating of important rather than critical. Exploitation yields code execution as SYSTEM, and although the attack vector is local, this could be at least somewhat attractive to malware authors, since both attack complexity and privilege requirements are low and no user interaction is required. In this case, CWE-269: Improper Privilege Management most likely describes a way of making Windows Installer overly generous with the privileged access it needs in order to install software and configure the operating system. All current versions of Windows receive a fix, as does Server 2008, which Microsoft persists in patching from time to time out of the goodness of its heart, even though the end of official support was almost a year ago.

It’s been a while since we’ve talked about Microsoft Publisher, so today’s release of CVE-2024-38226 (a local security feature bypass of Office macro policies) gives us the opportunity to do so. The preview pane is not an attack vector, and the description of the exploitation methodology in the FAQ is welcome but somewhat unusual: an attacker must not only convince a user to download and open a malicious file, but must also be authenticated to the system itself, although the FAQ doesn’t explain further.

Beyond the vulnerabilities that are known to have already been exploited or disclosed, we see three critical RCE vulnerabilities: two in SharePoint and one in the Windows NAT implementation.

Exploitation of the network-vector SharePoint RCE CVE-2024-38018 requires an attacker to already have Site Member permissions, but since those aren’t exactly the crown jewels, attack complexity is low, and no user interaction is required, Microsoft quite reasonably rates this as critical on its own proprietary severity scale and expects exploitation to become more likely.

The second critical SharePoint RCE patched this month is CVE-2024-43464, which describes deserialization of untrusted data leading to code execution in the context of SharePoint Server via specially crafted API calls after uploading a malicious file; a mitigating factor is that the attacker must already have Site Owner permissions or better. This all sounds very similar to CVE-2024-30044, which Rapid7 wrote about in May 2024.

Rounding out this month’s critical RCE vulnerabilities is CVE-2024-38119, which describes a use-after-free flaw in Windows’ NAT implementation. The attack vector is listed as adjacent, so an attacker would need an existing foothold on the same network as the target asset before winning a race condition, which raises attack complexity to high. Although it appears to be a pre-authentication RCE, Microsoft considers exploitation less likely. For unknown reasons, Server 2012/2012 R2 does not receive a patch, although all newer supported Windows versions do.

After a couple of busy months in March and April 2024, all has been quiet on the Exchange front for quite some time, and this month extends that curious streak of luck.

There are no significant changes to Microsoft’s product lifecycle during September 2024, although anyone responsible for Azure Database for MySQL – Single Server has until the retirement date of September 16, 2024 to migrate to a supported service in order to avoid an involuntary forced migration and server unavailability. As Rapid7 noted last month, Visual Studio for Mac received its final patches on August 31, 2024. Additionally, on August 31, 2024, several legacy Azure services reached retirement, including Azure Cache for Redis on Cloud Services (classic). Major changes to the Windows 11 lifecycle will occur in October: end of servicing for version 21H2 of Windows 11 Enterprise and Education, as well as end of servicing for version 22H2 of the other Windows 11 editions. Legacy software fans will already know that Server 2012 and 2012 R2 will move into the second year of the cash-for-updates Extended Security Update program in October.
