November Patch Tuesday reveals 90 vulnerabilities

Microsoft is addressing 90 vulnerabilities this November 2024 Patch Tuesday, with evidence of exploitation in the wild and/or public disclosure for four of the vulnerabilities published today (November 12). However, as with last month’s batch, it does not (yet) rate any of these zero-day vulnerabilities as critical severity.

Of these four, two are listed as exploited in the wild, and both are now listed on CISA KEV. Microsoft is aware of some level of public disclosure for three of the four, and is also patching two other critical remote code execution (RCE) vulnerabilities. Two browser vulnerabilities have already been published separately this month and are not included in the total.

CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services. Although the vulnerability only affects assets with the Windows Active Directory Certificate Services role installed, an attacker who successfully exploits it could gain domain administrator privileges, which does not offer much comfort. Unsurprisingly, given the potential payoff for attackers, Microsoft rates future exploitation as more likely.

Vulnerable PKI environments are those that include published certificate templates created using version 1 of the template schema, with the subject name source set to “supplied in the request”, and with Enroll permissions granted to a broad set of accounts. Microsoft does not appear to provide any way to determine the version of the certificate template used to create a given certificate. However, the advisory offers recommendations for anyone interested in securing certificate templates.
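One way to inventory templates that match those three preconditions is to query the Configuration partition directly. The script below is an added example, not code from Microsoft’s advisory or the original post; the list of “broad” principals is an assumption to adjust for your own domain, and it assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from Microsoft's advisory or the original post): list published
# AD CS templates that match the preconditions above: schema version 1, subject name
# supplied in the request, and Enroll granted to broad principals. Requires RSAT.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiServices  = "CN=Public Key Services,CN=Services,$configNC"
$templateBase = "CN=Certificate Templates,$pkiServices"

# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$EnrolleeSuppliesSubject = 0x1
# Extended-right GUID of Certificate-Enrollment (the "Enroll" permission)
$EnrollRight = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
# Principals treated as "broad" for this check (an assumption; adjust to your domain)
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# A template is only usable once it is published on at least one enrollment service (CA)
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiServices" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor |
  Where-Object {
      $published -contains $_.Name -and
      $_.'msPKI-Template-Schema-Version' -eq 1 -and
      ($_.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0
  } |
  ForEach-Object {
      $tmpl = $_
      # Enroll is effectively granted by GenericAll, by all extended rights, or by the Enroll right itself
      $broadEnroll = foreach ($ace in $tmpl.nTSecurityDescriptor.Access) {
          if ($ace.AccessControlType -ne 'Allow') { continue }
          $name = ($ace.IdentityReference.Value -split '\\')[-1]
          if ($BroadPrincipals -notcontains $name) { continue }
          $hasGenericAll = ($ace.ActiveDirectoryRights -band $Rights::GenericAll) -eq $Rights::GenericAll
          $hasEnroll     = (($ace.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
                           ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollRight)
          if ($hasGenericAll -or $hasEnroll) { $name }
      }
      if ($broadEnroll) {
          [pscustomobject]@{
              Template    = $tmpl.Name
              BroadEnroll = ($broadEnroll | Sort-Object -Unique) -join ', '
          }
      }
  }
```

Each template the script reports is a candidate for the hardening steps in Microsoft’s advisory (removing the flag, tightening Enroll, or unpublishing it); certificates already issued from such a template are not identified by this query.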

There is a significant history of research into and exploitation of Active Directory Certificate Services, including the widely discussed Certified Pre-Owned series, and the discovering researchers have now added to this corpus, labelling CVE-2024-49019 as ESC15. In keeping with another long-standing information security tradition, the researchers gave the vulnerability a fun celebrity name, EKUwu, a portmanteau of EKU (extended key usage) and UwU, an emoticon representing a cute face, as part of their detailed and insightful write-up.

Given the CVSSv3 base score of 6.0, one could almost be forgiven for overlooking CVE-2024-43451, which describes an NTLM hash disclosure spoofing vulnerability in the MSHTML platform that underpins Internet Explorer. However, public disclosure and exploitation in the wild make it worth a closer look. Although exploitation requires the user to interact with a malicious file, a successful attacker receives the user’s NTLMv2 hash and can then use it to authenticate as that user.

Microsoft has no doubt scored CVE-2024-43451 correctly according to the CVSSv3.1 specification. However, although Microsoft’s CVSSv3 vector describes an impact on confidentiality only, if an attacker can authenticate as the user after exploitation, there is additional potential for further impact on integrity and availability; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the kind of number where alarm bells typically start ringing for many defenders.

As another sting in the tail, the advisory FAQ describes the required user interaction as minimal: a single left-click, a right-click, or even the very non-specific “perform an action other than opening or running [the file]”. There is certainly long-term exploitation potential here, especially in environments where the patching cadence is more relaxed.

The complete Windows catalogue, from Server 2025 and Windows 11 24H2 back to Server 2008, receives fixes for CVE-2024-43451. As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows, and unpatched assets are therefore vulnerable, whether or not Internet Explorer 11 is disabled on a Windows asset.

It’s been a few months since we last saw security patches for Exchange, but that streak is now broken by a zero-day vulnerability. Email server administrators should pay attention to CVE-2024-49040, a publicly disclosed spoofing vulnerability. The specific weakness is CWE-451: User Interface (UI) Misrepresentation of Critical Information, which is often associated with phishing attacks as well as browser vulnerabilities, and can describe a wide range of sins, from visual truncation to user interface overlay to homograph abuse. Microsoft does not yet claim to be aware of any exploitation in the wild.

The advisory for CVE-2024-49040 suggests that post-patch actions may be necessary to remediate CVE-2024-49040, and links to additional information in a separate article titled “Exchange Server RFC non-compliant P2 FROM header detection”. A careful reading of the article does not appear to list any required actions after applying the patch; instead, there is an optional additional mitigation action involving Exchange transport rules, as well as a detailed and encouraging explanation of the protection offered by the current patches.

The article shows that an Exchange-connected email client such as Outlook can display a fake sender as if it were legitimate, which we can all agree is not a good outcome. Attackers don’t need to look far for other vulnerabilities to chain with this one, since today’s zero-day CVE-2024-43451 is definitely an option. On the other hand, let’s take a moment to appreciate the title of the Exchange team’s blog: “You Had Me at EHLO”.

Fixes for CVE-2024-49040 are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23. It’s worth remembering that Exchange 2016 and 2019 have an extended end-of-life date of 10/14/2025, less than a year from now, even though the successor to 2016 and 2019, which Microsoft unsubtly calls Exchange Server Subscription Edition, is not expected to be released until early Q3 2025. Many administrators would undoubtedly prefer a longer upgrade window.

The researcher who reported CVE-2024-49040 also discovered a way to impersonate Microsoft corporate email accounts earlier this year, but made their findings public after Microsoft rejected their report; it appears the relationship has since been at least somewhat restored.

Windows Task Scheduler facilitates all kinds of useful outcomes, and if you’re a bad actor, it now offers one more: privilege escalation via CVE-2024-49039. Microsoft is aware of exploitation in the wild. Considering the low attack complexity, the low privilege requirement, the lack of user interaction, the high impact across the CIA triad and the changed scope, it is no surprise that the CVSSv3 base score is a relatively spicy 8.8.

However, Windows elevation of privilege vulnerabilities are always more interesting to attackers when they lead directly to SYSTEM privileges, and that is not the case here. The attacker in this scenario starts in a low-privilege AppContainer sandbox, and exploitation via a malicious application yields medium integrity privileges, which is equivalent to a regular non-administrator user of the system.

Yet every step forward for a threat actor is a step back for defenders.

This month brings fixes for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is so rarely a harbinger of good news. Exploitation can mean compromising a desktop application by loading a malicious file, but more worryingly, it can also mean RCE in the context of a vulnerable .NET web application via a specially crafted request. Microsoft rates exploitation as less likely, but nothing in the advisory obviously supports this assessment, since it is a low-complexity network attack requiring neither privileges nor user interaction. CVE-2024-43498 surely deserves prompt patching. It’s also never a bad idea to look into other protection options, especially for services exposed to the Internet.

The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 9.8, but not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to exploit a cryptographic protocol vulnerability in Windows Kerberos to execute code remotely on the target, but without providing much detail about the target or the precise context in which code execution occurs. The only safe assumption here is that code execution occurs in a highly privileged context on a server that handles key authentication tasks.

Patch accordingly.