Patch Tuesday Recap, October 2024

October Patch Tuesday reveals 118 vulnerabilities, including several cases of exploitation in the wild, while several products officially reach the end of support.

Microsoft is addressing 118 vulnerabilities this October 2024 Patch Tuesday, and has evidence of exploitation in the wild and/or public disclosure for five of the vulnerabilities published today (October 8), although it does not consider any of them critical (yet).

Of these five, Microsoft lists two as exploited in the wild, and both are now listed in CISA KEV. Microsoft also fixes three other critical remote code execution (RCE) vulnerabilities, and three browser vulnerabilities already published separately this month are not included in the total.

Quite unusually, we will look first at two of the three critical RCEs published today, CVE-2024-43468 and CVE-2024-43582, before moving on to the patched zero-day vulnerabilities, which are arguably a little less threatening.

Microsoft Configuration Manager receives a patch for the only vulnerability Microsoft published today with a CVSS base score of 9.8. Although Microsoft does not describe it as publicly disclosed or exploited in the wild, the advisory for CVE-2024-43468 appears to describe an unauthenticated, non-interactive, low-complexity network RCE against Microsoft Configuration Manager. Exploitation involves sending specially crafted malicious requests and leads to code execution in the context of the Configuration Manager server or its underlying database. The corresponding update is installed from the Configuration Manager console and requires specific administrator actions that Microsoft describes in detail in a general series of articles. Further information and several specific required steps are described in KB29166583.

Confusingly, KB29166583 was first published over a month ago on September 4, then unpublished and republished on September 18, all without any mention of CVE-2024-43468, which was only published today and which KB29166583 apparently fixes. Defenders should read the available documentation carefully, and then probably re-read it for good measure.

Any critical RCE in the RDP server is worth fixing quickly. CVE-2024-43582 is a critical pre-authentication RCE in the Remote Desktop Protocol server. Exploitation requires an attacker to send deliberately malformed packets to a Windows RPC host and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including the configuration of RPC interface restrictions on the target asset. On the positive side, the attack complexity is high, since the attacker must win a race condition to gain improper access to memory.

Who doesn’t love a good elevation of privilege vulnerability? Weary blue teams who see the words “publicly disclosed” on a brand-new advisory know the answer. CVE-2024-43583 describes a flaw in Winlogon that takes an attacker to SYSTEM via abuse of a third-party input method editor (IME) during the login process. The accompanying KB5046254 article explains that the October 8 patches disable non-Microsoft IMEs during the login process. Based on this, outright removal of the third-party IME is a mitigation available to anyone who is unable to apply today’s patches immediately.

Reducing the attack surface is always worth considering, and removing third-party IMEs certainly achieves that. Anyone who needs to keep a third-party IME can still do so, but once today’s patches are applied, that third-party IME will be disabled – only in the context of the login process – to prevent exploitation of CVE-2024-43583. Although Microsoft doesn’t quite spell it out, the only reasonable interpretation of the available information is that an asset without a first-party/Microsoft IME installed would remain vulnerable after applying the patch, because otherwise no IME would be available when attempting to log in. Third-party IMEs are more likely to be in use in multilingual or non-English contexts. The disclosure process for this vulnerability may not have been entirely smooth; in September, one of the researchers credited with the discovery expressed dissatisfaction with MSRC via X.
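Before deciding whether the “remove the third-party IME” mitigation applies to a given asset, an administrator needs to know which input processors are actually installed and which of them are not Microsoft’s. The following PowerShell inventory script is an added example, not code from the article or from Microsoft; it assumes that Text Services Framework input processors register under HKLM\SOFTWARE\Microsoft\CTF\TIP\{CLSID} and that the CLSID’s InprocServer32 key under HKLM\SOFTWARE\Classes points at the DLL implementing the IME, and it uses the Authenticode signer of that DLL as the heuristic for “third-party”.

```powershell
# Added example, not from the article or from Microsoft: inventory the text input
# processors (IMEs and keyboard layouts) registered with the Text Services Framework
# and flag any whose COM server DLL is not signed by Microsoft, so a defender can see
# which third-party IMEs are present before deciding whether to remove them.
# Assumptions (about Windows, not stated in the article): TSF input processors register
# under HKLM\SOFTWARE\Microsoft\CTF\TIP\{CLSID}, and the CLSID's InprocServer32 key
# under HKLM\SOFTWARE\Classes points at the DLL that implements the IME.
# Run from an elevated PowerShell prompt on the asset being audited.

function Get-RegisteredInputProcessor {
    $tipRoot = 'HKLM:\SOFTWARE\Microsoft\CTF\TIP'
    foreach ($tip in Get-ChildItem -Path $tipRoot -ErrorAction SilentlyContinue) {
        $clsid = $tip.PSChildName

        # Resolve the DLL that implements this input processor.
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $dll = $null
        if ($server -and $server.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)')
        }

        # Collect the profile descriptions (for in-box Microsoft IMEs these are often
        # resource strings such as "@%SystemRoot%\system32\input.dll,-5000").
        $descriptions = Get-ChildItem -Path "$($tip.PSPath)\LanguageProfile" -Recurse `
                                      -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Description } |
            Where-Object { $_ } | Select-Object -Unique

        # Check the Authenticode signer. Get-AuthenticodeSignature also consults the
        # Windows security catalog, which is how most in-box system DLLs are signed.
        $status = 'DllNotFound'
        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Clsid          = $clsid
            Description    = ($descriptions -join '; ')
            Dll            = $dll
            SignatureState = $status
            Signer         = $signer
            # Heuristic: anything unsigned or not signed by Microsoft is treated as third-party.
            IsThirdParty   = -not ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
        }
    }
}

# Which input processors are enabled for the current user? Get-WinUserLanguageList
# returns InputMethodTips as "<langid>:<layout>" or "<langid>:{<CLSID>}{<profile GUID>}";
# the first GUID in braces is the CLSID that matches the TIP registration above.
$activeClsids = Get-WinUserLanguageList |
    ForEach-Object { $_.InputMethodTips } |
    ForEach-Object { if ($_ -match '\{([0-9A-Fa-f-]+)\}') { "{$($Matches[1])}" } } |
    Select-Object -Unique

Get-RegisteredInputProcessor |
    Select-Object Clsid, Description, Dll, SignatureState, IsThirdParty,
                  @{ Name = 'ActiveForUser'; Expression = { $activeClsids -contains $_.Clsid } } |
    Sort-Object IsThirdParty -Descending |
    Format-Table -AutoSize -Wrap
```

Rows with IsThirdParty set to True are the candidates for the mitigation described above; the signer check is a heuristic, so review each entry (vendor, DLL path, whether any user actually needs it) rather than removing everything the script flags, and note that the login-time behaviour after the patch still depends on a Microsoft IME being present.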

CVE-2024-20659 describes a publicly disclosed security feature bypass in Hyper-V. Microsoft rates exploitation as both less likely and of high complexity. An attacker must be both lucky and resourceful, because only UEFI-enabled hypervisors on certain unspecified hardware are vulnerable, and exploitation requires the alignment of a number of factors followed by a well-timed reboot. All this after gaining a foothold on the same network, although in this context that probably means access to a VM on the target hypervisor rather than another location on the same subnet. The prize for successful exploitation is compromise of the hypervisor kernel.

CVE-2024-43573 is a spoofing vulnerability in MSHTML exploited in the wild, for which Microsoft also knows of working public exploit code; the advisory lists CWE-79 as the weakness, which is cross-site scripting (XSS). The advisory is light on detail, although Windows Server 2012/2012 R2 administrators who typically install security-only updates should note that Microsoft encourages installing the monthly rollup to ensure patching in this case. The low CVSSv3 base score of 6.5 reflects the requirement for user interaction and the lack of impact on integrity or availability; a reasonable assumption might be that exploitation results in inappropriate disclosure of sensitive data but has no other direct effect on the target asset.

Microsoft is best known for its closed-source products, but it has cautiously yet significantly softened its stance on open source over the past quarter century. Windows has shipped components of cURL for almost seven years at this point, along with various other open source components; Microsoft fixes them from time to time, but not always as quickly as defenders would like. Today’s fix for CVE-2024-6197, a publicly disclosed RCE vulnerability in cURL, continues this trend.

Microsoft’s advisory for CVE-2024-6197 points out that Windows does not ship libcurl, only the curl command-line tool, but that tool is still vulnerable and is therefore fixed. Exploitation requires the user to connect to a malicious server controlled by the attacker, and code execution most likely takes place in the context of the user running the curl CLI tool on the Windows asset. The cURL project’s own advisory for CVE-2024-6197 was originally published on July 24 and offers more detail from its perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash and does not specifically mention RCE, although it is careful not to rule out the possibility of unspecified “more serious outcomes”, which could well mean RCE. Microsoft rates this vulnerability as Important, which is in line with the CVSS base score of 8.8.

CVE-2024-43572 rounds out the five current zero-day vulnerabilities and describes a low-complexity RCE with no user interaction in the Microsoft Management Console. Microsoft is aware of both working public exploit code and exploitation in the wild. The vulnerability is exploited when a user downloads and opens a specially crafted malicious Microsoft Saved Console (MSC) file, so there is no suggestion here that the management console is vulnerable to a network attack. Today’s fixes prevent untrusted MSC files from being opened, although the advisory does not describe how Windows will determine what is trusted and what is not. Microsoft chose to map CVE-2024-43572 to CWE-70, a very broad category whose use is explicitly discouraged by MITRE.

A third critical RCE patched today is hopefully less concerning than its siblings. CVE-2024-43488 is in the Visual Studio Code extension for Arduino, and Microsoft notes that the vulnerability documented by this CVE requires no customer action to resolve. A reasonable question is: what does “no action required” actually mean here? In the advisory, Microsoft claims both to have fully mitigated the vulnerability and that there are no plans to patch it. Confusing as that may seem, perhaps the most important takeaway is that Microsoft now publishes CVEs for cloud services in a stated effort to improve transparency. It’s unclear when the vulnerability was first introduced or when it was patched, but it’s a welcome expansion of detail nonetheless.

In Microsoft lifecycle news, today sees the end of support for Windows 11 22H2 for Home, Pro, Pro Education, Pro for Workstations and SE editions, as well as for Windows 11 21H2 for Education, Business, and Enterprise multi-session editions. Server 2012 and Server 2012 R2 move into ESU Year 2. Windows Embedded POSReady (POS stands for Point-of-Sale) receives its final ESU updates today, and this may just be the last gasp for Windows 7 as a whole.

In addition to fixing today’s critical RCE CVE-2024-43468, Intune admins still using Configuration Manager 2303 should consider upgrading to a newer version immediately, as its support ends (rather unusually) on Thursday (October 10) this week.
