National Cyber Warfare Foundation (NCWF)

Patch Tuesday - October 2024


0 user ratings
2024-10-08 21:34:22
milo
Red Team (CNA)
5 zero-days. Configuration Manager pre-auth RCE. RDP RPC pre-auth RPC. Winlogon EoP. Hyper-V container escape. curl o-day RCE late patch. Management console zero-day RCE. Windows 11 lifecycle changes.

Patch Tuesday - October 2024

Microsoft is addressing 118 vulnerabilities this October 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for five of the vulnerabilities published today, although it does not rate any of these as critical (yet). Of those five, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is also patching three further critical remote code execution (RCE) vulnerabilities today. Three browser vulnerabilities have already been published separately this month, and are not included in the total.

Somewhat unusually, we’ll take a look at two of the three critical RCEs published today — CVE-2024-43468 and CVE-2024-43582 — before moving on to the arguably somewhat-less- threatening zero-day vulnerabilities patched today.

Microsoft Configuration Manager: pre-auth RCE

Microsoft Configuration Manager receives a patch for the only vulnerability published by Microsoft today with a CVSS base score of 9.8. Although Microsoft doesn’t tag it as either publicly disclosed or exploited-in-the-wild, the advisory for CVE-2024-43468 appears to describe a no-interaction, low complexity, unauthenticated network RCE against Microsoft Configuration Manager. Exploitation is achieved by sending specially-crafted malicious requests, and leads to code execution in the context of the Configuration Manager server or its underlying database. The relevant update is installed within the Configuration Manager console, and requires specific administrator actions that Microsoft describes in detail in a generic series of articles. Further information and several specific required steps are described in KB29166583.

Confusingly, this KB29166583 was first published over a month ago on 2024-09-04, and was then subsequently unpublished and republished on 2024-09-18, all without any mention of CVE-2024-43468, which was published only today and which KB29166583 apparently remediates. Defenders should read the available documentation carefully, and then probably read it again for good measure.

RPD RPC: pre-auth RCE

Any RDP Server critical RCE is worth patching quickly. CVE-2024-43582 is a pre-auth critical RCE in the Remote Desktop Protocol Server. Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset. One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.

Winlogon: zero-day EoP

Who doesn’t love a good elevation of privilege vulnerability? Weary blue teamers who see the words “publicly disclosed” on a brand-new advisory know the answer. CVE-2024-43583 describes a flaw in Winlogon which gets an attacker all the way to SYSTEM via abuse of a third-party Input Method Editor (IME) during the sign-on process. The supplementary KB5046254 article explains that the 2024-10-08 patches disable non-Microsoft IME during the sign-in process. On that basis, outright removal of third-party IME is a mitigation available to anyone who is not able to apply today’s patches immediately.

Attack surface reduction is always worth considering, and removal of third-party IMEs certainly accomplishes that. Anyone who needs to keep a third-party IME can still do so, but once today’s patches are applied, that third-party IME will be disabled — only in the context of the sign-in process — to prevent exploitation of CVE-2024-43583. Although Microsoft doesn’t quite spell it out, the only reasonable interpretation of the available information is that an asset with no first-party/Microsoft IME installed would remain vulnerable after patching, since otherwise no IME would be available when attempting to sign in. Use of third-party IME is more likely to be a concern in mixed-language or non-English-speaking contexts. The disclosure process around this vulnerability may not have been entirely smooth; back in September, one of the researchers credited with the discovery expressed discontent with MSRC via X-formerly-known-as-Twitter.

Hyper-V: zero-day container escape

CVE-2024-20659 describes a publicly-disclosed security feature bypass in Hyper-V. Microsoft describes exploitation as both less likely and highly complex. An attacker must be both lucky and resourceful, since only UEFI-enabled hypervisors with certain unspecified hardware are vulnerable, and exploitation requires coordination of a number of factors followed by a well-timed reboot. All this after first achieving a foothold on the same network — although in this context, this likely means access to a VM on the target hypervisor, rather than some other location on the same subnet. The prize for successful exploitation is compromise of the hypervisor kernel.

MSHTML: zero-day XSS

CVE-2024-43573 is an exploited-in-the-wild spoofing vulnerability in MSHTML for which Microsoft is also aware of functional public exploit code; the advisory lists CWE-79 as the weakness, which translates to cross-site scripting (XSS). The advisory is sparse on further detail, although Windows Server 2012/2012 R2 admins who typically install Security Only updates should note that Microsoft is encouraging installation of the Monthly Rollups to ensure remediation in this case. The low CVSSv3 base score of 6.5 reflects the requirement for user interaction and the lack of impact to integrity or availability; a reasonable assumption might be that exploitation leads to improper disclosure of sensitive data, but no other direct effect on the target asset.

cURL: zero-day RCE

Microsoft is most famous for its closed source products, but has cautiously softened its stance on open source considerably in the past quarter century or so. Windows has included components of cURL for almost seven years at this point, along with various other open source components; Microsoft does patch these from time to time, although not always as quickly as defenders might like. Today’s patches for CVE-2024-6197, a publicly-disclosed RCE vulnerability in cURL, continue that trend.

The Microsoft advisory for CVE-2024-6197 clarifies that Windows does not ship libcurl, only the curl command line, but that’s still vulnerable and thus in scope for a fix. Exploitation requires that the user connect to a malicious server controlled by the attacker, and code execution is presumably in the context of the user launching the curl CLI tool on the Windows asset. The cURL project advisory for CVE-2024-6197 was originally published on 2024-07-24, and offers further detail from their perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash, and does not specifically mention RCE, although it is careful not to exclude the possibility of unspecified “more serious results,” which could well mean RCE. Microsoft rates this vulnerability as important, which is on track with the CVSS base score of 8.8.

Management Console: zero-day RCE

CVE-2024-43572 rounds out today’s five zero-day vulnerabilities, and describes a low-complexity, no-user-interaction RCE in Microsoft Management Console. Microsoft is aware of both public functional exploit code and in-the-wild exploitation. The vulnerability is exploited when a user downloads and opens a specially-crafted malicious Microsoft Saved Console (MSC) file, so there’s no suggestion here that the Management Console is vulnerable via network attack. Today’s patches prevent untrusted MSC files from being opened, although the advisory does not describe how Windows will know what’s trusted and what isn’t. Microsoft has chosen to map CVE-2024-43572 to CWE-70, which is a very broad category, the use of which is explicitly discouraged by MITRE.

VS Code Arduino extension: cloud critical RCE

A third critical RCE patched today is hopefully less concerning than its siblings. CVE-2024-43488 is in the Visual Studio Code extension for Arduino, and Microsoft notes that the vulnerability documented by this CVE requires no customer action to resolve. A reasonable question is: what does “no action required” really mean here? Within the advisory, Microsoft both claims to have fully mitigated the vulnerability, and also that there is no plan to fix the vulnerability. As confusing as that all sounds, perhaps the most important takeaway here is that Microsoft is now issuing cloud service CVEs in a stated effort to improve transparency. It’s not clear when the vulnerability was first introduced or when it was remediated, but nevertheless the recent expansion into a whole new class of CVEs is a welcome step by Microsoft.

SharePoint: EoP to SYSTEM

A sparse advisory for CVE-2024-43503, which is an elevation of privilege vulnerability which leads to SYSTEM. Advisories for similar vulnerabilities typically describe the specific SharePoint privileges required, but this one does not, so a reasonable assumption might be that the requirement here is simply minimal Site Member privileges.

Microsoft lifecycle update

Today sees the end of support for Windows 11 22H2 for Home, Pro, Pro Education, Pro for Workstations, and SE editions, as well as for Windows 11 21H2 for Education, Enterprise, and Enterprise multi-session editions. Server 2012 and Server 2012 R2 pass into Year 2 of ESU. Windows Embedded POSReady — the POS stands for Point-of-Sale — receives its final ESU updates today, and that might just be the last gasp for Windows 7 as a whole. As well as patching today’s critical RCE CVE-2024-43468, Intune admins still using Configuration Manager 2303 should look to upgrade to a newer version immediately, because support ends (somewhat unusually) on Thursday this week.

Summary charts

Patch Tuesday - October 2024
Patch Tuesday - October 2024
Patch Tuesday - October 2024

Summary tables

Apps vulnerabilities





















CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-43604Outlook for Android Elevation of Privilege VulnerabilityNoNo5.7

Azure vulnerabilities










































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-38179Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege VulnerabilityNoNo8.8
CVE-2024-43591Azure Command Line Integration (CLI) Elevation of Privilege VulnerabilityNoNo8.7
CVE-2024-38097Azure Monitor Agent Elevation of Privilege VulnerabilityNoNo7.1
CVE-2024-43480Azure Service Fabric for Linux Remote Code Execution VulnerabilityNoNo6.6

Browser vulnerabilities



































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-9370Chromium: CVE-2024-9370 Inappropriate implementation in V8NoNoN/A
CVE-2024-9369Chromium: CVE-2024-9369 Insufficient data validation in MojoNoNoN/A
CVE-2024-7025Chromium: CVE-2024-7025 Integer overflow in LayoutNoNoN/A

Developer Tools vulnerabilities













































































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-43488Visual Studio Code extension for Arduino Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43497DeepSpeed Remote Code Execution VulnerabilityNoNo8.4
CVE-2024-38229.NET and Visual Studio Remote Code Execution VulnerabilityNoNo8.1
CVE-2024-43590Visual C++ Redistributable Installer Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43483.NET, .NET Framework, and Visual Studio Denial of Service VulnerabilityNoNo7.5
CVE-2024-43484.NET, .NET Framework, and Visual Studio Denial of Service VulnerabilityNoNo7.5
CVE-2024-43485.NET and Visual Studio Denial of Service VulnerabilityNoNo7.5
CVE-2024-43601Visual Studio Code for Linux Remote Code Execution VulnerabilityNoNo7.1
CVE-2024-43603Visual Studio Collector Service Denial of Service VulnerabilityNoNo5.5

ESU Windows vulnerabilities












































































































































































































































































































































































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-38124Windows Netlogon Elevation of Privilege VulnerabilityNoNo9
CVE-2024-43518Windows Telephony Server Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43608Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43607Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-38265Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43453Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-38212Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43549Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43564Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43589Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43592Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43593Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43611Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43532Remote Registry Service Elevation of Privilege VulnerabilityNoNo8.8
CVE-2024-43599Remote Desktop Client Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43519Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43517Microsoft ActiveX Data Objects Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43583Winlogon Elevation of Privilege VulnerabilityNoYes7.8
CVE-2024-38261Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-43514Windows Resilient File System (ReFS) Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43509Windows Graphics Component Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43556Windows Graphics Component Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43501Windows Common Log File System Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43563Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43560Microsoft Windows Storage Port Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43572Microsoft Management Console Remote Code Execution VulnerabilityYesYes7.8
CVE-2024-38262Windows Remote Desktop Licensing Service Remote Code Execution VulnerabilityNoNo7.5
CVE-2024-43545Windows Online Certificate Status Protocol (OCSP) Server Denial of Service VulnerabilityNoNo7.5
CVE-2024-43521Windows Hyper-V Denial of Service VulnerabilityNoNo7.5
CVE-2024-43567Windows Hyper-V Denial of Service VulnerabilityNoNo7.5
CVE-2024-43541Microsoft Simple Certificate Enrollment Protocol Denial of Service VulnerabilityNoNo7.5
CVE-2024-43544Microsoft Simple Certificate Enrollment Protocol Denial of Service VulnerabilityNoNo7.5
CVE-2024-43515Internet Small Computer Systems Interface (iSCSI) Denial of Service VulnerabilityNoNo7.5
CVE-2024-43506BranchCache Denial of Service VulnerabilityNoNo7.5
CVE-2024-38149BranchCache Denial of Service VulnerabilityNoNo7.5
CVE-2024-43550Windows Secure Channel Spoofing VulnerabilityNoNo7.4
CVE-2024-43553NT OS Kernel Elevation of Privilege VulnerabilityNoNo7.4
CVE-2024-43535Windows Kernel-Mode Driver Elevation of Privilege VulnerabilityNoNo7
CVE-2024-37976Windows Resume Extensible Firmware Interface Security Feature Bypass VulnerabilityNoNo6.7
CVE-2024-37982Windows Resume Extensible Firmware Interface Security Feature Bypass VulnerabilityNoNo6.7
CVE-2024-37983Windows Resume Extensible Firmware Interface Security Feature Bypass VulnerabilityNoNo6.7
CVE-2024-37979Windows Kernel Elevation of Privilege VulnerabilityNoNo6.7
CVE-2024-43512Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo6.5
CVE-2024-43573Windows MSHTML Platform Spoofing VulnerabilityYesYes6.5
CVE-2024-43547Windows Kerberos Information Disclosure VulnerabilityNoNo6.5
CVE-2024-43534Windows Graphics Component Information Disclosure VulnerabilityNoNo6.5
CVE-2024-43570Windows Kernel Elevation of Privilege VulnerabilityNoNo6.4
CVE-2024-43513BitLocker Security Feature Bypass VulnerabilityNoNo6.4
CVE-2024-43520Windows Kernel Denial of Service VulnerabilityNoNo5
CVE-2024-43456Windows Remote Desktop Services Tampering VulnerabilityNoNo4.8

Mariner Windows vulnerabilities





















CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-6197Open Source Curl Remote Code Execution VulnerabilityNoYes8.8

Microsoft Office vulnerabilities
























































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-43503Microsoft SharePoint Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43505Microsoft Office Visio Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-43576Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-43616Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-43504Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-43609Microsoft Office Spoofing VulnerabilityNoNo6.5

SQL Server vulnerabilities




























CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-43612Power BI Report Server Spoofing VulnerabilityNoNo6.9
CVE-2024-43481Power BI Report Server Spoofing VulnerabilityNoNo6.5

System Center vulnerabilities




























CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-43468Microsoft Configuration Manager Remote Code Execution VulnerabilityNoNo9.8
CVE-2024-43614Microsoft Defender for Endpoint for Linux Spoofing VulnerabilityNoNo5.5

Windows vulnerabilities



























































































































































































































































































































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-43533Remote Desktop Client Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-43574Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution VulnerabilityNoNo8.3
CVE-2024-43582Remote Desktop Protocol Server Remote Code Execution VulnerabilityNoNo8.1
CVE-2024-30092Windows Hyper-V Remote Code Execution VulnerabilityNoNo8
CVE-2024-43551Windows Storage Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43516Windows Secure Kernel Mode Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43528Windows Secure Kernel Mode Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43527Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-43584Windows Scripting Engine Security Feature Bypass VulnerabilityNoNo7.7
CVE-2024-43562Windows Network Address Translation (NAT) Denial of Service VulnerabilityNoNo7.5
CVE-2024-43565Windows Network Address Translation (NAT) Denial of Service VulnerabilityNoNo7.5
CVE-2024-38129Windows Kerberos Elevation of Privilege VulnerabilityNoNo7.5
CVE-2024-43575Windows Hyper-V Denial of Service VulnerabilityNoNo7.5
CVE-2024-38029Microsoft OpenSSH for Windows Remote Code Execution VulnerabilityNoNo7.5
CVE-2024-43552Windows Shell Remote Code Execution VulnerabilityNoNo7.3
CVE-2024-43529Windows Print Spooler Elevation of Privilege VulnerabilityNoNo7.3
CVE-2024-43502Windows Kernel Elevation of Privilege VulnerabilityNoNo7.1
CVE-2024-20659Windows Hyper-V Security Feature Bypass VulnerabilityNoYes7.1
CVE-2024-43581Microsoft OpenSSH for Windows Remote Code Execution VulnerabilityNoNo7.1
CVE-2024-43615Microsoft OpenSSH for Windows Remote Code Execution VulnerabilityNoNo7.1
CVE-2024-43522Windows Local Security Authority (LSA) Elevation of Privilege VulnerabilityNoNo7
CVE-2024-43511Windows Kernel Elevation of Privilege VulnerabilityNoNo7
CVE-2024-43525Windows Mobile Broadband Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2024-43526Windows Mobile Broadband Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2024-43543Windows Mobile Broadband Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2024-43523Windows Mobile Broadband Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2024-43524Windows Mobile Broadband Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2024-43536Windows Mobile Broadband Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2024-43537Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43538Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43540Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43542Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43555Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43557Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43558Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43559Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43561Windows Mobile Broadband Driver Denial of Service VulnerabilityNoNo6.5
CVE-2024-43546Windows Cryptographic Information Disclosure VulnerabilityNoNo5.6
CVE-2024-43571Sudo for Windows Spoofing VulnerabilityNoNo5.6
CVE-2024-43500Windows Resilient File System (ReFS) Information Disclosure VulnerabilityNoNo5.5
CVE-2024-43554Windows Kernel-Mode Driver Information Disclosure VulnerabilityNoNo5.5
CVE-2024-43508Windows Graphics Component Information Disclosure VulnerabilityNoNo5.5
CVE-2024-43585Code Integrity Guard Security Feature Bypass VulnerabilityNoNo5.5



Source: Rapid7
Source Link: https://blog.rapid7.com/2024/10/08/patch-tuesday-october-2024/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.