Patch Tuesday brings lots of chaff, a little buggy wheat too. Some CVE highlights to review.
One vulnerability bears a striking resemblance to an 0day that was actively exploited in the wild in November 2023.
We’re not too worried about Microsoft’s Patch Thursday, with just two critical CVEs from Redmond and none listed as under attack. Security fixes by Intel (including for firmware vulnerabilities) and SAP also deserve attention, but again, nothing known to be exploited is on the immediate list.
Security researchers whose raison d'être is looking beyond any immediate headlines have been reviewing the latest tranche of bug-fixes in more detail. We've cherry-picked a few highlights worth attention below.
One vulnerability, notably, bears a striking resemblance to an 0day that was actively exploited in the wild in November 2023 – and likely as a result also deserves a swift fix before attackers reverse the patch.
More on that below.
Microsoft has also turned off the ability to insert a certain file format (FBX: 3D Model files generated by Autodesk) in Word, Excel, PowerPoint etc. over a remote code execution vulnerability. Potentially a niche concern, but still worth noting given the blanket action on this front.
Before more CVEs, an important side note: A whole host of Microsoft products transition from mainstream support to extended support today, for those paying for it. Think Exchange Server 2019, Hyper-V Server 2019, SharePoint Server 2019, Skype for Business 2019 (both client and server), Windows Server 2019, Dynamics SL 2018, Project Server 2019, and more.
Microsoft Dynamics CRM 2013, meanwhile, is now out of extended support. No ESU program is available, so admins must move to a newer version of Dynamics CRM to continue receiving security updates. (If you’re sitting on something out of support and not applying security mitigations, please do take a long hard look in the mirror and consider the risks…)
See also: One single UK government department is running 600+ unsupported applications
Adam Barnett from Rapid7 has some good thoughts on Microsoft’s patches. Here’s his take on one of the headline CVEs: “CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualisation service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network.
“The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host,” he noted in an emailed comment.
Kev Breen, Senior Director, Threat Research at Immersive Labs, meanwhile flags CVE-2024-21310 (CVSS 7.8) as high on the list for patching.
This is, he notes, a “privilege escalation vulnerability in Cloud Files Mini Filter Driver. Listed as ‘exploitation more likely’ by Microsoft, this patch note has striking similarities to CVE-2023-36036 [which in November 2023 was reported as actively exploited in the wild]... we expect threat actors already abusing the earlier CVE to move quickly on this one.”
Breen explains: “Mini Filter Drivers are also used by security products and EDRs, with each driver assigned an altitude that determines which logs are available to the applications. cldflt.sys has an altitude of 409500, whereas tools like procmon, sysmon, and EDR vendors are around the 365250 level. This classification means that – depending on the nature of the vulnerability and exploit – it could be missed by security tools. An example of this kind of evasion was recently showcased at Defcon.
“If an attacker exploited this vulnerability, they would gain SYSTEM-level privileges on the local machine. This type of privilege escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like mimikatz that can then enable lateral movement or the compromise of domain accounts.”
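A practical check that follows from Breen's altitude point, added here as an example and not code from the article or from Immersive Labs: parse the output of `fltmc filters` (run in an elevated prompt on the host) and list which minifilters sit above a given security tool's filter in the stack. A filter with a higher altitude sees an I/O request before the filters below it and can complete it in its pre-operation callback, in which case the lower filters never see that request; that is the mechanism behind the "could be missed by security tools" concern. The sample output below is constructed, not captured from a real host: `CldFlt` at 409500 and the example EDR at 365250 use the altitudes quoted above, and every filter name other than `CldFlt` is made up.

```python
"""Parse `fltmc filters` output and report which minifilters sit above a
security tool in the filter stack (higher altitude = closer to the I/O manager)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape `fltmc filters` prints. Not captured from a real
# host: CldFlt and the example EDR use the altitudes quoted in the article, the
# other names and values are invented. Legacy (non-minifilter) drivers show
# "<Legacy>" in the Frame column, so the parser accepts that too.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CldFlt                                  1         409500         0
ExampleEDR                              3         365250         0
ExampleAV                               3         325000         0
ExampleLegacy                           1         140000   <Legacy>
"""

# name, instance count, altitude (may be fractional), frame
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$")


@dataclass(frozen=True)
class FilterEntry:
    name: str
    instances: int
    altitude: float
    frame: str


def parse_fltmc(text: str) -> list[FilterEntry]:
    """Turn the text `fltmc filters` prints into FilterEntry records.
    Header, separator and blank lines do not match the row pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        name, instances, altitude, frame = m.groups()
        entries.append(FilterEntry(name, int(instances), float(altitude), frame))
    return entries


def stack_order(entries: list[FilterEntry]) -> list[str]:
    """Filter names from the top of the stack down. The highest altitude receives
    pre-operation callbacks first and post-operation callbacks last."""
    return [e.name for e in sorted(entries, key=lambda e: e.altitude, reverse=True)]


def filters_above(entries: list[FilterEntry], tool_name: str) -> list[str]:
    """Names of filters loaded above `tool_name`, highest first. Any of these can
    complete or alter an I/O request before `tool_name` ever sees it, so this is
    the list worth reviewing (and patching) when the tool is your EDR or monitor."""
    by_name = {e.name.lower(): e for e in entries}
    reference = by_name[tool_name.lower()]  # KeyError if the tool is not loaded
    return [
        e.name
        for e in sorted(entries, key=lambda e: e.altitude, reverse=True)
        if e.altitude > reference.altitude
    ]


def report(text: str, tool_name: str) -> str:
    """Human-readable summary of the stack relative to one security tool."""
    entries = parse_fltmc(text)
    lines = ["Filter stack (top to bottom):"]
    for e in sorted(entries, key=lambda e: e.altitude, reverse=True):
        marker = "  <- " + tool_name if e.name.lower() == tool_name.lower() else ""
        lines.append(f"  {e.altitude:>10.1f}  {e.name}{marker}")
    above = filters_above(entries, tool_name)
    lines.append(f"Filters above {tool_name}: {', '.join(above) if above else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host: subprocess.run(["fltmc", "filters"], capture_output=True, text=True).stdout
    print(report(SAMPLE_FLTMC_OUTPUT, "ExampleEDR"))
```

On a real host, replace the constructed sample with the actual `fltmc filters` output; the filter names you see for your EDR will be vendor-specific, so pass whichever one `fltmc` shows for your product.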
The CVSS 9.0-rated CVE-2024-20674, a Windows Kerberos security feature bypass vulnerability, has also attracted some attention, although Microsoft’s patch notes emphasise that an attacker would need existing access to the network in order to perform a machine-in-the-middle attack and send a malicious Kerberos message to an unpatched client.
As the Zero Day Initiative puts it: “While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly…”