The Human Connection Blog

Patch Tuesday July 2024

KevBreen
6 months ago

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability (CVSS 7.8)

Kev Breen, Senior Director Threat Research, Immersive Labs

There is very little information available about this vulnerability. The only information Microsoft provides is: “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges” and “exploitation detected”.

This means that threat actors are actively exploiting this vulnerability against organizations, making it a critical vulnerability to patch. Threat hunters would benefit from additional details to determine whether they’ve already been compromised by it.

CVE-2024-38023 & CVE-2024-38024: Microsoft SharePoint Server Remote Code Execution Vulnerability

Kev Breen, Senior Director Threat Research, Immersive Labs

A pair of patches for the SharePoint server should be high on the list to patch. While they are not actively being exploited, Microsoft has listed these as more likely to be exploited.

A mitigating factor is that an attacker must have authenticated access as a user with site owner permissions to take advantage of this vulnerability. It should be easy for threat hunters and network defenders to audit and proactively limit the attack surface.

The notes identify that to trigger the vulnerability, an attacker must upload a specially crafted file and then perform several HTTP requests against the SharePoint API to trigger a deserialization, gaining code execution on the underlying server.
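Since the mitigating factor is that an attacker needs site owner permissions, an audit of who holds those rights is the natural first check. The script below is an added example, not code from the original post or from Immersive Labs; it uses the SharePoint Server object model from the SharePoint Management Shell and assumes farm-admin rights and a writable export path (the path is an assumption).

```powershell
# Added example: enumerate site collection administrators and Owners-group
# members across a SharePoint Server farm so the CVE-2024-38023/38024
# attack surface (accounts with site owner permissions) can be reviewed.
# Run from the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($site in Get-SPSite -Limit All) {
    # Primary and secondary site collection administrators
    [PSCustomObject]@{ Url = $site.Url; Role = 'Primary Admin'; Account = $site.Owner.UserLogin }
    if ($site.SecondaryContact) {
        [PSCustomObject]@{ Url = $site.Url; Role = 'Secondary Admin'; Account = $site.SecondaryContact.UserLogin }
    }

    # Members of each web's associated Owners group (Full Control on that web)
    foreach ($web in $site.AllWebs) {
        $ownerGroup = $web.AssociatedOwnerGroup
        if ($ownerGroup) {
            foreach ($user in $ownerGroup.Users) {
                [PSCustomObject]@{ Url = $web.Url; Role = "Group: $($ownerGroup.Name)"; Account = $user.UserLogin }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Full listing for review, plus the accounts that hold owner rights most widely
# (assumed export path; change to suit the environment).
$report | Sort-Object Url, Role | Export-Csv -Path 'C:\Temp\sp-site-owners.csv' -NoTypeInformation
$report | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name -First 20
```

Accounts that appear across many site collections, service accounts, and stale users in the output are the ones to trim before the patch is rolled out.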

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability (CVSS 7.5)

Rob Reeves, Principal Cyber Security Engineer, Immersive Labs

MSHTML (also known as Trident) is the proprietary browser engine of Microsoft's Internet Explorer web browser. This vulnerability has been actively exploited in the wild, but details are scarce – Microsoft only describes it as a “spoofing” vulnerability, which requires social engineering to convince a user to execute a delivered file.

The vulnerability may well lead to remote code execution (RCE). Because it is linked to CWE-668: Exposure of Resource to Wrong Sphere, in the event of successful exploitation it could lead to a complete compromise of confidentiality, integrity, and availability.

The CVSS score of only 7.5 is because it’s difficult to exploit, possibly only due to the complexity of the attack itself. But without further information from Microsoft or the original reporter (Haifei Li from CheckPoint), it’s difficult to give specific guidance.

Exploitation also likely requires the use of an “attack chain” of exploits or programmatic changes on the target host, because of the description:

“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.”

Despite the lack of details in the initial advisory, this vulnerability affects all hosts from Windows Server 2008 R2 onwards, including clients. Due to active exploitation in the wild, this vulnerability should be prioritized for patching.

CVE-2024-38021: Microsoft Office Remote Code Execution Vulnerability

Kev Breen, Senior Director Threat Research, Immersive Labs

Another vulnerability high on the list of things to patch affects Microsoft Office, meaning the end user estate is vulnerable to exploitation, and the attack surface for threat actors is large.

All an attacker needs to do is send an email or instant message en masse that contains a link to a site the attacker controls. If users click this specially crafted link, it will bypass the Protected View protocol, which can leak the user's NTLM credentials. This NTLM hash can be used like a password in a style of attack known as NTLM relay or pass the hash.

Suppose an attacker can gain access to this hash – they’d be able to authenticate to other services or even run commands remotely, gaining full access to the compromised host with the same permissions as the user clicking the link.

Updated 6 months ago
Version 2.0