On the second Tuesday of each month, Microsoft release their security patches for vulnerabilities found in their products. Each month, Immersive Labs' Cyber Threat Research Team review these patch notes for any standout vulnerabilities. You can find their thoughts and findings here.
CVE-2024-30080 -- Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs
With no “actively exploited in the wild” patches announced by Microsoft, there are still a number of patches that should be applied sooner rather than later. One on this list is CVE-2024-30080, a remote code execution vulnerability in Microsoft Message Queuing (MSMQ) with a CVSS score of 9.8. This is a CRITICAL CVE to patch.
It is important to note that MSMQ is not a default service on Windows, so patching can be focused on those servers running the service. If organizations are not able to patch quickly, then check firewall configurations to limit access to trusted sources. A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSMQ servers that could be vulnerable to zero-day attacks if not patched quickly.
This one will be of high value to attackers as it is a remote, unauthenticated attack over the network or internet that will give threat actors the ability to run other commands to compromise the server further and move laterally within the network. This is not the first time we have seen attackers exploit MSMQ, such as with QueueJumper in 2023, indicating it could be easier for threat actors to quickly replicate this vulnerability and exploit it at scale.
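The triage and interim mitigation described above, as an added example that is not part of the original post and not Microsoft tooling: the script checks whether MSMQ is installed and listening, lists the firewall rules that already cover its port, and, where a host cannot be patched straight away, restricts inbound access to trusted sources. The trusted address ranges are placeholder assumptions to be replaced with your own; TCP 1801 is MSMQ's well-known listener port (the one QueueJumper targeted) and 2101/2103/2105 are its RPC endpoints. It assumes an elevated PowerShell 5.1 or later session on Windows Server 2012 / Windows 8 or newer, where the NetTCPIP and NetSecurity modules are available.

```powershell
# Added example, not code from the original post or from Microsoft.
# Triage a host for CVE-2024-30080 exposure and apply the interim firewall
# scoping the commentary recommends when patching has to wait.
# Assumes an elevated PowerShell 5.1+ session on Windows Server 2012 / Windows 8
# or later (NetTCPIP and NetSecurity modules).

$TrustedSources = @('10.0.0.0/8', '192.168.0.0/16')  # ASSUMPTION: replace with your own ranges
$MsmqPort       = 1801                               # MSMQ's TCP listener (the port QueueJumper also hit)
$MsmqRpcPorts   = @(2101, 2103, 2105)                # MSMQ RPC endpoints; scope these the same way

# 1. MSMQ is not installed by default, so the first check is whether the service exists.
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSMQ service is not installed; this host is not exposed to CVE-2024-30080.'
    return
}
Write-Output ("MSMQ service present, status: {0}" -f $svc.Status)

# 2. Is anything listening on 1801, and on which address? 0.0.0.0 or :: means every
#    interface, so an internet-facing NIC exposes the service directly.
Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    } | Format-Table -AutoSize

# 3. Which firewall rules already touch the port, and what do they allow?
$existingRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $MsmqPort } |
    Get-NetFirewallRule
$existingRules | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize

# 4. Interim mitigation. Windows Firewall evaluates Block rules before Allow rules, so
#    "allow trusted, block everyone else" is expressed as: profile default inbound
#    action = Block, broad Allow rules for the port disabled, and one Allow rule scoped
#    to the trusted sources. Review the profile defaults first; fix any that are Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

$existingRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        Write-Output ("Disabling broad allow rule: {0}" -f $_.DisplayName)
        $_ | Disable-NetFirewallRule
    }

New-NetFirewallRule -DisplayName 'MSMQ - trusted sources only (CVE-2024-30080 interim)' `
    -Direction Inbound -Protocol TCP -LocalPort (@($MsmqPort) + $MsmqRpcPorts) `
    -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null
Write-Output 'MSMQ inbound access now limited to trusted sources. Patch, then remove this rule.'
```

The script disables any existing inbound Allow rule that covers TCP 1801 rather than adding a Block rule, because a Block rule with a "not these sources" scope cannot be expressed directly and a broad Block would also cut off the trusted sources. This is a stopgap only: it narrows who can reach the unauthenticated listener, it does not remove the vulnerability, so the June patch still needs to follow.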
CVE-2024-30085 -- Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs
High on the list for patching should be CVE-2024-30085, a privilege escalation vulnerability in the Cloud Files Mini Filter Driver, listed as “exploitation more likely” by Microsoft. The limited notes released by Microsoft do not provide any details; however, the description is identical to CVE-2023-36036, a vulnerability in “Cloud Files Mini Filter” that was actively exploited by threat actors.
If an attacker exploited this vulnerability, they would gain SYSTEM-level privileges on the local machine. This type of privilege escalation step is frequently used by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like Mimikatz, which can then enable lateral movement or the compromise of domain accounts.
CVE-2024-30097 - 8.8 - Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs
This vulnerability has been deemed a remote code execution vulnerability, meaning the attacker can run commands on a machine they are not operating. The tricky aspect of this vulnerability is that it requires a user in an authenticated client to click a link. The link could be sent through a phishing attack, and because it doesn’t require the user to download anything onto their computer, the chances of a successful phishing attack are a bit higher than normal. The vulnerability is considered a double-free, which can be quite an unstable type of vulnerability because the memory in which the attacked process resides usually has to be massaged in a way to make it vulnerable to remote code execution. This potentially affects the reliability of the vulnerability and could cause denial of service more times than remote code execution.
CVE-2024-30099 - 7.0 - Windows Kernel Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs
This vulnerability is particularly interesting because Microsoft has stated that it is located in the NT OS kernel and is on the “exploitation more likely” list. Vulnerabilities in the actual NT kernel are not that common; it is generally kernel issues in the software built around the NT OS that hold the kernel vulnerabilities. Here, a race condition can be achieved, meaning that when the kernel thinks it is operating on a certain value – in between the time it checks to see if that value is valid and when it actually operates on the value – an attacker can change the value to support their attack. This vulnerability should be on everyone’s patch list due to it being so central to the operating system.
CVE-2024-35250, CVE-2024-30084, CVE-2024-30064, CVE-2024-30068 - Windows Kernel Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs
There are a number of kernel-related vulnerabilities that lead to elevation of privilege when an attacker has access to a machine. These sorts of vulnerabilities are usually added to sophisticated hackers' attack toolkits, where they can run them if they get access as a regular user on a machine. These sorts of vulnerabilities are often what attackers will try to weaponize after patch day, so it is always wise to patch kernel-related vulnerabilities, because successful exploitation means they get complete access to a computer's resources and run with SYSTEM privileges.
CVE-2024-30078 - 8.8 - Windows Wi-Fi Driver Remote Code Execution Vulnerability
CVE-2024-30074 - 8.0 - Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs
These are really interesting vulnerabilities because they are some of the few where the attacker has to be in physical proximity to a device to attack it. These vulnerabilities require the attacker to be able to send a malicious network packet to a system that has a Wi-Fi adapter, like most laptops. You could see these sorts of vulnerabilities being used when people are working in public places like a café or airport lounge. For people travelling with Windows on their laptops, it is highly recommended to patch these vulnerabilities.