Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
CVE-2024-49039 - 8.8 - Windows Task Scheduler Elevation of Privilege Vulnerability
Microsoft has released an official patch for this vulnerability because functional exploit code exists and has been used in the wild.
The Windows Task Scheduler is a built-in utility in Microsoft Windows that allows organizations to automate and schedule tasks or scripts to run at specific times, during specific events, or under certain conditions. It enables users and administrators to automate repetitive tasks, making it easier to manage various operations on a computer or network.
While a POC has not been publicly released for this vulnerability, exploitation has been detected. An attacker can exploit it from a low-privileged AppContainer and effectively execute remote procedure calls (RPCs) that should be available only to privileged tasks. It is unclear which RPCs are affected, but it could allow an attacker to elevate privileges and execute code on a remote machine, as well as on the machine where the exploit is run.
CVE-2024-5535 - 9.1 - OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread
This flaw has been present in OpenSSL since 2011 and was only recently patched. Microsoft is shipping its fix for Microsoft Defender for Endpoint. It is rated 9.1, and several write-ups on the internet describe the vulnerability in depth. However, it does require the user to download a file from somewhere such as an email and have Defender "inspect" it in order to achieve code execution.
CVE-2024-43639 - 9.8 - Windows Kerberos Remote Code Execution Vulnerability
This is one of the most threatening CVEs from this patch release because it is related to Kerberos, an authentication protocol used heavily in Windows domain networks. The vulnerability allows an unauthenticated attacker to perform remote code execution against a vulnerable target inside a Windows domain.
Windows domains are used in the majority of enterprise networks. By taking advantage of a vulnerability in this cryptographic protocol, an attacker can perform privileged actions on a remote machine within the network, potentially gaining eventual access to the domain controller, which is the goal for many attackers when targeting a domain.
CVE-2024-49033 - 7.5 - Microsoft Word Security Feature Bypass Vulnerability
This vulnerability targets Microsoft Office Protected View, allowing an attacker to bypass this security feature designed to protect users from potentially unsafe files. Protected View is a read-only mode that restricts editing and certain functionality in files downloaded from untrusted sources, such as email attachments or web links, to prevent malicious actions. By exploiting this vulnerability, an attacker could craft a malicious Word document capable of bypassing Protected View, enabling harmful actions to run on the victim’s machine if opened.
A successful attack requires several specific steps and environment-specific conditions, which is why the CVSS Attack Complexity (AC) metric is rated High. Because user interaction (UI) is required, the attacker cannot force the user to open the file; instead, they must convince the victim to click on the link and open the document, often using persuasive language or enticements.
If the user opens the crafted file, the protections of Protected View are bypassed, potentially allowing embedded content such as traditional VBA code to execute commands and compromise the system. Depending on the attacker's objectives and the victim's environment, this could result in data exposure, unauthorized access to sensitive information, or broader system compromise.
CVE-2024-49019 - 7.8 - Active Directory Certificate Services Elevation of Privilege Vulnerability
This Active Directory Certificate Services (AD CS) elevation of privilege vulnerability allows an attacker to gain domain administrator privileges if successfully exploited. The vulnerability lies in how certificates issued by a PKI (Public Key Infrastructure) environment are managed when certain misconfigured certificate templates are in use.
To determine if your PKI environment is vulnerable, check whether any certificates have been published using a version 1 certificate template where the source of the subject name is set to "Supplied in the request" and enroll permissions are granted to a broader group, such as domain users or domain computers. This is typically a misconfiguration, and certificates created from templates like the Web Server template could be affected. However, the Web Server template is not vulnerable by default because of its restricted enroll permissions.
The vulnerability targets certificates created using a version 1 certificate template with "Supplied in the request" as the subject name source. If these templates are not properly secured, following the best practices outlined in Microsoft's Securing Certificate Templates documentation, attackers can abuse the template's permissions to elevate their privileges, potentially gaining domain administrator access.
Microsoft has assessed this vulnerability as "Exploitation More Likely". Because it concerns Windows domains, which are used heavily across enterprise organizations, it is very important to apply the patch and to look for misconfigured templates that may have been left behind.
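The check described above (version 1 templates, subject name supplied in the request, enrollment open to a broad group, and whether the template is actually published to a CA) can be automated. The script below is an added example and is not part of the Immersive Labs write-up or of any Microsoft tooling. It assumes a domain-joined host with the RSAT ActiveDirectory module, read access to the Configuration partition, and treats Authenticated Users, Domain Users and Domain Computers as the "broad" enrollment groups; the enrollment-right GUID and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit are the documented AD CS schema values.

```powershell
# Added example: audit AD CS templates for the CVE-2024-49019 precondition.
# Not from the original post. Assumes RSAT ActiveDirectory module and read access
# to the Configuration naming context.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Documented AD CS constants: the Certificate-Enrollment extended right GUID and the
# "Supplied in the request" bit of msPKI-Certificate-Name-Flag.
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1

# Principals treated as "broad" (assumption; extend for your environment):
# Authenticated Users, Domain Users (RID 513), Domain Computers (RID 515).
$domainSid = (Get-ADDomain).DomainSID.Value
$broadSids = @('S-1-5-11', "$domainSid-513", "$domainSid-515")

# Templates published to at least one enrollment CA: each pKIEnrollmentService
# object lists its published template names in certificateTemplates.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties name, 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag'

foreach ($t in $templates) {
    $isV1 = [int]$t.'msPKI-Template-Schema-Version' -eq 1
    $subjectFromRequest = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    if (-not ($isV1 -and $subjectFromRequest)) { continue }

    # Which broad principals hold Enroll on this template? Enroll is granted by an
    # ExtendedRight ACE naming the enrollment GUID, by an ExtendedRight ACE with an
    # empty ObjectType (all extended rights), or implicitly by GenericAll.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $broadEnrollers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $grantsEnroll =
            $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty))
        if (-not $grantsEnroll) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: skip rather than guess
        if ($broadSids -contains $sid) { $ace.IdentityReference.Value }
    }

    # One row per matching template; Flagged = True is the misconfiguration the
    # advisory describes, and Published = True means a CA will actually issue from it.
    [pscustomobject]@{
        Template       = $t.name
        Published      = ($published -contains $t.name)
        BroadEnrollers = (@($broadEnrollers) | Sort-Object -Unique) -join ', '
        Flagged        = [bool]$broadEnrollers
    }
}
```

Rows with Flagged and Published both True are the ones to remediate first: either restrict the Enroll permission, move to a version 2+ template with a fixed subject name source, or unpublish the template from the CA. Templates matching the V1/"Supplied in the request" condition but with tightly scoped Enroll rights (the default Web Server template, for instance) are reported with Flagged = False so the output can double as an inventory.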
CVE-2024-43451 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability
This Microsoft Patch Tuesday release includes an NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451). Although rated at a moderate severity level with a CVSS score of 6.5, details of this vulnerability have been publicly disclosed and exploitation has been confirmed, so users should take immediate action to mitigate the risk.
Further, the Microsoft advisory released today states that CVE-2024-43451 requires only minimal user interaction with a malicious file, which can include either clicking or inspecting it. This action could disclose the user's NTLMv2 hash to the attacker, potentially compromising confidentiality and allowing the attacker to authenticate as that user. All supported versions of Microsoft Windows are affected.
CVE-2024-43642 - 7.5 - Windows SMB Denial of Service Vulnerability
Microsoft has flagged a new security vulnerability, CVE-2024-43642, in Windows Server Message Block (SMB). SMB is a network protocol primarily used for sharing access to files, printers, serial ports, and other communications between nodes on a network. This vulnerability could lead to a Denial of Service (DoS) which, if exploited, could disrupt the normal functioning of a service or system.
The vulnerability is a use-after-free, categorized as CWE-416: specific program operations can cause memory to be accessed after it has been freed. With a CVSS v3.1 score of 7.5/6.5, Microsoft assigns this vulnerability an 'Important' severity rating, pointing to the potential for considerable disruption and downtime on affected systems.
CVE-2024-43602 - 9.9 - Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-43602 affects Azure CycleCloud, an orchestration and management tool often used for High-Performance Computing (HPC). The vulnerability is classified as CWE-285: Improper Authorization and carries a CVSS rating of 9.9/8.6. At the time of writing, Microsoft's exploitability assessment is 'Exploitation Less Likely', although the attack complexity is rated Low.
To exploit this vulnerability, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster, thereby gaining root-level permissions. Consequently, the attacker could execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials. Despite this, no exploitation has been reported to date.