Patch Tuesday September 2024

CVE-2024-43491 - 9.8 - Microsoft Windows Update Remote Code Execution Vulnerability

Kev Breen, Senior Director Threat Research, Immersive Labs

Top of the list for patches this month is a CVE in the windows update mechanism. Tracked as CVE-2024-43491 this one comes in at a 9.8 out of 10 and is marked as “Exploitation Detected”. This specific vulnerability impacted the Windows update system in a way that security patches for some components were rolled back to a vulnerable state and will have remained in a vulnerable state since March 2024. Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched. 

The root cause of this issue is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code. The notes from Microsoft say that the “build version numbers crossed into a range that triggered a code defect.” This implies that there was an integer overflow vulnerability that meant optional components were detected as “Not Applicable” and therefore reverted back to their original unpatched versions. 

There are a lot of caveats to this one, so it’s worth checking the Official Notes. The short version is that Some versions of Windows 10 with optional components enabled was left in a vulnerable state. 

CVE-2024-38217 - 5.4 - Windows Mark of the Web Security Feature Bypass Vulnerability

Kev Breen, Senior Director Threat Research, Immersive Labs

Mark of the Web (MoTW) has been a popular target for threat actors in recent months and this month is no different. Mark of the Web is a feature in Microsoft that tags files downloaded from the internet and if a user tries to run a file with this mark then the operating system will step in to warn or block the action from taking place. 

It is important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation and would be used in conjunction with something like a spear phishing attack that delivers a malicious file. In-depth defence is the key mitigation here; organizations should not rely solely on features like Mark of the Web to protect them. 

To exploit this vulnerability, an attacker needs to host a specially crafted file on a web server and then socially engineering the user into opening the file typically by sending a link via email or message service.

CVE-2024-38014 - 7.8 - Windows Installer Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

This vulnerability has been exploited in the wild and has been assigned a CVSS score of 7.8. Much like many of the other Windows Installer elevation of privilege vulnerabilities such as the InstallerFileTakeOver vulnerability, when an attacker exploits it, they will gain full SYSTEM level privileges. As with many of the previous vulnerabilities that took advantage of the Windows Installer service, attackers will continue to use this vulnerability for the foreseeable future, therefore it is worth patching as soon as possible. 

Many of the versions this vulnerability affects is the new to release WIndows 11 24H2, however if you have any Copilot+ devices, they are now publicly available and will need to be patched to defend against this vulnerability. 

CVE-2024-38226 - 7.3 - Microsoft Publisher Security Feature Bypass Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

This vulnerability has been exploited in the wild and has been assigned a CVSS score of 7.3. Due to this being a security feature bypass, threat actors will likely use this vulnerability as part of their attack chain in Microsoft Publisher phishing documents. An attack could bypass the Office suites macro warning which is used as a last line of defence for users to keep them from enabling macros in documents - a common attack method used by threat actors around the world. If this warning does not show the successful phishing attempts will likely increase. 

CVE-2024-38220 - 9.0 - Azure Stack Hub Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

Azure Stack Hub is a hybrid cloud platform from Microsoft that allows you to run Azure services from your own data center. It essentially extends Azure's public cloud capabilities to on-premises infrastructure, enabling organizations to build, deploy, and manage applications in a consistent way across both public and private clouds. This vulnerability means an attacker can gain unauthorized access to a business’s internal resources, content, and applications; however, it is required to be authenticated and also wait for a victim user to initiate a connection - likely by accident or through social engineering. 

CVE-2024-38241 & CVE-2024-38242 -- Kernel Streaming Service Driver Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

Kernel vulnerabilities like CVE-2024-38241 often arise due to flaws in low-level system components such as device drivers, including the Kernel Streaming Service Driver, which is responsible for handling audio and video streaming in Windows. The Windows kernel is a critical part of the operating system, managing core system resources and ensuring secure interactions between hardware and software. Vulnerabilities in the kernel or its drivers can be particularly dangerous because they typically run with high privileges, meaning that exploiting these flaws could allow attackers to bypass security controls, execute arbitrary code, or escalate their privileges to gain control over the entire system.

Kernel streaming service drivers, in particular, are designed to efficiently process and stream multimedia data, making them a common target for vulnerabilities due to their complexity and the need for real-time processing. Issues such as improper input validation (like in CVE-2024-38241) are common, where malicious inputs can be exploited to manipulate the kernel's behavior, leading to the elevation of privileges.