Patch Tuesday - November 2024

Microsoft is addressing 90 vulnerabilities this November 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today, although as with last month’s batch, it does not evaluate any of these zero-day vulnerabilities as critical severity (yet). Of those four, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is aware of some level of public disclosure for three. Microsoft is also patching two further critical remote code execution (RCE) vulnerabilities today. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Active Directory Certificate Service: zero-day EoP aka EKUwu

CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services. While the vulnerability only affects assets with the Windows Active Directory Certificate Services role, an attacker who successfully exploits this vulnerability could gain domain admin privileges, so that doesn’t offer much comfort. Unsurprisingly, given the potential prize for attackers, Microsoft assesses future exploitation as more likely. Vulnerable PKI environments are those which include published certificates created using a version 1 certificate template with the source of subject name set to "Supplied in the request" and Enroll permissions granted to a broader set of accounts. Microsoft does not obviously provide any means of determining the certificate template version used to create a certificate, although the advisory does offer recommendations for anyone hoping to secure certificate templates.
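The advisory's three conditions (a version 1 template, subject name supplied in the request, and Enroll granted broadly) can be turned into a mechanical triage of template objects. The script below is an added example, not from the original post or from Microsoft; the template records are constructed, and pulling the real attributes (msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, and the decoded Enroll ACEs from nTSecurityDescriptor) out of the Certificate Templates container is assumed to happen before the records are handed to it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Bit in msPKI-Certificate-Name-Flag meaning the subject name source is
# "Supplied in the request".
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Extended-right GUID for Certificate-Enrollment ("Enroll") on a template object.
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# Principals treated here as "a broader set of accounts": Everyone, Authenticated
# Users, and the domain-relative Domain Users (RID 513) and Domain Computers (RID 515).
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}
BROAD_RIDS = {513, 515}


@dataclass
class EnrollAce:
    """One access-allowed ACE, already decoded from the template's nTSecurityDescriptor."""
    sid: str
    object_type: Optional[str] = None   # extended-right GUID; None for a non-object ACE
    generic_all: bool = False           # GenericAll implies Enroll


@dataclass
class Template:
    name: str
    schema_version: int                 # msPKI-Template-Schema-Version
    name_flag: int                      # msPKI-Certificate-Name-Flag
    aces: List[EnrollAce] = field(default_factory=list)


def is_broad_principal(sid: str) -> bool:
    if sid in BROAD_SIDS:
        return True
    if sid.startswith("S-1-5-21-"):
        rid = sid.rsplit("-", 1)[1]
        return rid.isdigit() and int(rid) in BROAD_RIDS
    return False


def broad_enrollers(t: Template) -> List[str]:
    """SIDs of broad principals holding Enroll, directly or via GenericAll."""
    return sorted(
        ace.sid for ace in t.aces
        if is_broad_principal(ace.sid)
        and (ace.generic_all or (ace.object_type or "").lower() == ENROLL_RIGHT_GUID)
    )


def esc15_findings(t: Template) -> List[str]:
    """Which of the advisory's three conditions the template meets; all three must hold."""
    findings = []
    if t.schema_version == 1:
        findings.append("schema version 1")
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("subject supplied in request")
    broad = broad_enrollers(t)
    if broad:
        findings.append("broad Enroll: " + ", ".join(broad))
    return findings


def is_exposed(t: Template) -> bool:
    return len(esc15_findings(t)) == 3


def triage(templates: List[Template]) -> Dict[str, List[str]]:
    """Map each exposed template name to the reasons it was flagged."""
    return {t.name: esc15_findings(t) for t in templates if is_exposed(t)}


# Constructed sample records (not from a real forest); the domain SID is made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TEMPLATES = [
    # v1, request-supplied subject, Domain Users can enroll: meets all three conditions
    Template("WebServer", 1, 0x1, [EnrollAce(f"{DOMAIN}-513", ENROLL_RIGHT_GUID)]),
    # same shape, but only a custom group (RID 1105) can enroll
    Template("WebServer-Restricted", 1, 0x1, [EnrollAce(f"{DOMAIN}-1105", ENROLL_RIGHT_GUID)]),
    # v1 with broad Enroll, but the subject is built from AD rather than the request
    Template("User", 1, 0x0, [EnrollAce(f"{DOMAIN}-513", ENROLL_RIGHT_GUID)]),
    # request-supplied subject and broad GenericAll, but a v2 template
    Template("CustomV2", 2, 0x1, [EnrollAce("S-1-5-11", generic_all=True)]),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'; '.join(reasons)}")
```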

There is a significant history of research and exploitation of Active Directory Certificate Services, including the widely-discussed Certified Pre-Owned series, and the discovering researchers have now added further to that corpus, tagging CVE-2024-49019 as ESC15. In keeping with another long-standing infosec tradition, the researcher has provided a fun celebrity vulnerability name — in this case, EKUwu, a portmanteau of EKU (Extended Key Usage) and UwU, an emoticon representing a cute face — as part of their detailed and insightful write-up.

MSHTML: zero-day NTLMv2 hash disclosure

Given the CVSSv3 base score of 6.5, one might almost be forgiven for overlooking CVE-2024-43451, which describes an NTLM hash disclosure spoofing vulnerability in the MSHTML platform that powered Internet Explorer. However, public disclosure and in-the-wild exploitation are always worth a look. Although exploitation requires that the user interact with a malicious file, a successful attacker receives the user’s NTLMv2 hash, and can then use that to authenticate as the user.

Microsoft has arguably scored CVE-2024-43451 correctly according to the CVSSv3.1 specification. However, although the Microsoft CVSSv3 vector describes an impact only to confidentiality, if an attacker can authenticate as the user post-exploitation, a further potential for subsequent impact to integrity and availability now exists; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the sort of number where alarm bells typically start ringing for many defenders. As a further sting in the tail, the advisory FAQ describes the required user interaction as minimal: left click, right click, or even the highly non-specific “performing an action other than opening or executing [the file]”. There’s certainly the potential for a long tail of exploitation here, especially in environments with more relaxed patching cadence.

The complete Windows catalog from Server 2025 and Windows 11 24H2 all the way back to Server 2008 receives patches for CVE-2024-43451. As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable — regardless of whether or not a Windows asset has Internet Explorer 11 disabled.

Exchange: zero-day sender spoofing

It’s been a few months since we’ve seen any security patches for Exchange, but the streak is now broken with a zero-day vulnerability. Mailserver admins should be paying attention to CVE-2024-49040, which is a publicly disclosed spoofing vulnerability. The specific weakness is CWE-451: User Interface (UI) Misrepresentation of Critical Information, which is often associated with phishing attacks, as well as browser vulnerabilities, and can describe a wide range of misdeeds, from visual truncation and UI overlay to homograph abuse. Microsoft does not yet claim knowledge of in-the-wild exploitation.

The advisory for CVE-2024-49040 hints that post-patching actions may be required for remediation, and links to further information in a separate article titled “Exchange Server non-RFC compliant P2 FROM header detection”. A careful read of the article doesn’t appear to list any mandatory post-patching actions; instead, there is an optional extra mitigation strategy action around Exchange Transport Rules, as well as an encouragingly detailed explanation of the protection offered by today’s patches. The article showcases that an Exchange-connected email client such as Outlook might display a forged sender as if it were legitimate, which we can all agree is not a good outcome. Attackers don’t have to look far to find other vulnerabilities to chain with this one, since today’s sibling zero-day vulnerability CVE-2024-43451 is certainly an option. On the other hand, let’s take a moment to appreciate the Exchange team’s blog title: “You Had Me at EHLO”.

Patches for CVE-2024-49040 are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23. It’s worth remembering that both Exchange 2016 and 2019 have an extended end date of 2025-10-14, which is now less than a year away; this despite the fact that the successor for 2016 and 2019, which Microsoft is unsubtly branding as Exchange Server Subscription Edition, isn’t due for release until early in 2025 Q3. Many admins would no doubt prefer a longer upgrade window.

The researcher who reported CVE-2024-49040 also discovered a means to impersonate Microsoft corporate email accounts earlier this year, but went public with his findings after Microsoft dismissed his report; it appears that the relationship has been at least somewhat repaired.

Task Scheduler: zero-day EoP (but not SYSTEM)

Windows Task Scheduler facilitates all sorts of useful outcomes, and if you’re a threat actor, it now offers one more: elevation of privilege via CVE-2024-49039. Microsoft is aware of exploitation in the wild. Given the low attack complexity and low privileges requirement, no requirement for user interaction, high impact across the CIA triad, and changed scope, it’s no surprise that the CVSSv3 base score comes out as a relatively zesty 8.8. However, Windows elevation of privilege vulnerabilities are always most exciting for attackers when they lead directly to SYSTEM privileges, but that’s not the case here. The attacker in this scenario starts out in a low-privileged AppContainer sandbox, and exploitation via a malicious app provides medium integrity level privileges, which is the same as a regular non-administrative user on the system. Still, every step forward for a threat actor is a step back for defenders.

.NET: critical RCE

This month brings patches for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is so seldom a harbinger of good news. Exploitation might mean compromise of a desktop application by loading a malicious file, but most concerningly could also describe RCE in the context of a vulnerable .NET webapp via a specially crafted request. Microsoft assesses exploitation as less likely, but there’s nothing on the advisory which obviously supports that assessment, since this is a low-complexity network attack which requires neither privileges nor user interaction. CVE-2024-43498 is surely worthy of immediate patching. It’s also never a bad idea to review other options for protection, especially for internet-exposed services.

Kerberos: critical RCE

The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 9.8, although not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target, but without providing much information about the target or the precise context of code execution. The only safe assumption here is that code execution is in a highly-privileged context on a server which handles key authentication tasks. Patch accordingly.

Microsoft lifecycle update

In Microsoft lifecycle news, the most notable change is the arrival of Windows Server 2025 as a General Availability product at the start of November. Microsoft has announced a number of new features in Server 2025, which we will look forward to discussing in more detail in future editions of this blog.

At the other end of the lifecycle continuum, .NET 6.0 receives its final scheduled updates today; as .NET 6.0 is/was a Long Term Support (LTS) version, and .NET 7.0 is already beyond end of life, the only current upgrade path is to .NET 8.0.

Summary charts

SQL server dominating the heatmap, but it's mostly a group of closely-related client vulns.

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-49051 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43602 | Azure CycleCloud Remote Code Execution Vulnerability | No | No | 9.9 |
| CVE-2024-49056 | Airlift.microsoft.com Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2024-49042 | Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability | No | No | 7.2 |
| CVE-2024-43613 | Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability | No | No | 7.2 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-10827 | Chromium: CVE-2024-10827 Use after free in Serial | No | No | N/A |
| CVE-2024-10826 | Chromium: CVE-2024-10826 Use after free in Family Experiences | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43498 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2024-49050 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43499 | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-49049 | Visual Studio Code Remote Extension Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2024-49044 | Visual Studio Elevation of Privilege Vulnerability | No | No | 6.7 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43639 | Windows Kerberos Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2024-43627 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43628 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43620 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43621 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43622 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43635 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49046 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43626 | Windows Telephony Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43641 | Windows Registry Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43623 | Windows NT OS Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43644 | Windows Client-Side Caching Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43636 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability | No | Yes | 7.8 |
| CVE-2024-43452 | Windows Registry Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2024-43450 | Windows DNS Spoofing Vulnerability | No | No | 7.5 |
| CVE-2024-43634 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
| CVE-2024-43637 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
| CVE-2024-43638 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
| CVE-2024-43643 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
| CVE-2024-43449 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
| CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability | Yes | Yes | 6.5 |
| CVE-2024-38203 | Windows Package Library Manager Information Disclosure Vulnerability | No | No | 6.2 |

Mariner System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-5535 | OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread | No | No | 9.1 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-49031 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49032 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49026 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49027 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49028 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49029 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49030 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49033 | Microsoft Word Security Feature Bypass Vulnerability | No | No | 7.5 |

Open Source Software vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-49048 | TorchGeo Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2024-43598 | LightGBM Remote Code Execution Vulnerability | No | No | 7.5 |

SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-38255 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43459 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43462 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48994 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48995 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48996 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48993 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48997 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48998 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-48999 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49000 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49001 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49002 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49003 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49004 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49005 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49007 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49006 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49008 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49009 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49010 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49011 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49012 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49013 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49014 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49015 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49016 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49017 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49018 | SQL Server Native Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-49043 | Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-49021 | Microsoft SQL Server Remote Code Execution Vulnerability | No | No | 7.8 |

Server Software vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability | No | Yes | 7.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability | Yes | No | 8.8 |
| CVE-2024-43624 | Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-43447 | Windows SMBv3 Server Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2024-43530 | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43640 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43630 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43629 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43642 | Windows SMB Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-43631 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2024-43646 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2024-43645 | Windows Defender Application Control (WDAC) Security Feature Bypass Vulnerability | No | No | 6.7 |
| CVE-2024-43633 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-38264 | Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability | No | No | 5.9 |

Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks

On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution. The vulnerability arises from a missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.

Fortinet’s advisory notes that CVE-2024-47575 has been “reported” as exploited in the wild. Rapid7 customers have also reported receiving communications from service providers indicating the vulnerability may have been exploited in their environments. According to the vendor, “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.” Rapid7 strongly recommends reviewing the vendor advisory for indicators of compromise and mitigation strategies.

Background

Since roughly October 13, there have been private industry discussions and a number of public posts on Reddit, Twitter, and Mastodon about a rumored zero-day vulnerability in FortiManager. Public Reddit conversations indicated that Fortinet contacted some of their customers by email circa October 15 to “privately disclose” a FortiManager vulnerability and advise on mitigations. Despite embargoed communications and the publication of several news articles, neither a public advisory nor a CVE was issued until October 23.

On the evening of October 22, high-profile cybersecurity researcher Kevin Beaumont published a blog alleging that a state-sponsored adversary has been using this FortiManager zero-day vulnerability in espionage attacks. While Fortinet’s advisory doesn’t include any information about specific adversaries exploiting the vulnerability, Fortinet devices have long been popular targets for state-sponsored threat actors.

Mitigation guidance

Per Fortinet’s advisory, the following versions of FortiManager are vulnerable to CVE-2024-47575 and have mitigation guidance available:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2 (all versions)
  • FortiManager Cloud 7.0 (all versions)
  • FortiManager Cloud 6.4 (all versions)

The advisory indicates FortiManager Cloud 7.6 is not affected.
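As an added example (not Fortinet's tooling, and not from the original post), the check below encodes the affected ranges listed above so that an inventory of FortiManager version strings can be triaged in one pass; the hostnames, build numbers and the status-line format of the version strings are constructed, and the vendor advisory remains the authoritative source for the ranges.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class VersionRange(NamedTuple):
    product: str
    low: Tuple[int, ...]
    high: Optional[Tuple[int, ...]]   # None: every release sharing the 'low' prefix


# Transcribed from the affected-version list above (advisory for CVE-2024-47575).
AFFECTED = [
    VersionRange("FortiManager", (7, 6, 0), (7, 6, 0)),
    VersionRange("FortiManager", (7, 4, 0), (7, 4, 4)),
    VersionRange("FortiManager", (7, 2, 0), (7, 2, 7)),
    VersionRange("FortiManager", (7, 0, 0), (7, 0, 12)),
    VersionRange("FortiManager", (6, 4, 0), (6, 4, 14)),
    VersionRange("FortiManager Cloud", (7, 4, 1), (7, 4, 4)),
    VersionRange("FortiManager Cloud", (7, 2), None),   # all 7.2.x
    VersionRange("FortiManager Cloud", (7, 0), None),   # all 7.0.x
    VersionRange("FortiManager Cloud", (6, 4), None),   # all 6.4.x
]

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of a status line such as 'Version: v7.4.3-build2538'
    (constructed sample format); raises if no x.y.z version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_affected(product: str, version_text: str) -> bool:
    """True when the parsed version falls inside any affected range for that product."""
    v = parse_version(version_text)
    for r in AFFECTED:
        if r.product != product:
            continue
        if r.high is None:
            if v[: len(r.low)] == r.low:
                return True
        elif r.low <= v <= r.high:
            return True
    return False


# Constructed inventory: hostnames and build numbers are made up.
INVENTORY = [
    ("fmg-hq-01", "FortiManager", "Version: v7.4.3-build2538"),
    ("fmg-hq-02", "FortiManager", "Version: v7.4.5-build2600"),
    ("fmg-dr-01", "FortiManager", "Version: v6.4.14-build2500"),
    ("fmg-cloud-eu", "FortiManager Cloud", "7.2.9"),
    ("fmg-cloud-us", "FortiManager Cloud", "7.6.0"),
]


def needs_emergency_update(inventory) -> List[str]:
    """Hostnames whose product and version fall inside an affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host in needs_emergency_update(INVENTORY):
        print(f"{host}: affected by CVE-2024-47575, update out of cycle")
```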

FortiManager customers should update to a supported, fixed version on an emergency basis, without waiting for a regular patch cycle to occur. See the vendor advisory for the latest list of fixed versions. A workaround is also available for some versions.

Fortinet’s advisory also includes a list of indicators of compromise (IOCs) that FortiManager customers should look for in their environments.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-47575 with an authenticated check expected to be available in the Wednesday, October 23 content release.

Patch Tuesday - October 2024

Microsoft is addressing 118 vulnerabilities this October 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for five of the vulnerabilities published today, although it does not rate any of these as critical (yet). Of those five, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is also patching three further critical remote code execution (RCE) vulnerabilities today. Three browser vulnerabilities have already been published separately this month, and are not included in the total.

Somewhat unusually, we’ll take a look at two of the three critical RCEs published today — CVE-2024-43468 and CVE-2024-43582 — before moving on to the arguably somewhat-less-threatening zero-day vulnerabilities patched today.

Microsoft Configuration Manager: pre-auth RCE

Microsoft Configuration Manager receives a patch for the only vulnerability published by Microsoft today with a CVSS base score of 9.8. Although Microsoft doesn’t tag it as either publicly disclosed or exploited-in-the-wild, the advisory for CVE-2024-43468 appears to describe a no-interaction, low complexity, unauthenticated network RCE against Microsoft Configuration Manager. Exploitation is achieved by sending specially-crafted malicious requests, and leads to code execution in the context of the Configuration Manager server or its underlying database. The relevant update is installed within the Configuration Manager console, and requires specific administrator actions that Microsoft describes in detail in a generic series of articles. Further information and several specific required steps are described in KB29166583.

Confusingly, this KB29166583 was first published over a month ago on 2024-09-04, and was then subsequently unpublished and republished on 2024-09-18, all without any mention of CVE-2024-43468, which was published only today and which KB29166583 apparently remediates. Defenders should read the available documentation carefully, and then probably read it again for good measure.

RDP RPC: pre-auth RCE

Any RDP Server critical RCE is worth patching quickly. CVE-2024-43582 is a pre-auth critical RCE in the Remote Desktop Protocol Server. Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset. One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.

Winlogon: zero-day EoP

Who doesn’t love a good elevation of privilege vulnerability? Weary blue teamers who see the words “publicly disclosed” on a brand-new advisory know the answer. CVE-2024-43583 describes a flaw in Winlogon which gets an attacker all the way to SYSTEM via abuse of a third-party Input Method Editor (IME) during the sign-on process. The supplementary KB5046254 article explains that the 2024-10-08 patches disable non-Microsoft IME during the sign-in process. On that basis, outright removal of third-party IME is a mitigation available to anyone who is not able to apply today’s patches immediately.

Attack surface reduction is always worth considering, and removal of third-party IMEs certainly accomplishes that. Anyone who needs to keep a third-party IME can still do so, but once today’s patches are applied, that third-party IME will be disabled — only in the context of the sign-in process — to prevent exploitation of CVE-2024-43583. Although Microsoft doesn’t quite spell it out, the only reasonable interpretation of the available information is that an asset with no first-party/Microsoft IME installed would remain vulnerable after patching, since otherwise no IME would be available when attempting to sign in. Use of third-party IME is more likely to be a concern in mixed-language or non-English-speaking contexts. The disclosure process around this vulnerability may not have been entirely smooth; back in September, one of the researchers credited with the discovery expressed discontent with MSRC via X-formerly-known-as-Twitter.

Hyper-V: zero-day container escape

CVE-2024-20659 describes a publicly-disclosed security feature bypass in Hyper-V. Microsoft describes exploitation as both less likely and highly complex. An attacker must be both lucky and resourceful, since only UEFI-enabled hypervisors with certain unspecified hardware are vulnerable, and exploitation requires coordination of a number of factors followed by a well-timed reboot. All this after first achieving a foothold on the same network — although in this context, this likely means access to a VM on the target hypervisor, rather than some other location on the same subnet. The prize for successful exploitation is compromise of the hypervisor kernel.

MSHTML: zero-day XSS

CVE-2024-43573 is an exploited-in-the-wild spoofing vulnerability in MSHTML for which Microsoft is also aware of functional public exploit code; the advisory lists CWE-79 as the weakness, which translates to cross-site scripting (XSS). The advisory is sparse on further detail, although Windows Server 2012/2012 R2 admins who typically install Security Only updates should note that Microsoft is encouraging installation of the Monthly Rollups to ensure remediation in this case. The low CVSSv3 base score of 6.5 reflects the requirement for user interaction and the lack of impact to integrity or availability; a reasonable assumption might be that exploitation leads to improper disclosure of sensitive data, but no other direct effect on the target asset.

cURL: zero-day RCE

Microsoft is most famous for its closed source products, but has cautiously softened its stance on open source considerably in the past quarter century or so. Windows has included components of cURL for almost seven years at this point, along with various other open source components; Microsoft does patch these from time to time, although not always as quickly as defenders might like. Today’s patches for CVE-2024-6197, a publicly-disclosed RCE vulnerability in cURL, continue that trend.

The Microsoft advisory for CVE-2024-6197 clarifies that Windows does not ship libcurl, only the curl command line, but that’s still vulnerable and thus in scope for a fix. Exploitation requires that the user connect to a malicious server controlled by the attacker, and code execution is presumably in the context of the user launching the curl CLI tool on the Windows asset. The cURL project advisory for CVE-2024-6197 was originally published on 2024-07-24, and offers further detail from their perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash, and does not specifically mention RCE, although it is careful not to exclude the possibility of unspecified “more serious results,” which could well mean RCE. Microsoft rates this vulnerability as important, which is on track with the CVSS base score of 8.8.

Management Console: zero-day RCE

CVE-2024-43572 rounds out today’s five zero-day vulnerabilities, and describes a low-complexity, no-user-interaction RCE in Microsoft Management Console. Microsoft is aware of both public functional exploit code and in-the-wild exploitation. The vulnerability is exploited when a user downloads and opens a specially-crafted malicious Microsoft Saved Console (MSC) file, so there’s no suggestion here that the Management Console is vulnerable via network attack. Today’s patches prevent untrusted MSC files from being opened, although the advisory does not describe how Windows will know what’s trusted and what isn’t. Microsoft has chosen to map CVE-2024-43572 to CWE-70, which is a very broad category, the use of which is explicitly discouraged by MITRE.

VS Code Arduino extension: cloud critical RCE

A third critical RCE patched today is hopefully less concerning than its siblings. CVE-2024-43488 is in the Visual Studio Code extension for Arduino, and Microsoft notes that the vulnerability documented by this CVE requires no customer action to resolve. A reasonable question is: what does “no action required” really mean here? Within the advisory, Microsoft both claims to have fully mitigated the vulnerability, and also that there is no plan to fix the vulnerability. As confusing as that all sounds, perhaps the most important takeaway here is that Microsoft is now issuing cloud service CVEs in a stated effort to improve transparency. It’s not clear when the vulnerability was first introduced or when it was remediated, but nevertheless the recent expansion into a whole new class of CVEs is a welcome step by Microsoft.

SharePoint: EoP to SYSTEM

The advisory for CVE-2024-43503, an elevation of privilege vulnerability which leads to SYSTEM, is sparse. Advisories for similar vulnerabilities typically describe the specific SharePoint privileges required, but this one does not, so a reasonable assumption might be that the requirement here is simply minimal Site Member privileges.

Microsoft lifecycle update

Today sees the end of support for Windows 11 22H2 for Home, Pro, Pro Education, Pro for Workstations, and SE editions, as well as for Windows 11 21H2 for Education, Enterprise, and Enterprise multi-session editions. Server 2012 and Server 2012 R2 pass into Year 2 of ESU. Windows Embedded POSReady — the POS stands for Point-of-Sale — receives its final ESU updates today, and that might just be the last gasp for Windows 7 as a whole. As well as patching today’s critical RCE CVE-2024-43468, Intune admins still using Configuration Manager 2303 should look to upgrade to a newer version immediately, because support ends (somewhat unusually) on Thursday this week.

Summary charts


Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43604 | Outlook for Android Elevation of Privilege Vulnerability | No | No | 5.7 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-38179 | Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-43591 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | No | No | 8.7 |
| CVE-2024-38097 | Azure Monitor Agent Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2024-43480 | Azure Service Fabric for Linux Remote Code Execution Vulnerability | No | No | 6.6 |

Browser vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-9370 | Chromium: CVE-2024-9370 Inappropriate implementation in V8 | No | No | N/A
CVE-2024-9369 | Chromium: CVE-2024-9369 Insufficient data validation in Mojo | No | No | N/A
CVE-2024-7025 | Chromium: CVE-2024-7025 Integer overflow in Layout | No | No | N/A

Developer Tools vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-43488 | Visual Studio Code extension for Arduino Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43497 | DeepSpeed Remote Code Execution Vulnerability | No | No | 8.4
CVE-2024-38229 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 8.1
CVE-2024-43590 | Visual C++ Redistributable Installer Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43483 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43484 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43485 | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43601 | Visual Studio Code for Linux Remote Code Execution Vulnerability | No | No | 7.1
CVE-2024-43603 | Visual Studio Collector Service Denial of Service Vulnerability | No | No | 5.5

ESU Windows vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-38124 | Windows Netlogon Elevation of Privilege Vulnerability | No | No | 9
CVE-2024-43518 | Windows Telephony Server Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43608 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43607 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-38265 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43453 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-38212 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43564 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43589 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43592 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43593 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43532 | Remote Registry Service Elevation of Privilege Vulnerability | No | No | 8.8
CVE-2024-43599 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43519 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43517 | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43583 | Winlogon Elevation of Privilege Vulnerability | No | Yes | 7.8
CVE-2024-38261 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.8
CVE-2024-43514 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43509 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43556 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43501 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43563 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43560 | Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability | Yes | Yes | 7.8
CVE-2024-38262 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | No | No | 7.5
CVE-2024-43545 | Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43521 | Windows Hyper-V Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43567 | Windows Hyper-V Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43541 | Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43544 | Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43515 | Internet Small Computer Systems Interface (iSCSI) Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43506 | BranchCache Denial of Service Vulnerability | No | No | 7.5
CVE-2024-38149 | BranchCache Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43550 | Windows Secure Channel Spoofing Vulnerability | No | No | 7.4
CVE-2024-43553 | NT OS Kernel Elevation of Privilege Vulnerability | No | No | 7.4
CVE-2024-43535 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7
CVE-2024-37976 | Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.7
CVE-2024-37982 | Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.7
CVE-2024-37983 | Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.7
CVE-2024-37979 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 6.7
CVE-2024-43512 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability | Yes | Yes | 6.5
CVE-2024-43547 | Windows Kerberos Information Disclosure Vulnerability | No | No | 6.5
CVE-2024-43534 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 6.5
CVE-2024-43570 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 6.4
CVE-2024-43513 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.4
CVE-2024-43520 | Windows Kernel Denial of Service Vulnerability | No | No | 5
CVE-2024-43456 | Windows Remote Desktop Services Tampering Vulnerability | No | No | 4.8

Mariner Windows vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-6197 | Open Source Curl Remote Code Execution Vulnerability | No | Yes | 8.8

Microsoft Office vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-43503 | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43505 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8
CVE-2024-43576 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8
CVE-2024-43616 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8
CVE-2024-43504 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8
CVE-2024-43609 | Microsoft Office Spoofing Vulnerability | No | No | 6.5

SQL Server vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-43612 | Power BI Report Server Spoofing Vulnerability | No | No | 6.9
CVE-2024-43481 | Power BI Report Server Spoofing Vulnerability | No | No | 6.5

System Center vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability | No | No | 9.8
CVE-2024-43614 | Microsoft Defender for Endpoint for Linux Spoofing Vulnerability | No | No | 5.5

Windows vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2024-43533 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8
CVE-2024-43574 | Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability | No | No | 8.3
CVE-2024-43582 | Remote Desktop Protocol Server Remote Code Execution Vulnerability | No | No | 8.1
CVE-2024-30092 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8
CVE-2024-43551 | Windows Storage Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43516 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43528 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43527 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2024-43584 | Windows Scripting Engine Security Feature Bypass Vulnerability | No | No | 7.7
CVE-2024-43562 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 7.5
CVE-2024-43565 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 7.5
CVE-2024-38129 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.5
CVE-2024-43575 | Windows Hyper-V Denial of Service Vulnerability | No | No | 7.5
CVE-2024-38029 | Microsoft OpenSSH for Windows Remote Code Execution Vulnerability | No | No | 7.5
CVE-2024-43552 | Windows Shell Remote Code Execution Vulnerability | No | No | 7.3
CVE-2024-43529 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.3
CVE-2024-43502 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.1
CVE-2024-20659 | Windows Hyper-V Security Feature Bypass Vulnerability | No | Yes | 7.1
CVE-2024-43581 | Microsoft OpenSSH for Windows Remote Code Execution Vulnerability | No | No | 7.1
CVE-2024-43615 | Microsoft OpenSSH for Windows Remote Code Execution Vulnerability | No | No | 7.1
CVE-2024-43522 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7
CVE-2024-43511 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7
CVE-2024-43525 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8
CVE-2024-43526 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8
CVE-2024-43543 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8
CVE-2024-43523 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8
CVE-2024-43524 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8
CVE-2024-43536 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8
CVE-2024-43537 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43538 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43540 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43542 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43555 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43557 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43558 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43559 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43561 | Windows Mobile Broadband Driver Denial of Service Vulnerability | No | No | 6.5
CVE-2024-43546 | Windows Cryptographic Information Disclosure Vulnerability | No | No | 5.6
CVE-2024-43571 | Sudo for Windows Spoofing Vulnerability | No | No | 5.6
CVE-2024-43500 | Windows Resilient File System (ReFS) Information Disclosure Vulnerability | No | No | 5.5
CVE-2024-43554 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | No | No | 5.5
CVE-2024-43508 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5
CVE-2024-43585 | Code Integrity Guard Security Feature Bypass Vulnerability | No | No | 5.5

Modernizing Your VM Program with Rapid7 Exposure Command: A Path to Effective Continuous Threat Exposure Management

In today’s threat landscape, where cyber-attacks are increasingly sophisticated and pervasive, organizations face the daunting challenge of securing a constantly expanding attack surface. Traditional vulnerability management (VM) programs, while necessary, are no longer sufficient on their own. They often struggle to keep pace with the dynamic nature of threats and the complexity of modern IT environments.

This is where continuous threat exposure management (CTEM) comes into play – an approach that shifts the focus from merely identifying vulnerabilities to understanding and mitigating exposures across the entire attack surface.

Implementing a continuous threat and exposure management process

CTEM is a term originally coined by Gartner, who defined it as, “a five-stage approach that continuously exposes an organization's networks, systems, and assets to simulated attacks to identify vulnerabilities and weaknesses.”

The five stages of CTEM as defined by Gartner are:

  • Scoping: This involves understanding the full threat landscape by incorporating tools like external attack surface management (EASM) and network scanning. However, it emphasizes the need to think in terms of business context, focusing on crown jewels, critical applications, and understanding what matters most to the organization.
  • Discovery: This stage focuses on discovering assets and profiling the associated risks. It requires visibility into both cloud and on-premises environments and extends beyond identifying vulnerabilities to include coverage gaps, misconfigurations, and other security risks.
  • Prioritization: Since not all risks can be addressed simultaneously, this phase involves prioritizing issues based on a combination of factors like severity, exploitability, and potential business impact, to determine what should be tackled first.
  • Validation: This stage emphasizes investing in tools that help validate security controls and map potential attack paths. It includes the use of breach and attack simulation (BAS) tools, continuous assessment services, controls monitoring, and attack path mapping to test the effectiveness of existing defenses.
  • Mobilization: The final stage is about taking action. It includes both automation of responses and fostering cross-organizational alignment to ensure that remediation efforts are executed effectively and in sync with business priorities.

This framework helps organizations continuously manage and reduce their exposure to threats in a way that is strategic and aligned to the business.

The role of exposure assessment platforms (EAPs) in CTEM

Exposure assessment platforms (EAPs) are essential to a successful CTEM program. They continuously identify and prioritize exposures, such as vulnerabilities and misconfigurations, across a broad range of asset classes. By consolidating and contextualizing data from various sources, EAPs provide a more comprehensive view of an organization’s risk landscape. This enables security teams to prioritize remediation efforts based on factors such as asset criticality, business impact, and the likelihood of exploitation.

Gartner's insights into EAPs underscore their importance in modern cybersecurity strategies. By delivering a centralized view of high-risk exposures, EAPs empower organizations to take decisive actions to prevent breaches. They also enhance operational efficiency by offering a unified dashboard that tracks the lifecycle of vulnerabilities and other exposures.

How Rapid7 Exposure Command supports modern vulnerability management programs

Exposure Command is designed to bridge the security-visibility gap many organizations face. By integrating the capabilities of an EAP into a comprehensive security platform, Exposure Command enables organizations to modernize their VM programs and align them with the principles of CTEM.

Exposure Command can help organizations achieve this transformation in a few ways:

  • Consolidated view of exposures from the inside out and outside in: Exposure Command provides a single, consolidated view of all assets and identified exposures from an internal and external perspective, including vulnerabilities, misconfigurations, and other risk signals. This unified view reduces the overhead associated with managing multiple tools and platforms, enabling security teams to focus on what matters most: mitigating the most critical threats.
  • Vendor-agnostic approach: As organizations adopt a CTEM approach, they require tools that can evaluate a wide range of exposure telemetry, including security control configurations. Exposure Command excels in this area by leveraging data from existing endpoint and network investments to create a more accurate, situational picture of the organization’s risk landscape. This holistic view is crucial for making informed decisions about where to focus remediation efforts.
  • Contextualized risk prioritization: Traditional VM programs often rely on CVSS scores to prioritize vulnerabilities, which can lead to misaligned efforts. Exposure Command, however, incorporates threat intelligence, asset criticality, and business impact into its risk-prioritization algorithms. This results in a more accurate and actionable understanding of which exposures pose the greatest risk to the organization.
  • Identify exploitability and potential for lateral movement: Exposure Command provides the contextual asset enrichment that enables effective threat detection, investigation, and response. The platform showcases how an attacker might exploit vulnerabilities and provides guidance on how to prevent such incidents.
  • Automated response workflows and deep ecosystem integration: One of the key benefits of Exposure Command is its ability to automate and streamline workflows. By integrating with existing security tools and platforms, Exposure Command can automatically ingest and analyze exposure data, reducing the manual effort required to maintain a VM program. This automation not only improves efficiency but also ensures security teams have access to the most up-to-date information. More and more we’re running into non-patchable systems too, and this deep integration and ability to provide bi-directional workflows enables more effective mobilization across teams, giving actionable feedback to those around the organization who have the ability to execute the necessary remediation actions.

While the benefits of Exposure Command are clear, it’s important to recognize that its effectiveness is tied to the maturity of the organization’s CTEM processes. If these processes are broken or immature, the value of Exposure Command may be limited. However, by adopting an outcome-driven approach that scopes the most critical aspects of the business and correlates asset context with dynamic risk ratings, organizations can maximize the benefits of Exposure Command.

Furthermore, the platform’s ability to integrate with a wide range of tools ensures it can enhance existing security programs, rather than requiring a complete overhaul. This makes it an ideal solution for organizations looking to modernize their VM programs and adopt a more proactive approach to threat management. As you look to strengthen your organization’s cybersecurity posture, consider how Rapid7 Exposure Command can help you bridge the security visibility gap and take a more proactive approach to managing your threat landscape.

Multiple Vulnerabilities in Common Unix Printing System (CUPS)

On Thursday, September 26, 2024, a security researcher publicly disclosed several vulnerabilities affecting different components of OpenPrinting’s CUPS (Common Unix Printing System). CUPS is a popular IPP-based open-source printing system primarily (but not only) for Linux and UNIX-like operating systems. According to the researcher, a successful exploit chain allows remote unauthenticated attackers to replace existing printers’ IPP URLs with malicious URLs, resulting in arbitrary command execution when a print job is started from the target device.

The vulnerabilities disclosed by the researcher are:

  • CVE-2024-47176: Affects cups-browsed <= 2.0.1. The service binds on UDP *:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076: Affects libcupsfilters <= 2.1b1. cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
  • CVE-2024-47175: Affects libppd <= 2.1b1. The ppdCreatePPDFromIPP2 API does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
  • CVE-2024-47177: Affects cups-filters <= 2.0.1. The foomatic-rip filter allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

According to the researcher’s disclosure blog, affected systems are exploitable from the public internet, or across network segments, if UDP port 631 is exposed and the vulnerable service is listening. CUPS is enabled by default on most popular Linux distributions, but exploitability may vary across implementations. As of 6 PM ET on Thursday, September 26, Red Hat has an advisory available noting that they consider this group of vulnerabilities of Important severity rather than Critical.

Mitigation guidance

We expect patches and remediation guidance to be forthcoming from affected vendors and distributions over the next few days. While the vulnerabilities are not known to be exploited in the wild at time of disclosure, technical details were leaked before the issues were released publicly, which may mean attackers and researchers have had the opportunity to develop exploit code. We advise applying patches and/or mitigations as soon as they are available as a precaution, even if exploitability is more limited in some implementations.

Additional mitigation guidance:

  • Disable and remove the cups-browsed service if it is not necessary
  • Block or restrict traffic to UDP port 631
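The following triage helper is an added example, not code from Rapid7 or OpenPrinting. It ties together the affected-version list above and the two mitigation bullets: it compares installed package versions against the inclusive upper bounds stated in the disclosure (cups-browsed <= 2.0.1, libcupsfilters <= 2.1b1, libppd <= 2.1b1, cups-filters <= 2.0.1) and flags any process bound to UDP port 631. The package map and the `ss -lunp` text are constructed samples, and the assumed input format is `dpkg-query -W -f='${Package} ${Version}\n'` style "name version" pairs; adapt the collection step for rpm-based distributions.

```python
"""Triage helper for the CUPS advisories (added example, not Rapid7's or
OpenPrinting's code). Compares installed package versions against the
affected ranges stated in the disclosure and flags hosts where something is
bound to UDP 631. Inputs below are constructed samples, not captured output.
"""
import re

# Inclusive upper bound of affected versions, as listed in the disclosure.
AFFECTED_MAX = {
    "cups-browsed": "2.0.1",
    "libcupsfilters": "2.1b1",
    "libppd": "2.1b1",
    "cups-filters": "2.0.1",
}


def parse_version(version):
    """Turn a version like '2.1b1' or '1:2.0.1-3' into a comparable tuple.

    The Debian epoch ('1:') and distro revision ('-3') are stripped first.
    A pre-release tag sorts below the final release of the same number,
    so 2.1b1 < 2.1, which is what the '<= 2.1b1' bound requires.
    """
    version = version.split(":", 1)[-1].split("-", 1)[0]
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]+)?(\d+)?", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        number, tag, tag_num = m.groups()
        if tag:  # pre-release: rank 0 sorts before the final release's rank 1
            parts.append((int(number), 0, tag, int(tag_num or 0)))
        else:
            parts.append((int(number), 1, "", 0))
    return tuple(parts)


def is_affected(package, version):
    """True when the package is one of the four and its version is in range."""
    if package not in AFFECTED_MAX:
        return False
    return parse_version(version) <= parse_version(AFFECTED_MAX[package])


def udp_631_listeners(ss_output):
    """Return process names bound to UDP port 631 from `ss -lunp` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Row layout: State Recv-Q Send-Q Local:Port Peer:Port Process
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue
        if fields[3].endswith(":631"):
            m = re.search(r'users:\(\("([^"]+)"', line)
            listeners.append(m.group(1) if m else "unknown")
    return listeners


def triage(packages, ss_output):
    """Combine both checks into a list of findings for one host."""
    findings = []
    for pkg, ver in packages.items():
        if is_affected(pkg, ver):
            findings.append(f"{pkg} {ver} is within the affected range (<= {AFFECTED_MAX[pkg]})")
    for proc in udp_631_listeners(ss_output):
        findings.append(f"UDP 631 is bound by {proc}; restrict or disable it if not needed")
    return findings


# Constructed sample data standing in for package-manager and `ss -lunp` output.
SAMPLE_PACKAGES = {
    "cups-browsed": "2.0.1-1",
    "libcupsfilters": "2.1b1-2",
    "libppd": "2.1b1-2",
    "cups-filters": "2.0.1-1",
    "cups": "2.4.7-1",
}
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=611,fd=13))
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKAGES, SAMPLE_SS):
        print(finding)
```

A host that reports no findings here can still carry the libcupsfilters and libppd issues if the package names differ on its distribution, so treat the package map as a starting point and confirm against the distribution's own advisory once it is published.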

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to these CVEs with authenticated checks that look for affected CUPS packages on UNIX-based systems. These checks are expected to be released in a second content release this evening (ETA 10 PM ET on Thursday, September 26).

We expect to update with additional checks in the coming days as vendors release fixes and more information.

High-risk vulnerabilities in common enterprise technologies

Rapid7 is warning customers about several high-risk vulnerabilities in common enterprise technologies that are attractive potential attack targets for both state-sponsored and financially motivated adversaries. We are advising customers to prioritize remediation for these issues on an expedited basis wherever possible:

  • CVE-2024-41874: Critical remote code execution vulnerability in Adobe ColdFusion
  • CVE-2024-38812, CVE-2024-38813: Remote code execution and privilege escalation vulnerabilities (respectively) in Broadcom VMware vCenter Server and Cloud Foundation
  • CVE-2024-29847: Critical remote code execution (via deserialization) vulnerability in Ivanti Endpoint Manager (EPM)

Adobe ColdFusion CVE-2024-41874

On September 10, 2024, Adobe published a critical advisory for CVE-2024-41874, an unauthenticated remote code execution issue that occurs as a result of unsafe Web Distributed Data eXchange (“Wddx”) packet deserialization. Rapid7 MDR has previously observed exploitation that targets Wddx for remote code execution; we have also previously observed exploitation of multiple other ColdFusion CVEs.

Affected products and mitigation: Adobe ColdFusion 2023 (update 9 and earlier) and Adobe ColdFusion 2021 (update 15 and earlier) are vulnerable to CVE-2024-41874. The vulnerability is resolved in versions 10 and 16, respectively. For more information, see the vendor advisory.

Broadcom VMware vCenter Server CVEs

On September 17, 2024, Broadcom published an advisory on CVE-2024-38812, a critical heap overflow vulnerability affecting VMware vCenter Server. Successful exploitation of CVE-2024-38812 allows an attacker with network access to the vulnerable server to execute code remotely on the target system. CVE-2024-38813, a local privilege escalation vulnerability, was also reported by the same researchers, making this a full-chain exploit. We are not aware of exploitation in the wild as of September 19, 2024, but vCenter Server is a high-value attack target for ransomware and extortion groups.

Affected products and mitigation: Broadcom VMware vCenter Server 7.0 and 8.0 are vulnerable to CVE-2024-38812 and CVE-2024-38813. Fixes are available as indicated in the vendor advisory. Broadcom also has an FAQ available.

Ivanti Endpoint Manager CVE-2024-29847

On September 10, 2024, Ivanti published a security advisory on CVE-2024-29847, an unsafe deserialization vulnerability in the Ivanti Endpoint Manager (EPM) solution. Successful exploitation allows unauthenticated attackers to execute code remotely on target systems. Vulnerability details and proof-of-concept exploit code are available.

Affected products and mitigation: Ivanti Endpoint Manager (EPM) 2022 SU5 (and earlier) and EPM 2024 are vulnerable to CVE-2024-29847. Customers using EPM 2022 can remediate this and other recent vulnerabilities by updating to 2022 SU 6. Per Ivanti’s security advisory, EPM 2024 customers can apply an available security patch while waiting for 2024 SU1, which is yet to be released. See Ivanti’s advisory for the latest information.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to Adobe ColdFusion CVE-2024-41874 and Broadcom VMware vCenter Server CVE-2024-38812 and CVE-2024-38813 with vulnerability checks released previously. A vulnerability check for Ivanti EPM CVE-2024-29847 is in development and is expected to be available in tomorrow’s (Friday, September 20) content release.

Part 1: Overview of the Problem ASM Solves and a High-Level Description of ASM and Its Components

Help, I can’t see! A Primer for Attack Surface Management blog series

Welcome to the first installment of our multipart series, "Help! I Can’t See! A Primer for Attack Surface Management Blog Series." In this series, we will explore the critical challenges and solutions associated with Attack Surface Management (ASM), a vital aspect of modern cybersecurity strategy. This initial blog, titled "Overview of the Problem ASM Solves and a High-Level Description of ASM and Its Components," sets the stage by examining the growing difficulties organizations face in managing their digital environments and how ASM can help address these issues effectively.

The fast-paced evolution of digital infrastructure that is driving businesses forward (e.g. workstations, virtual machines, containers, edge) is also making it more difficult for organizations to keep track of and account for the cyber attack surface they’re responsible for protecting. Despite security teams continuing to invest exorbitant amounts of money on tools (VM, EDR, CNAPP, etc.) to both manage their digital environment and also secure it, the problem isn’t getting any better. In this 3-part blog series we will help demystify the problems of security data silos and tool sprawl so you can answer pertinent questions like:

  • How many assets and identities am I responsible for protecting?
  • How many assets and identities are lacking security controls like endpoint security or MFA?
  • What is my overall security posture?

When we look at the number and types of tools organizations spend money on to manage and secure their digital environment, we typically see things like vulnerability scanners, endpoint security, IdP, patching, IT asset management, Cloud Service Providers, and more. Each of these tools and technologies tends to do a pretty good job at its core function but unintentionally contributes to a fractured ecosystem that provides organizations with contradictory information about their digital environment.


The age-old problem: How many assets do I have?

Let’s look at a real-world example of this where an organization has solutions for Vulnerability Management (VM), Cloud Security Posture Management (CSPM), Endpoint Security (EDR/EPP), Active Directory (Directory Services) and IT Asset Management (ITAM).

(Infographic: asset counts as reported by the VM, CSPM, EDR/EPP, Active Directory, and ITAM tools)

None of these tools can agree on the number of assets in the environment. It’s practically impossible to achieve 100% deployment of agent-based tools across your business (some types of assets cannot have agents!). It then becomes a real challenge to see across these tooling visibility gaps. The result is that we cannot answer the basic question of “How many assets am I responsible for protecting?”

This is compounded because, if we can’t agree on the total number of assets, then we don’t know the number of controls in place, the number of vulnerabilities and exposures that exist, or the number of active threats in our environment. Teams that manage and secure organizations are relying upon incorrect information in an environment where prioritization and decision making need to be based on high-fidelity information that incorporates IT, security, and business context to lead to the best outcomes.

To drill down on these points, let’s pick on a few tools from the infographic for illustrative purposes. Wiz will only see assets in the cloud, Active Directory only sees assets (mostly Windows) tied to the Domain Controller, and traditional vulnerability scanners see across hybrid environments but tend to be mostly deployed on-premise. If you home in on the numbers in the Asset column you will immediately notice that none of these tools agree on the number of assets in the environment. Lacking visibility and confidence in your attack surface is a big data problem, and deploying the latest shiny security tool is not going to fix it.

Ultimately, we have an industry-created data problem that Rapid7 is not immune to. For a number of perfectly good reasons, we have created a fractured technology ecosystem that is preventing security teams from having the best data available to determine their cyber risk and enabling them to prioritize the most effective remediation and response.

We need to see across the gaps that truly matter; for that we need Attack Surface Management.

What is Attack Surface Management?

Attack Surface Management (ASM) is generally part of a wider Exposure Management program and is a different way to think about cyber risk by focusing on addressing the digital parts of the business that are most vulnerable to attack. Taking an attack surface-based approach to your security program needs to consider a number of different elements including:

  • Discovery and inventory of all cyber assets in the organization, from the endpoint to the cloud
  • Internet-scanning to identify unknown exposures and map them to the existing asset inventory
  • High-fidelity visibility and insights into the IT, security, and business context of those assets
  • Relationship-mapping between the assets and the wider network and business infrastructure

ASM is a continuous process that is constantly assessing the state of the attack surface by uncovering new or updated assets, identifying the use of shadow IT in network or cloud use cases and prioritizing exposures based on their potential risk to the business. These elements of discovery and prioritization are foundational elements of a Continuous Threat Exposure Management (CTEM) initiative, where security teams are taking a more holistic approach to managing all types of exposures in their organizations.

A positive trend that we are currently seeing is that security teams are going back to basics and focusing on cyber asset management to first discover and understand the assets they’re responsible for protecting, along with their business function.

They gain visibility into these assets through external scanning to identify internet-facing assets, which are potentially higher risk; this is known as External Attack Surface Management (EASM). A complementary approach to cyber asset discovery that provides greater insight into the whole cyber estate uses API-based integrations with existing IT management and security tools to ingest asset data; this is known as Cyber Asset Attack Surface Management (CAASM). Together, they provide organizations with the asset visibility they need to drive security decisions.

Put simply, you cannot secure what you can’t see. Managing the attack surface requires asset discovery and visibility, combined with rich context from all tools in the environment.

Attack Surface Management vs. Asset Inventory

A common confusion among customers today is the belief that they already have elements of an ASM strategy in their current approach to asset inventory. This is typically based on an asset inventory system that IT is using for asset lifecycle management. A traditional asset inventory's view of the environment is almost entirely based on what it is able to discover on its own, and with an IT focus. These inventories are often agent-based, with limited integrations, so they are not able to take advantage of an organization's wide range of tools, which impairs their value.

Many asset inventories today can only discover assets where they have a deployed agent, such as an endpoint agent, or where the asset is tied to a domain controller. While these technologies are effective at making policy and configuration changes across their fleet of endpoints, they do not have a data aggregation and correlation engine that sees beyond the specific agent. Additionally, they have limited security insight and context, and can only provide a partial view of the attack surface unless the agent achieves 100% coverage.

That is not the reality in most organizations, and it is why one should not confuse asset inventories with Attack Surface Management; the latter is a much more effective approach to surfacing the best asset and security telemetry across your ecosystem. An Attack Surface Management solution ingests data from an IT asset inventory or management tool as one of many data sources to collate.
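The correlation step the post describes, as an added example that is not part of the original post or of any vendor product: records from an external scan (the EASM view) and from an endpoint-agent inventory (the kind of data a CAASM integration would ingest) are merged into one asset per host, and internet-facing assets with no agent or a stale agent are reported as coverage gaps. The record layouts, hostnames, IPs and the 30-day staleness threshold are constructed for illustration.

```python
"""Correlate EASM scan results with an agent-based inventory to find
internet-facing assets that the agent fleet does not cover.

Added example; the two input lists below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample: what an internet scan might report (EASM view).
EXTERNAL_SCAN = [
    {"host": "VPN.EXAMPLE.COM.", "ip": "203.0.113.10", "ports": [443]},
    {"host": "legacy-ftp.example.com", "ip": "203.0.113.22", "ports": [21]},
    {"host": "www.example.com", "ip": "203.0.113.5", "ports": [80, 443]},
]

# Constructed sample: what an endpoint-agent inventory knows (IT view).
AGENT_INVENTORY = [
    {"hostname": "vpn.example.com", "ip": "203.0.113.10", "agent_last_seen_days": 1, "owner": "netops"},
    {"hostname": "www.example.com", "ip": "203.0.113.5", "agent_last_seen_days": 45, "owner": "web"},
    {"hostname": "hr-db01.corp.example.com", "ip": "10.20.0.15", "agent_last_seen_days": 2, "owner": "hr"},
]

STALE_AFTER_DAYS = 30  # assumed threshold for "agent has gone quiet"


def normalize_host(name: str) -> str:
    """Lower-case and strip a trailing dot so DNS-style names match."""
    return name.strip().rstrip(".").lower()


@dataclass
class Asset:
    key: str
    hostnames: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    internet_facing: bool = False
    agent_last_seen_days: int | None = None
    owner: str | None = None
    open_ports: set = field(default_factory=set)


def correlate(external, agents) -> dict[str, Asset]:
    """Merge records into one Asset per host, keyed by normalized hostname
    and falling back to IP address when the names do not line up."""
    assets: dict[str, Asset] = {}
    by_ip: dict[str, str] = {}

    for rec in agents:
        key = normalize_host(rec["hostname"]) or rec["ip"]
        a = assets.setdefault(key, Asset(key=key))
        a.hostnames.add(key)
        a.ips.add(str(ip_address(rec["ip"])))
        by_ip[str(ip_address(rec["ip"]))] = key
        a.sources.add("agent")
        a.agent_last_seen_days = rec["agent_last_seen_days"]
        a.owner = rec["owner"]

    for rec in external:
        host = normalize_host(rec["host"])
        ip = str(ip_address(rec["ip"]))
        # Prefer a hostname match, then an IP match, else create a new asset.
        key = host if host in assets else by_ip.get(ip, host or ip)
        a = assets.setdefault(key, Asset(key=key))
        a.hostnames.add(host)
        a.ips.add(ip)
        a.sources.add("external_scan")
        a.internet_facing = True
        a.open_ports.update(rec["ports"])
    return assets


def coverage_gaps(assets: dict[str, Asset]) -> dict[str, str]:
    """Internet-facing assets with no agent at all, or with an agent that has
    not checked in within STALE_AFTER_DAYS."""
    gaps = {}
    for a in assets.values():
        if not a.internet_facing:
            continue
        if "agent" not in a.sources:
            gaps[a.key] = "no agent: possible shadow IT"
        elif a.agent_last_seen_days is not None and a.agent_last_seen_days > STALE_AFTER_DAYS:
            gaps[a.key] = f"agent stale ({a.agent_last_seen_days}d)"
    return gaps


if __name__ == "__main__":
    merged = correlate(EXTERNAL_SCAN, AGENT_INVENTORY)
    for key, reason in sorted(coverage_gaps(merged).items()):
        print(f"{key}: {reason}")
```

On the sample data the VPN host merges cleanly across both sources, the web server is flagged because its agent has not reported in 45 days, and the FTP host appears only in the external scan, which is exactly the "seen from the internet but unknown to IT" case the post calls shadow IT.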

The next blog in this series will look at the different components of an ASM program, and how they can be leveraged to improve security hygiene and reduce cyber risk.


Patch Tuesday - September 2024

Microsoft is addressing 79 vulnerabilities this September 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today; at time of writing, all four are listed on CISA KEV. Microsoft is also patching four critical remote code execution (RCE) vulnerabilities today. Unusually, Microsoft has not patched any browser vulnerabilities yet this month.

Servicing Stack: Windows 10 1507 rollback zero-day RCE

At first glance, the most concerning of today’s exploited-in-the-wild vulnerabilities is CVE-2024-43491, which describes a pre-auth RCE vulnerability caused by a regression in the Windows Servicing Stack that has rolled back fixes for a number of previous vulnerabilities affecting optional components.

The CVSSv3.1 base score is 9.8, which is typically not good news. However, things aren’t quite as bad as they seem: the key takeaway here is that only Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) is affected. Also, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven’t seen in-the-wild exploitation of CVE-2024-43491 itself, and the defect was discovered by Microsoft. All in all, while there are certainly more than a few organizations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else.

The Servicing Stack regression described by CVE-2024-43491 was introduced in the March 2024 patches. Those nostalgic few still running Windows 10 1507 should note that both the Servicing Stack update and the regular Windows OS patch released today are required, and must be applied in that order. Microsoft does not specify which vulnerabilities were accidentally unpatched back in March, although there is a significant list of affected optional components at the end of the FAQ, so the set of vulnerabilities in play is potentially quite long. Given time, an enthusiastic data miner could no doubt come up with a list of likely suspects.

Microsoft does also provide a high-level explanation of what went wrong: the build number of the March 2024 security patch for 1507 triggered a latent code defect in the Servicing Stack, and any optional component which was updated during this time was downgraded to the RTM version. This might sound eerily similar to the Windows OS downgrade attacks disclosed at Black Hat USA 2024 last month, but there’s not obviously any substantial connection between the two. It’s quite likely that someone at Microsoft HQ is carefully reviewing other Windows versions for similar version range-based flaws in the Servicing Stack.

Mark-of-the-Web: zero-day "LNK stomping" security feature bypass

The Mark-of-the-Web (MotW) security feature bypass CVE-2024-38217 is not only known to be exploited, but is also publicly disclosed via an extensive write-up which names the technique "LNK stomping" and highlights that exploitation will typically involve explorer.exe overwriting an existing LNK file. The write-up also links to exploit code on GitHub. Beyond that, the discoverer points to VirusTotal samples going back as far as 2018 to make the case that this has been abused for a very long time indeed.

As is generally the case with MotW bypass vulnerabilities, exploitation occurs when a user downloads and opens a specially-crafted malicious file, which could then bypass the SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.

Windows Installer: zero-day EoP

Next up in today’s foursome of exploited-in-the-wild vulnerabilities is CVE-2024-38014: an elevation of privilege vulnerability in Windows Installer. The middling CVSSv3.1 base score of 7.8 lines up with Microsoft’s severity assessment of Important rather than Critical. Exploitation grants code execution as SYSTEM, and although the attack vector is local, this might be at least slightly attractive to malware authors, since both attack complexity and privilege requirements are low, and no user interaction is required.

In this case, CWE-269: Improper Privilege Management presumably describes a means of causing the Windows Installer to be over-generous with the privileged access it requires to install software and configure the OS. All current versions of Windows receive a fix, as well as Server 2008, which Microsoft persists in patching from time to time out of the goodness of its heart, even if the end of official support was almost a year ago now.

Microsoft Publisher: zero-day macro policy bypass

It’s been a little while since we talked about Microsoft Publisher, so today’s publication of CVE-2024-38226 — a local security feature bypass for Office macro policy — gives us a chance to do that. The Preview Pane is not involved, and the description of exploit methodology in the FAQ is welcome, but somewhat unusual: an attacker must not only convince a user to download and open a malicious file, but the attacker must also be authenticated on the system itself, although the FAQ does not explain further.

Moving past those vulnerabilities which are known to be exploited or disclosed already, we see three critical RCE vulns: two in SharePoint, and one in the Windows NAT implementation.

SharePoint: two critical RCEs

Network-vector exploitation of SharePoint RCE CVE-2024-38018 requires that an attacker have Site Member permissions already, but since those aren’t exactly the crown jewels, attack complexity is low, and no user interaction is required, Microsoft very reasonably rates this as Critical on its own proprietary severity scale, and expects that exploitation is more likely.

The second SharePoint critical RCE patched this month is CVE-2024-43464, which describes a deserialization of untrusted data leading to code execution in the context of the SharePoint Server via specially-crafted API calls after uploading a malicious file; one mitigating factor is that the attacker must already have Site Owner permissions or better. This all sounds very similar to CVE-2024-30044, which Rapid7 wrote about back in May 2024.

Windows NAT: critical RCE

Rounding out this month’s critical RCE vulnerabilities is CVE-2024-38119, which describes a use after free flaw in the Windows NAT implementation. Attack vector is listed as adjacent, so an attacker would need an existing foothold on the same network as the target asset before winning a race condition, which bumps up the attack complexity to high. Even though this looks to be pre-auth RCE, Microsoft lists exploitation as less likely. For reasons unknown, Server 2012/2012 R2 does not receive a patch, although all newer supported versions of Windows do.

Exchange: nothing, still?

After a busy couple of months back in March and April 2024, it’s been all quiet on the Exchange front for quite some time, and this month extends that curiously lucky streak.

Microsoft lifecycle update

There are no significant changes to Microsoft product lifecycle during September 2024, although anyone responsible for Azure Database for MySQL - Single Server has until the sunset date of 2024-09-16 to migrate to a supported service to avoid involuntary forced migration and server unavailability.

As Rapid7 noted last month, Visual Studio for Mac received its last ever patches on 2024-08-31. Also on 2024-08-31, a number of legacy Azure services reached retirement, including Azure Cache for Redis on Cloud Services (Classic).

October will see significant lifecycle changes for Windows 11: release end date for the 21H2 versions of Windows 11 Enterprise and Education, as well as release end date for 22H2 versions for other Windows 11 editions. Fans of legacy software will already know that Server 2012 and 2012 R2 move into year two of the cash-for-updates Extended Security Update program in October.

Summary charts

Patch Tuesday - September 2024

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability | No | No | 9 |
| CVE-2024-43469 | Azure CycleCloud Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-38194 | Azure Web Apps Elevation of Privilege Vulnerability | No | No | 8.4 |
| CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability | No | No | 8.2 |
| CVE-2024-43470 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2024-38188 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | No | No | 7.1 |

ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43475 | Microsoft Windows Admin Center Information Disclosure Vulnerability | No | No | 7.3 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43455 | Windows Remote Desktop Licensing Service Spoofing Vulnerability | No | No | 8.8 |
| CVE-2024-38260 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | No | No | 8.8 |
| CVE-2024-38240 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2024-30073 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | No | No | 7.8 |
| CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2024-38249 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38247 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43467 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-38263 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-38239 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.2 |
| CVE-2024-43454 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2024-38230 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-38258 | Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-38231 | Windows Remote Desktop Licensing Service Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-38234 | Windows Networking Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-43487 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 6.5 |
| CVE-2024-38256 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability | Yes | Yes | 5.4 |

ESU Windows Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-38250 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-38225 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-43479 | Microsoft Power Automate Desktop Remote Code Execution Vulnerability | No | No | 8.5 |
| CVE-2024-43476 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-43463 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43492 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38226 | Microsoft Publisher Security Feature Bypass Vulnerability | Yes | No | 7.3 |
| CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 |
| CVE-2024-38227 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 |
| CVE-2024-38228 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 |
| CVE-2024-43466 | Microsoft SharePoint Server Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-43482 | Microsoft Outlook for iOS Information Disclosure Vulnerability | No | No | 6.5 |

SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-37338 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-37335 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-37340 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-37339 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-26186 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-26191 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-37965 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-37341 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-37980 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-43474 | Microsoft SQL Server Information Disclosure Vulnerability | No | No | 7.6 |
| CVE-2024-37966 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | No | No | 7.1 |
| CVE-2024-37337 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | No | No | 7.1 |
| CVE-2024-37342 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | No | No | 7.1 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability | Yes | No | 9.8 |
| CVE-2024-38259 | Microsoft Management Console Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-21416 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2024-38045 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2024-38252 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38253 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43457 | Windows Setup and Deployment Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38046 | PowerShell Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-43458 | Windows Networking Information Disclosure Vulnerability | No | No | 7.7 |
| CVE-2024-38232 | Windows Networking Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-38233 | Windows Networking Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-38257 | Microsoft AllJoyn API Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2024-43495 | Windows libarchive Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2024-38248 | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-38235 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-38254 | Windows Authentication Information Disclosure Vulnerability | No | No | 5.5 |
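A small triage helper for the summary tables above, as an added example that is not part of the original post: it parses each table row (whether in the flattened one-line form or a pipe-delimited one) into a record, classifies the impact from Microsoft's title wording, and ranks entries so that known exploitation and public disclosure outweigh raw CVSS, which is the ordering the post itself applies when it discusses the zero-days first. The sample rows are copied from the September 2024 tables; the weighting used to rank them is an assumption made for this example, not Microsoft's or Rapid7's.

```python
"""Parse Patch Tuesday summary-table rows and rank them for patch triage.

Added example, not code from the original post. SAMPLE_ROWS are copied
from the tables above; the triage weights are an illustrative assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Rows as they appear in the flattened tables (pipe-delimited rows also parse).
SAMPLE_ROWS = """
CVE-2024-43491 Microsoft Windows Update Remote Code Execution Vulnerability Yes No 9.8
CVE-2024-38217 Windows Mark of the Web Security Feature Bypass Vulnerability Yes Yes 5.4
CVE-2024-38014 Windows Installer Elevation of Privilege Vulnerability Yes No 7.8
CVE-2024-38226 Microsoft Publisher Security Feature Bypass Vulnerability Yes No 7.3
CVE-2024-38018 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-38119 Windows Network Address Translation (NAT) Remote Code Execution Vulnerability No No 7.5
CVE-2024-38256 Windows Kernel-Mode Driver Information Disclosure Vulnerability No No 5.5
""".strip().splitlines()

# CVE id, free-text title, two Yes/No columns, then the CVSS base score.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<disclosed>Yes|No)\s+(?P<score>\d+(?:\.\d+)?)$"
)


@dataclass
class Entry:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    cvss: float

    @property
    def impact(self) -> str:
        """Coarse impact class derived from Microsoft's title wording."""
        if "Remote Code Execution" in self.title:
            return "RCE"
        if "Elevation of Privilege" in self.title:
            return "EoP"
        if "Security Feature Bypass" in self.title:
            return "SFB"
        return "Other"


def parse_row(line: str) -> Entry | None:
    """Return an Entry for a data row, or None for headers and other text."""
    # Collapse pipe delimiters so a pipe table parses like the flattened text.
    cleaned = " ".join(p.strip() for p in line.strip().strip("|").split("|"))
    m = ROW_RE.match(cleaned)
    if not m:
        return None
    return Entry(
        cve=m["cve"],
        title=m["title"],
        exploited=m["exploited"] == "Yes",
        disclosed=m["disclosed"] == "Yes",
        cvss=float(m["score"]),
    )


def triage_score(e: Entry) -> float:
    """Assumed weighting: known exploitation dominates, then public disclosure,
    then CVSS breaks ties. Adjust the constants to your own risk model."""
    return e.cvss + (10.0 if e.exploited else 0.0) + (3.0 if e.disclosed else 0.0)


def rank(lines) -> list[Entry]:
    entries = [e for e in map(parse_row, lines) if e is not None]
    return sorted(entries, key=triage_score, reverse=True)


if __name__ == "__main__":
    for e in rank(SAMPLE_ROWS):
        flags = ("EXPLOITED " if e.exploited else "") + ("DISCLOSED" if e.disclosed else "")
        print(f"{triage_score(e):5.1f} {e.cve} {e.impact:5} {e.cvss:>4} {flags}")
```

With these weights the Servicing Stack RCE CVE-2024-43491 still leads, but the CVSS 5.4 Mark-of-the-Web bypass CVE-2024-38217 jumps ahead of the CVSS 8.8 SharePoint RCE because it is both exploited and publicly disclosed, which is the point of scoring on exploitation evidence rather than on base score alone.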

CVE-2024-40766: Critical Improper Access Control Vulnerability Affecting SonicWall Devices

On August 22, 2024, security firm SonicWall published an advisory on CVE-2024-40766, a critical improper access control vulnerability affecting SonicOS, the operating system that runs on the company’s physical and virtual firewalls. While CVE-2024-40766 was not known to be exploited in the wild at the time it was initially disclosed, the SonicWall advisory was later updated to note that “this vulnerability is potentially being exploited in the wild.”

As of September 9, 2024, Rapid7 is aware of several recent incidents (both external and Rapid7-observed) in which SonicWall SSLVPN accounts were targeted or compromised, including by ransomware groups; evidence linking CVE-2024-40766 to these incidents is still circumstantial, but given adversary interest in the software in general, Rapid7 strongly recommends remediating on an emergency basis. Vulnerabilities like CVE-2024-40766 are frequently used for initial access to victim environments.

SonicWall’s advisory indicates CVE-2024-40766 is an improper access control vulnerability “in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.” The vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV) on September 9, 2024.

Mitigation guidance

Per the vendor advisory, CVE-2024-40766 affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Affected versions and platforms include:

  • SOHO (Gen 5): 5.9.2.14-12o and older versions affected
  • Gen6 Firewalls: 6.5.4.14-109n and older versions affected (see the advisory for a full list of affected devices)
  • Gen7 Firewalls: SonicOS build version 7.0.1-5035 and older versions affected, but SonicWall recommends installing the latest firmware (see the advisory for a full list of affected devices)

SonicWall recommends restricting firewall management access to trusted sources and/or ensuring firewall WAN management is not accessible from the public internet. They similarly recommend that SSLVPN access is limited to trusted sources, and/or disabling SSLVPN access from the internet.

Rapid7 customers

Our InsightVM engineering team is investigating options for coverage of CVE-2024-40766. We will update this blog with further information no later than 10 AM ET on Tuesday, September 10.

Multiple Vulnerabilities in Veeam Backup & Replication

On Wednesday, September 4, 2024, backup and recovery software provider Veeam released their September security bulletin disclosing various vulnerabilities in Veeam products. One of the higher-severity vulnerabilities included in the bulletin is CVE-2024-40711, a critical unauthenticated remote code execution issue affecting Veeam’s popular Backup & Replication solution. Notably, upon initial disclosure, the Veeam advisory listed the CVSS score for CVE-2024-40711 as “high” rather than “critical” — as of Monday, September 9, however, the CVSS score is listed as 9.8, which confirms exploitation is fully unauthenticated.

Five other CVEs were also disclosed in Backup & Replication, including several that allow users who have been assigned low-privileged roles to alter multi-factor authentication (MFA) settings, achieve remote code execution as a service account, and extract sensitive data (e.g., credentials, passwords). Other vulnerabilities in the bulletin affect additional Veeam offerings — notably, there are also two critical vulnerabilities in Veeam Service Provider Console.

While CVE-2024-40711 has received attention from security media and community members, we are not aware of any known exploitation as of Monday, September 9, 2024. Veeam Backup & Replication has a large deployment footprint, however, and several previous vulnerabilities affecting the software have been exploited in the wild, including by ransomware groups. It is possible that one or more of these vulnerabilities may be used to facilitate extortion attacks. More than 20% of Rapid7 incident response cases in 2024 so far have involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.

Mitigation guidance

The following vulnerabilities affect Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds, per the vendor advisory:

  • CVE-2024-40711: Unauthenticated remote code execution (CVSS 9.8)
  • CVE-2024-40713: Allows a low-privileged user to alter MFA settings and bypass MFA (CVSS 8.8)
  • CVE-2024-40710: Covers multiple issues, per the advisory, including one that allows for remote code execution as the service account and enables extraction of saved credentials and passwords (CVSS 8.8)
  • CVE-2024-39718: Allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account (CVSS 8.1)
  • CVE-2024-40714: A vulnerability in TLS certificate validation allows an attacker on the same network to intercept sensitive credentials during restore operations (CVSS 8.3)
  • CVE-2024-40712: A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (CVSS 7.8)

Veeam Backup & Replication customers should update to the latest version of the software (12.2 build 12.2.0.334) immediately, without waiting for a regular patch cycle to occur. Unsupported software versions were not tested but, per the vendor, should be considered vulnerable.
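Both the SonicWall affected-version list above and the Veeam range in this section reduce to the same check: parse a device's reported version string and compare it against the newest affected (or first fixed) build. The example below is added here and is not vendor code. The parsing rule for SonicOS build strings (dot-separated release numbers, then a dash, a build number and an optional trailing letter) and the assumption that the first number of a SonicOS version identifies the hardware generation are this example's own; confirm both against the SonicWall advisory before relying on them. For Veeam, the version-12 ceiling 12.1.2.172 and the fix 12.2.0.334 are as quoted above, and pre-12 builds are treated as vulnerable per the vendor's note on unsupported versions.

```python
"""Affected-version checks for CVE-2024-40766 (SonicOS) and the September 2024
Veeam Backup & Replication CVEs, using the ranges quoted in the text.

Added example, not vendor code. Version-string parsing and the major-version
to generation mapping for SonicOS are assumptions made for this example."""
from __future__ import annotations
import re

# release digits, then optional "-<build><letter>" (e.g. 6.5.4.14-109n, 7.0.1-5035)
VERSION_RE = re.compile(r"^(?P<rel>\d+(?:\.\d+)*)(?:-(?P<build>\d+)(?P<suffix>[a-z])?)?$")


def parse_version(text: str) -> tuple:
    """Return (release tuple, build int, suffix str) so that tuple comparison
    orders versions the way the advisories list them (assumption for the
    letter suffix: a later letter is a later hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    rel = tuple(int(p) for p in m["rel"].split("."))
    build = int(m["build"]) if m["build"] else 0
    return (rel, build, m["suffix"] or "")


# Newest affected SonicOS build per generation, as quoted from the advisory.
# Assumption: the leading number of the version string identifies the generation.
SONICOS_AFFECTED_CEILING = {
    5: "5.9.2.14-12o",    # SOHO (Gen 5)
    6: "6.5.4.14-109n",   # Gen 6 firewalls
    7: "7.0.1-5035",      # Gen 7 firewalls
}


def sonicos_affected(version: str) -> bool:
    """True when the build is at or below the affected ceiling for its generation."""
    parsed = parse_version(version)
    ceiling = SONICOS_AFFECTED_CEILING.get(parsed[0][0])
    if ceiling is None:
        return False  # generation not covered by the advisory text quoted here
    return parsed <= parse_version(ceiling)


VEEAM_NEWEST_AFFECTED = "12.1.2.172"  # per the vendor advisory
VEEAM_FIXED = "12.2.0.334"            # version customers are told to update to


def veeam_affected(version: str) -> bool:
    """12.1.2.172 and all earlier version 12 builds are affected; unsupported
    pre-12 versions are treated as vulnerable, as the vendor advises. Any
    version-12 build below the fixed build is reported as needing the update
    (assumption: no interim fixed build exists between the two)."""
    parsed = parse_version(version)
    if parsed[0][0] < 12:
        return True
    return parsed < parse_version(VEEAM_FIXED)


if __name__ == "__main__":
    # Constructed sample versions, not real fleet data.
    for v in ["5.9.2.14-12o", "6.5.4.15-116n", "7.0.1-5035", "7.0.1-5036"]:
        print(f"SonicOS {v:14} affected={sonicos_affected(v)}")
    for v in ["11.0.1.1261", "12.1.2.172", "12.2.0.334"]:
        print(f"Veeam   {v:14} affected={veeam_affected(v)}")
```

The comparison is deliberately tuple-based rather than string-based: a naive string comparison would rank "7.0.1-5035" above "7.0.1-10000", which is the kind of off-by-a-digit mistake that leaves a patched-looking device on a vulnerable build.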

Other CVEs in Veeam’s September 4 security bulletin affect Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to the Veeam Backup & Replication CVEs listed in this blog with vulnerability checks expected to be available in today’s (Monday, September 9) content release.