Vulnerability Management – Page 4 – CyberSecurity Confabulation

Patch Tuesday – May 2024

Posted 10 months ago by Adam Barnett

Microsoft is addressing 61 vulnerabilities this May 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for three of the vulnerabilities published today. At time of writing, two of the vulnerabilities patched today are listed on CISA KEV. Microsoft is also patching a single critical remote code execution (RCE) vulnerability today. Six browser vulnerabilities were published separately this month, and are not included in the total.

Windows DWM: zero-day EoP

The first of today’s zero-day vulnerabilities is CVE-2024-30051, an elevation of privilege (EoP) vulnerability in the Windows Desktop Windows Manager (DWM) Core Library which is listed on the CISA KEV list. Successful exploitation grants SYSTEM privileges. First introduced as part of Windows Vista, DWM is responsible for drawing everything on the display of a Windows system.

Reporters Securelist have linked exploitation of CVE-2024-30051 with deployment of QakBot malware, and the vulnerability while investigating a partial proof-of-concept contained within an unusual file originally submitted to VirusTotal by an unknown party. Securelist further notes that the exploitation method for CVE-2024-30051 is identical to a previous DWM zero-day vulnerability CVE-2023-36033, which Microsoft patched back in November 2023.

Courtesy of Microsoft’s recent enhancement of their security advisories to include Common Weakness Enumeration (CWE) data, the mechanism of exploitation is listed as CVE-122: Heap-based Buffer Overflow, which is just the sort of defect which recent US federal government calls for memory safe software development are designed to address.

MSHTML: zero-day security feature bypass

The Windows MSHTML platform receives a patch for CVE-2024-30040, a security feature bypass vulnerability for which Microsoft has evidence of exploitation in the wild, and which CISA has also listed on KEV.

The advisory states that an attacker would have to convince a user to open a malicious file; successful exploitation bypasses COM/OLE protections in Microsoft 365 and Microsoft Office to achieve code execution in the context of the user.

As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable to CVE-2024-30040 — regardless of whether or not a Windows asset has Internet Explorer 11 fully disabled.

Visual Studio: zero-day DoS

Rounding out today’s trio of zero-day vulnerabilities: a denial of service (DoS) vulnerability in Visual Studio.

Microsoft describes CVE-2024-30046 as requiring a highly complex attack to win a race condition through “[the investment of] time in repeated exploitation attempts through sending constant or intermittent data”. Since all data sent anywhere is transmitted either constantly or intermittently, and the rest of the advisory is short on detail, the potential impact of exploitation remains unclear.

Only Visual Studio 2022 receives an update, so older supported versions of Visual Studio are presumably unaffected.

SharePoint: critical post-auth RCE

SharePoint admins are no strangers to patches for critical RCE vulnerabilities. CVE-2024-30044 allows an authenticated attacker with Site Owner permissions or higher to achieve code execution in the context of SharePoint Server via upload of a specially crafted file, followed by specific API calls to trigger deserialization of the file’s parameters.

Microsoft considers exploitation of CVE-2024-30044 more likely, and the low attack complexity and network attack contribute to a relatively high CVSS 3.1 base score of 8.8. The advisory also lists the privileges required vector component as low, which is debatable given the Site Owner authentication requirement for exploitation.

Microsoft has previously published an accessible introduction to deserialization vulnerabilities and the risks of assuming data to be trustworthy, aimed at .NET developers.

Excel: arbitrary code execution

Microsoft Excel receives a patch for CVE-2024-30042. Successful exploitation requires that an attacker convince the user to open a malicious file, which leads to code execution, presumably in the context of the user.

Remote Access Connection Manager: last month’s vulns repatched

Also of interest today: Microsoft is releasing updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft states that an unspecified regression introduced by the April patches is resolved by installation of the May patches.

Mobile Broadband driver: 11 local USB RCEs

The Windows Mobile Broadband driver receives patches for no fewer than 11 vulnerabilities; for example, CVE-2024-29997. All 11 vulnerabilities appear very similar based on the advisories. In each case, the relatively low CVSS base score of 6.8 reflects that an attacker must be physically present and insert a malicious USB device into the target host.

Third-party open source patches

Back in 2021, Microsoft started publishing the Assigning CNA (CVE Numbering Authority) field on advisories. A welcome trend of publishing advisories for third-party software included in Microsoft products continues this month with two vulnerabilities in MinGit patched as part of the May 2024 Windows security updates. MinGit is published by GitHub and consumed by Visual Studio. CVE-2024-32002 describes a RCE vulnerability on case-insensitive filesystems that support symlinks — macOS APFS comes to mind — and CVE-2024-32004 describes RCE while cloning specially-crafted local repositories.

Lifecycle update

There are no significant changes to the lifecycle phase of Microsoft products this month.

Summary Charts

Summary Tables

Apps vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30059	Microsoft Intune for Android Mobile Application Management Tampering Vulnerability	No	No	6.1
CVE-2024-30041	Microsoft Bing Search Spoofing Vulnerability	No	No	5.4

Azure vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30053	Azure Migrate Cross-Site Scripting Vulnerability	No	No	6.5

Browser vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30055	Microsoft Edge (Chromium-based) Spoofing Vulnerability	No	No	5.4
CVE-2024-4671	Chromium: CVE-2024-4671 Use after free in Visuals	No	No	N/A
CVE-2024-4559	Chromium: CVE-2024-4559 Heap buffer overflow in WebAudio	No	No	N/A
CVE-2024-4558	Chromium: CVE-2024-4558 Use after free in ANGLE	No	No	N/A
CVE-2024-4368	Chromium: CVE-2024-4368 Use after free in Dawn	No	No	N/A
CVE-2024-4331	Chromium: CVE-2024-4331 Use after free in Picture In Picture	No	No	N/A

Developer Tools vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-32002	CVE-2024-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution	No	No	9
CVE-2024-32004	GitHub: CVE-2024-32004 Remote Code Execution while cloning special-crafted local repositories	No	No	8.1
CVE-2024-30045	.NET and Visual Studio Remote Code Execution Vulnerability	No	No	6.3
CVE-2024-30046	Visual Studio Denial of Service Vulnerability	No	Yes	5.9

ESU vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30030	Win32k Elevation of Privilege Vulnerability	No	No	7.8

ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30009	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	8.8
CVE-2024-30010	Windows Hyper-V Remote Code Execution Vulnerability	No	No	8.8
CVE-2024-30006	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2024-30020	Windows Cryptographic Services Remote Code Execution Vulnerability	No	No	8.1
CVE-2024-30049	Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-29996	Windows Common Log File System Driver Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30025	Windows Common Log File System Driver Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30031	Windows CNG Key Isolation Service Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30028	Win32k Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30038	Win32k Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30027	NTFS Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30014	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	7.5
CVE-2024-30015	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	7.5
CVE-2024-30022	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	7.5
CVE-2024-30023	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	7.5
CVE-2024-30024	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	7.5
CVE-2024-30029	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	No	No	7.5
CVE-2024-30037	Windows Common Log File System Driver Elevation of Privilege Vulnerability	No	No	7.5
CVE-2024-30011	Windows Hyper-V Denial of Service Vulnerability	No	No	6.5
CVE-2024-30036	Windows Deployment Services Information Disclosure Vulnerability	No	No	6.5
CVE-2024-30019	DHCP Server Service Denial of Service Vulnerability	No	No	6.5
CVE-2024-30039	Windows Remote Access Connection Manager Information Disclosure Vulnerability	No	No	5.5
CVE-2024-30016	Windows Cryptographic Services Information Disclosure Vulnerability	No	No	5.5
CVE-2024-30050	Windows Mark of the Web Security Feature Bypass Vulnerability	No	No	5.4

Microsoft Dynamics vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30047	Dynamics 365 Customer Insights Spoofing Vulnerability	No	No	7.6
CVE-2024-30048	Dynamics 365 Customer Insights Spoofing Vulnerability	No	No	7.6

Microsoft Office vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30044	Microsoft SharePoint Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2024-30042	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2024-30043	Microsoft SharePoint Server Information Disclosure Vulnerability	No	No	6.5

SQL Server vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30054	Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability	No	No	6.5

Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2024-30040	Windows MSHTML Platform Security Feature Bypass Vulnerability	Yes	No	8.8
CVE-2024-30017	Windows Hyper-V Remote Code Execution Vulnerability	No	No	8.8
CVE-2024-30007	Microsoft Brokering File System Elevation of Privilege Vulnerability	No	No	8.8
CVE-2024-30018	Windows Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30051	Windows DWM Core Library Elevation of Privilege Vulnerability	Yes	Yes	7.8
CVE-2024-30032	Windows DWM Core Library Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30035	Windows DWM Core Library Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-29994	Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-26238	Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability	No	No	7.8
CVE-2024-30033	Windows Search Service Elevation of Privilege Vulnerability	No	No	7
CVE-2024-29997	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-29998	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-29999	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30000	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30001	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30002	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30003	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30004	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30005	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30012	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30021	Windows Mobile Broadband Driver Remote Code Execution Vulnerability	No	No	6.8
CVE-2024-30008	Windows DWM Core Library Information Disclosure Vulnerability	No	No	5.5
CVE-2024-30034	Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability	No	No	5.5

Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise

Posted 11 months ago by Caitlin Condon

On Friday, April 19, 2024, managed file transfer vendor CrushFTP released information to a private mailing list on a new zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions) across all platforms. No CVE was assigned by the vendor, but a third-party CVE Numbering Authority (CNA) assigned CVE-2024-4040 as of Monday, April 22. According to a public-facing vendor advisory, the vulnerability is ostensibly a VFS sandbox escape in CrushFTP managed file transfer software that allows “remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.”

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI). CVE-2024-4040 was exploited in the wild as a zero-day vulnerability, per private customer communications from the vendor and a public Reddit post from security firm CrowdStrike. Using a query that looks for a specific JavaScript file in the web interface, there appear to be roughly 5,200 instances of CrushFTP exposed to the public internet.

Mitigation guidance

According to the advisory, CrushFTP versions below 11.1 are vulnerable to CVE-2024-4040. The following versions of CrushFTP are vulnerable as of April 22, 2024:

All legacy CrushFTP 9 installations
CrushFTP 10 before v10.7.1
CrushFTP 11 before v11.1.0

The vulnerability has been patched in version 11.1.0 for the 11.x version stream, and in version 10.7.1 for the 10.x version stream. The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance, particularly given our team’s findings on the true impact of the issue, and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.

While the vendor guidance as of April 22 says that “customers using a DMZ in front of their main CrushFTP instance are partially protected,” it’s unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a DMZ as a mitigation strategy.

CrushFTP customers can harden their servers against administrator-level remote code execution attacks by enabling Limited Server mode with the most restrictive configuration possible. Organizations should also use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

Rapid7 customers

A vulnerability check for InsightVM and Nexpose customers is in development and expected to be available in either today’s (Tuesday, April 23) or tomorrow's (Wednesday, April 24) content release.

CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

Posted 11 months ago by Caitlin Condon

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.

Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability their highest urgency rating.

Mitigation guidance

CVE-2024-3400 is unpatched as of Friday, April 12 and affects the following versions of PAN-OS when GlobalProtect gateway and device telemetry are enabled:

PAN-OS 11.1 (before 11.1.2-h3)
PAN-OS 11.0 (before 11.0.4-h1)
PAN-OS 10.2 (before 10.2.9-h1)

Palo Alto Networks’ Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0). For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.

The company has indicated that hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 will be released by April 14, along with hotfixes for “all later PAN-OS versions.”

Rapid7 recommends applying one of the below vendor-provided mitigations immediately:

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information here.
Those unable to apply the Threat Prevention mitigation can mitigate by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

Rapid7 customers

Authenticated vulnerability checks are expected to be available to InsightVM and Nexpose customers in today’s (Friday, April 12) content release.

Per the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.

Patch Tuesday – April 2024

Posted 11 months ago by Adam Barnett

Microsoft is addressing 149 vulnerabilities this April 2024 Patch Tuesday, which is significantly more than usual. For the second month in a row, Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing.

Despite the large number of vulnerabilities published today, Microsoft has ranked only three as critical under its proprietary severity scale. Five browser vulnerabilities were published separately this month, and are not included in the total.

Microsoft is now including two additional data points on advisories: Common Weakness Enumeration (CWE) and Vector String Source assessments.

Defender for IoT: three critical RCEs

Microsoft Defender for IoT receives patches for three critical remote code execution (RCE) vulnerabilities. Microsoft describes Defender for IoT as an Azure-deployable agentless monitoring solution for Internet of Things (IoT) and Operational Technology (OT) devices.

The advisory for CVE-2024-21322 is light on detail, but notes that exploitation requires the attacker to have existing administrative access to the Defender for IoT web application; this limits the attacker value in isolation, although the potential for insider threat or use as part of an exploit chain remains.

CVE-2024-21323 describes an update-based attack and requires prior authentication; an attacker with the ability to control how a Defender for IoT sensor receives updates could cause the sensor device to apply a malicious update package, overwriting arbitrary files on the sensor filesystem via a path traversal weakness.

Exploitation of CVE-2024-29053 allows arbitrary file upload for any authenticated user, also via a path traversal weakness, although the advisory does not specify what the target is other than “the server”.

The Defender for IoT 24.1.3 release notes do not call out these security fixes and describe only improvements to clock drift detection and unspecified stability improvements; this omission highlights the evergreen value of timely patching.

SharePoint: XSS spoofing

SharePoint receives a patch for CVE-2024-26251, a spoofing vulnerability which abuses cross-site scripting (XSS) and affects SharePoint Server 2016, 2019, and Subscription Edition. Exploitation requires multiple conditions to be met, including but not limited to a reliance on user actions, token impersonation, and specific application configuration. On that basis, although Microsoft is in possession of mature exploit code, exploitation is rated less likely.

Excel: arbitrary file execution

Microsoft is patching a single Office vulnerability today. CVE-2024-26257 describes a RCE vulnerability in Excel; exploitation requires that the attacker convinces the user to open a specially-crafted malicious file.

Patches for Windows-based click-to-run (C2R) Office deployments and Microsoft 365 Apps for Enterprise are available immediately. Not for the first time, a patch for Office for Mac is unavailable at time of writing, and will follow at some unspecified point in the future.

SQL Server OLE DB driver: dozens of RCE

The Microsoft OLE DB Driver for SQL Server receives patches for no fewer than 38 separate RCE vulnerabilities today, which might be a record for a single component. The common theme here is that an attacker could trick a user into connecting to a malicious SQL server to achieve code execution in the context of the client.

All quiet on the Exchange front

There are no security patches for Exchange this month.

Microsoft advisory metadata: CWE and Vector String Source

The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability; e.g., CVE-2024-21322 is assigned “CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').” By embracing CWE taxonomy, Microsoft is moving away from its own proprietary system to describe root cause. The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause.

Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment. At time of writing, the addition of CWE assessments does not appear to be retroactive.

The Common Vulnerability Scoring System (CVSS) is a widely-used standard for evaluation of vulnerability severity, and Microsoft has helpfully provided CVSS data for each vulnerability for a long time. The CVSS vector describes the variables which comprise the overall CVSS severity score for a vulnerability. The addition of Vector String Source — typically, the entity providing the CVSS assessment on a Microsoft vulnerability will be Microsoft — provides further welcome clarity, at least for vulnerabilities where Microsoft is the CVE Numbering Authority (CNA). It may not be a coincidence that Microsoft is choosing to start explicitly describing the source of the CVSS vector during the ongoing uncertainty around the future of the NVD program.