Patch Tuesday round-up, September 2024

Microsoft is addressing 79 vulnerabilities this September 2024 Patch Tuesday.

Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today (11 September); at the time of writing, all four are listed on CISA KEV. Microsoft is also patching four critical remote code execution (RCE) vulnerabilities today. Unusually, Microsoft has not patched any browser vulnerabilities yet this month.

At first glance, the most concerning of today’s exploited-in-the-wild vulnerabilities is CVE-2024-43491, which describes a pre-auth RCE vulnerability caused by a regression in the Windows Servicing Stack that has rolled back fixes for a number of previous vulnerabilities affecting optional components. The CVSSv3.1 base score is 9.8, which is typically not good news. However, things aren’t quite as bad as they seem: the key takeaway here is that only Windows 10 version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) is affected. Also, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven’t seen in-the-wild exploitation of CVE-2024-43491 itself, and the defect was discovered by Microsoft. All in all, while there are certainly more than a few organisations out there still running Windows 10 version 1507, most admins can breathe a sigh of relief on this one and then go back to worrying about everything else.

The Servicing Stack regression described by CVE-2024-43491 was introduced in the March 2024 patches. Those nostalgic few still running Windows 10 version 1507 should note that patches are required for both Servicing Stack and the regular Windows OS patch released today and must be applied in that order. Microsoft does not specify which vulnerabilities were accidentally unpatched back in March, although there is a significant list of affected optional components at the end of the FAQ, so potentially, the set of vulnerabilities in play is quite long. Given time, an enthusiastic data miner could no doubt come up with a list of likely suspects. Microsoft also provided a high-level explanation of what went wrong: the build number of the March 2024 security patch for 1507 triggered a latent code defect in the Servicing Stack, and any optional component that was updated during this time was downgraded to the RTM version. This might sound eerily similar to the Windows OS downgrade attacks disclosed at Black Hat USA 2024 last month, but there’s not obviously any substantial connection between the two. It’s quite likely that someone at Microsoft HQ is carefully reviewing other Windows versions for similar version range-based flaws in the Servicing Stack.

The Mark-of-the-Web (MotW) security feature bypass CVE-2024-38217 is not only known to be exploited but is also publicly disclosed via an extensive write-up, with exploit code also available on GitHub. Beyond that, the discoverer points to VirusTotal samples going back as far as 2018 to make the case that this has been abused for a very long time indeed. As is generally the case with MotW bypass vulnerabilities, exploitation occurs when a user downloads and opens a specially crafted malicious file, which could then bypass the SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.

Next up in today’s foursome of exploited-in-the-wild vulnerabilities is CVE-2024-38014: an elevation of privilege vulnerability in Windows Installer. The middling CVSSv3.1 base score of 7.8 lines up with Microsoft’s severity assessment of important rather than critical. Exploitation grants code execution as SYSTEM, and although the attack vector is local, this might be at least slightly attractive to malware authors since both attack complexity and privilege requirements are low, and no user interaction is required. In this case, CWE-269: Improper Privilege Management presumably describes a means of causing the Windows Installer to be over-generous with the privileged access it requires to install software and configure the OS. All current versions of Windows receive a fix, as well as Server 2008, which Microsoft persists in patching from time to time out of the goodness of its heart, even if the end of official support was almost a year ago now.

It’s been a little while since we talked about Microsoft Publisher, so today’s publication of CVE-2024-38226 – a local security feature bypass for Office macro policy – gives us a chance to do that. The Preview Pane is not involved, and the description of exploit methodology in the FAQ is welcome, but somewhat unusual: an attacker must not only convince a user to download and open a malicious file, but the attacker must also be authenticated on the system itself, although the FAQ does not explain further.

Moving past those vulnerabilities that are known to be exploited or disclosed already, we see three critical RCE vulnerabilities: two in SharePoint and one in the Windows NAT implementation.

VIEW ALL

Network-vector exploitation of SharePoint RCE CVE-2024-38018 requires that an attacker have Site Member permissions already, but since those aren’t exactly the crown jewels, attack complexity is low, and no user interaction is required, Microsoft very reasonably rates this as critical on its own proprietary severity scale, and expects that exploitation is more likely.

The second SharePoint critical RCE patched this month is CVE-2024-43464, which describes a deserialisation of untrusted data leading to code execution in the context of the SharePoint Server via specially crafted API calls after uploading a malicious file; one mitigating factor is that the attacker must already have Site Owner permissions or better. This all sounds very similar to CVE-2024-30044, which Rapid7 wrote about back in May 2024.

Rounding out this month’s critical RCE vulnerabilities is CVE-2024-38119, which describes a use-after-free flaw in the Windows NAT implementation. Attack vector is listed as adjacent, so an attacker would need an existing foothold on the same network as the target asset before winning a race condition, which bumps up the attack complexity to high. Even though this looks to be pre-auth RCE, Microsoft lists exploitation as less likely. For reasons unknown, Server 2012/2012 R2 does not receive a patch, although all newer supported versions of Windows do.

After a busy couple of months back in March and April 2024, it’s been all quiet on the Exchange front for quite some time, and this month extends that curiously lucky streak.

There are no significant changes to Microsoft product life cycle during September 2024, although anyone responsible for Azure Database for MySQL - Single Server has until the sunset date of 16 September 2024 to migrate to a supported service to avoid involuntary forced migration and server unavailability. As Rapid7 noted last month, Visual Studio for Mac received its last-ever patches on 31 August 2024. Also, on 31 August 2024, a number of legacy Azure services reached retirement, including Azure Cache for Redis on Cloud Services (Classic). October will see significant life cycle changes for Windows 11: release end date for the 21H2 versions of Windows 11 Enterprise and Education, as well as release end date for 22H2 versions for other Windows 11 editions. Fans of legacy software will already know that Server 2012 and 2012 R2 move into year two of the cash-for-updates Extended Security Update program in October.