Satnam Narang, senior staff research engineer at security firm Tenable, said Microsoft had not patched any zero-day vulnerabilities exploited in the wild this month.
He added that Microsoft Patch Tuesday releases typically skewed towards remote code execution vulnerabilities.
“In 2023, remote code execution flaws accounted for over one-third (35.1%) of all CVEs patched,” Narang noted. “However, this Patch Tuesday release was dominated by elevation of privilege flaws, accounting for nearly half of the CVEs patched (49%).”
He said Microsoft had patched CVE-2024-30089, an elevation of privilege flaw in the Microsoft Streaming Service. “Like many of the elevation of privilege flaws patched as part of Patch Tuesday, Microsoft labelled this one as ‘Exploitation More Likely’,” he added.
Narang pointed out that these types of flaws were notoriously useful for cyber criminals seeking to elevate privileges on a compromised system.
“When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat actors or as part of targeted attacks,” he elaborated.
“This vulnerability was disclosed to Microsoft by the same security researcher who disclosed CVE-2023-36802, another Microsoft Streaming Service elevation of privilege flaw, which was patched in the September 2023 Patch Tuesday.
“Curiously, that flaw was disclosed by the researcher, but it was Microsoft themselves that noted it as being exploited in the wild. Another Microsoft Streaming Service flaw was patched this month (CVE-2024-30090), but unlike CVE-2024-30089, this one is labelled as ‘Exploitation Less Likely’.”
Mike Walters, president and co-founder of patch management software vendor Action1, said Microsoft had also patched a critical vulnerability in Microsoft Message Queuing, which could permit remote code execution.
“This issue (CVE-2024-30080) stems from a Use After Free (CWE-416) flaw and is assigned a CVSS score of 9.8, indicating an extremely high severity level,” he said.
“The vulnerability is accessible through the network with low attack complexity, requires no privileges, and no user interaction, with the scope of the vulnerability remaining unchanged. However, it carries high impacts on confidentiality, integrity, and availability.
“An attacker could exploit this vulnerability by sending a specially crafted malicious MSMQ packet to a server, potentially resulting in remote code execution on that server. While no exploit code or proof-of-concept for this vulnerability has been verified, the likelihood of exploitation is considered high.
“The affected component, Windows Message Queuing Service, must be enabled for the vulnerability to be exploitable. This service can be added via the Control Panel. To check vulnerability, confirm whether the ‘Message Queuing’ service is running and if TCP port 1801 is open on the system.”
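The two checks described in that quote can be scripted for a host inventory. The sketch below is an added example, not code from Action1 or Microsoft: it assumes the service's short name is MSMQ, English-locale `sc query` output, and uses a constructed sample of that output.

```python
import socket
import subprocess

MSMQ_PORT = 1801  # TCP port named in the quoted advice


def service_state(sc_output: str) -> str:
    """Extract the STATE word from `sc query` text; ABSENT if there is none."""
    for line in sc_output.splitlines():
        parts = line.split()
        # English-locale line looks like: "STATE : 4  RUNNING"
        if len(parts) >= 4 and parts[0] == "STATE" and parts[1] == ":":
            return parts[3]
    return "ABSENT"  # e.g. error 1060: service not installed


def port_listening(host: str, port: int = MSMQ_PORT, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def assess(state: str, listening: bool) -> str:
    """Combine both checks into one finding for a patch ticket."""
    if state == "RUNNING" and listening:
        return "EXPOSED"       # both conditions from the quote hold
    if state == "RUNNING" or listening:
        return "INVESTIGATE"   # the two checks disagree
    if state == "ABSENT":
        return "NOT_INSTALLED"
    return "INSTALLED_NOT_RUNNING"


# Constructed sample of `sc query MSMQ` output, for reading and for tests.
SAMPLE_RUNNING = """SERVICE_NAME: MSMQ
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""

if __name__ == "__main__":
    # Run on the Windows host being checked.
    out = subprocess.run(["sc", "query", "MSMQ"], capture_output=True, text=True).stdout
    print(assess(service_state(out), port_listening("127.0.0.1")))
```

An INVESTIGATE result means the service and port checks disagree, for example another process listening on 1801 or MSMQ running behind a host firewall rule.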
Walters said another vulnerability of note was an RCE in Microsoft Office (CVE-2024-30101). “This important vulnerability in Microsoft Office permits remote code execution and is associated with a Use After Free (CWE-416) flaw, earning a CVSS score of 7.5, which is considerably high,” he elaborated.
“It presents a network attack vector and high attack complexity, requires no privileges but necessitates user interaction. The vulnerability’s scope remains unchanged, yet it poses high impacts on confidentiality, integrity, and availability.
“An attacker could exploit this by sending a malicious email to a user with an affected version of Microsoft Outlook. To trigger the vulnerability, the user must open the email and engage in specific actions.
“While no exploit code or proof-of-concept is verified and the likelihood of exploitation is considered low, successful exploitation depends on the attacker winning a race condition. The Preview Pane is a potential attack vector, though further user interaction is needed.”
Adam Barnett, lead software engineer at security firm Rapid7, said Microsoft had issued a patch for SharePoint RCE CVE-2024-30100. “The advisory is sparing on details, and the context of code exploitation is not clear,” he noted. “The weakness is described as CWE-426: Untrusted Search Path; many (but not all) vulnerabilities associated with CWE-426 lead to elevation of privilege.”
He highlighted CVE-2023-50868, which describes a denial of service vulnerability in DNSSEC. “This vulnerability is present in the DNSSEC spec itself, and the CVE was assigned by MITRE on behalf of DNSSEC,” Barnett explained. “Microsoft’s implementation of DNSSEC is thus subject to the same attack as other implementations.
“An attacker can exhaust CPU resources on a DNSSEC-validating DNS resolver by demanding responses from a DNSSEC-signed zone, if the resolver uses NSEC3 to respond to the request. NSEC3 is designed to provide a safe way for a DNSSEC-validating DNS resolver to indicate that a requested resource does not exist.
“Under certain circumstances, the DNS resolver must perform thousands of iterations of a hash function to calculate an NSEC3 response, and this is the foundation on which this DoS exploit rests. All current versions of Windows Server receive a patch today.
“Typically, when Microsoft publishes a security advisory and describes the vulnerability as publicly disclosed, that public disclosure would have been recent. However, in the case of CVE-2023-50868, the flaw in DNSSEC was first publicly disclosed on 2024-02-13. The advisory acknowledges four academics from the German National Research Centre for Applied Cybersecurity (ATHENE), which is perhaps of interest since these same researchers are authors on a March 2024 academic paper that downplays the DoS potential of CVE-2024-50868.
“Those same researchers published another DNSSEC flaw CVE-2023-50387 (also known as KeyTrap) in January 2024, which they describe as having potentially serious implications; Microsoft patched that one at the next scheduled opportunity in February.
“The CVE-2023-50868 advisory published today does not provide further insight as to why this vulnerability wasn’t patched sooner; a reasonable assumption might be that Microsoft assesses CVE-2023-50868 as less urgent/critical than CVE-2023-50387, although both receive a rating of Important on Microsoft’s proprietary severity ranking scale. It’s also possible that Microsoft does not wish to be the only major server OS vendor without a patch.”