
ION Advisory: August 2024 Patch Tuesday

Microsoft's August 2024 update consists of 92 patches for Microsoft products. Of these, 9 vulnerabilities are rated Critical, 6 are being actively exploited, and 3 rated Important were publicly disclosed before the patch was available.

Critical Vulnerabilities

The following vulnerabilities have been rated critical but have not yet been actively exploited or publicly disclosed.

  • CVE-2024-38140 – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
  • CVE-2024-38063 – Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2024-38109 – Azure Health Bot Elevation of Privilege Vulnerability
  • CVE-2024-38206 – Microsoft Copilot Studio Information Disclosure Vulnerability
  • CVE-2024-38166 – Microsoft Dynamics 365 Cross-site Scripting Vulnerability
  • CVE-2022-3775 – Red Hat: grub2 heap-based out-of-bounds write when rendering certain Unicode sequences
  • CVE-2023-40547 – Red Hat: shim RCE in HTTP boot support may lead to Secure Boot bypass
  • CVE-2024-38159 & CVE-2024-38160 – Windows Network Virtualisation Remote Code Execution Vulnerability

Noteworthy: With CVE-2024-38063 – Windows TCP/IP Remote Code Execution Vulnerability, an unauthenticated attacker could repeatedly send specially crafted IPv6 packets to a Windows machine, which could enable remote code execution without any user interaction. Systems are not affected if IPv6 is disabled on the target machine; since IPv6 is enabled by default on supported Windows versions, patching rather than disabling IPv6 is the durable fix.

Additionally, with CVE-2024-38140 – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability, an unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to an open Windows Pragmatic General Multicast (PGM) socket on the server, without any interaction from the user. However, the vulnerability is exploitable only if a program is listening on a PGM port: if PGM is installed or enabled but no program is actively listening as a receiver, the vulnerability is not exploitable.
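The two exposure conditions above (IPv6 bound, PGM driver present) can be checked on a host before the update lands. The following script is an added example and is not part of the Ontinue advisory. It assumes the standard `ms_tcpip6` binding component, the documented `DisabledComponents` registry value, the `RMCAST` driver name for rmcast.sys, and the DISM feature name `MSMQ-Multicasting` for the optional feature that ships PGM on client SKUs (the Server feature name is an assumption).

```powershell
# Added example, not from the Ontinue advisory: audit the two exposure conditions
# called out above on the local host.
#   CVE-2024-38063 - is IPv6 bound on any adapter, or disabled host-wide via DisabledComponents?
#   CVE-2024-38140 - is the RMCAST (PGM) kernel driver installed and running?
# Run in an elevated PowerShell 5.1+ session on Windows.

function Get-Ipv6Exposure {
    # ms_tcpip6 is the component ID of the IPv6 protocol binding on each adapter.
    $bindings = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue)
    $enabled  = @($bindings | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name)

    # DisabledComponents = 0xFF disables IPv6 on all interfaces per Microsoft's
    # IPv6 configuration guidance; any other value leaves the stack reachable.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $dc) { $dc = 0 }

    [pscustomobject]@{
        AdaptersWithIpv6   = $enabled
        DisabledComponents = ('0x{0:X}' -f $dc)
        Ipv6Reachable      = (($enabled.Count -gt 0) -and (($dc -band 0xFF) -ne 0xFF))
    }
}

function Get-PgmExposure {
    # PGM is implemented by the RMCAST kernel driver (rmcast.sys). Kernel drivers are
    # not returned by Get-Service, so query Win32_SystemDriver instead.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    # On client SKUs the driver arrives with the MSMQ Multicasting optional feature.
    # Assumption: the DISM feature name MSMQ-Multicasting is valid on this SKU.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicasting -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DriverInstalled = ($null -ne $drv)
        DriverState     = if ($drv) { $drv.State } else { 'Not installed' }
        MsmqMulticast   = if ($feat) { [string]$feat.State } else { 'Unknown' }
    }
}

$ipv6 = Get-Ipv6Exposure
$pgm  = Get-PgmExposure
$ipv6 | Format-List
$pgm  | Format-List

if ($ipv6.Ipv6Reachable) {
    Write-Warning 'IPv6 is bound: host is in scope for CVE-2024-38063 until the August 2024 update is installed.'
    # Per-adapter mitigation, only where IPv6 is genuinely unused:
    #   Disable-NetAdapterBinding -Name '<adapter name>' -ComponentID ms_tcpip6
}
if ($pgm.DriverInstalled -and $pgm.DriverState -eq 'Running') {
    Write-Warning 'RMCAST driver is running: unless you can confirm no PGM receiver is open, treat the host as in scope for CVE-2024-38140.'
}
```

PGM sockets use IP protocol 113 rather than TCP or UDP, so they do not appear in a `netstat -an` listing; the script therefore treats a loaded RMCAST driver as the conservative indicator and leaves the "is anything actually receiving" question to the application owner. Disabling IPv6 is a stop-gap that can break services that expect it, which is why the script only reports and leaves the `Disable-NetAdapterBinding` call as a comment.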

Actively exploited, not publicly disclosed:

With the exception of CVE-2024-38213, the following vulnerabilities are rated as ‘Important’ based on their CVSS score.

  • CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability
    • Exploitation requires two security controls to be weakened before an attacker can execute code on the victim's machine: the target must be allowed to run macros in files downloaded from the internet, with the "Block macros from running in Office files from the Internet" policy disabled, and the attacker must still convince the victim to open a malicious Project file.
  • CVE-2024-38178 – Scripting Engine Memory Corruption Vulnerability
    • Attack complexity is high: it requires the victim to be using Microsoft Edge in Internet Explorer Mode and to be convinced to click a malicious link.
  • CVE-2024-38193 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
    • This attack can allow a threat actor to gain SYSTEM privileges.
  • CVE-2024-38106 – Windows Kernel Elevation of Privilege Vulnerability
    • Microsoft states that "Successful exploitation of this vulnerability requires an attacker to win a race condition", but has yet to provide further details.
  • CVE-2024-38213 – Windows Mark of the Web Security Feature Bypass Vulnerability (Microsoft severity: Moderate)
    • Allows an attacker to bypass the SmartScreen protection that Mark of the Web triggers. User interaction is still required, as the victim must open the malicious file.
  • CVE-2024-38107 – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
    • An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. No further details.
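The preconditions Microsoft attaches to CVE-2024-38189 (Project macro policy) and the Mark of the Web dependency behind CVE-2024-38213 are both things a defender can verify on an endpoint. The script below is an added example and is not code from the Ontinue advisory or from Microsoft. It assumes the Office 2016+ policy layout under `...\Office\16.0\`, that `ms project` is the Project application subkey used by the Office ADMX templates, and that the user-scope policy hive (HKCU) is where the relevant settings land; it also constructs its own sample file so it runs without a real download.

```powershell
# Added example, not from the Ontinue advisory: check the macro-policy preconditions
# for CVE-2024-38189 and verify that a downloaded file still carries the Mark of the Web
# that SmartScreen relies on (CVE-2024-38213).
# Assumptions: Office 16.0 policy layout; 'ms project' is the Project subkey; HKCU scope.

function Get-OfficeMacroPolicy {
    param([string]$App = 'ms project', [string]$Version = '16.0')
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"

    # blockcontentexecutionfrominternet = 1 means the "Block macros from running in
    # Office files from the Internet" policy is enforced; absent or 0 means it is not.
    $block = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (product default),
    # 3 = disable except digitally signed, 4 = disable all. Policy wins over the user setting.
    $warn = $null
    foreach ($k in @($policyKey, $userKey)) {
        $v = (Get-ItemProperty -Path $k -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { $warn = [int]$v; break }
    }
    if ($null -eq $warn) { $warn = 2 }

    [pscustomobject]@{
        App                 = $App
        BlockInternetMacros = ($block -eq 1)
        VBAWarnings         = $warn
        # Macros from the internet can run (silently at 1, after an "Enable Content" click at 2)
        # only when the block policy is not enforced and macros are not disabled outright.
        MacrosCanRun        = (($block -ne 1) -and ($warn -in 1, 2))
    }
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # MotW is the Zone.Identifier alternate data stream (NTFS only). ZoneId=3 is the
    # Internet zone, which is what triggers SmartScreen and Office Protected View.
    $ads  = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zone = $null
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotw = ($null -ne $ads); ZoneId = $zone }
}

# Constructed sample: a stand-in file given a synthetic Internet-zone MotW, then the same
# file after the stream is removed (the state a MotW bypass leaves an attacker's file in).
$sample = Join-Path $env:TEMP 'motw-sample.mpp'
Set-Content -Path $sample -Value 'not a real Project file'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-MarkOfTheWeb -Path $sample
Unblock-File -Path $sample
Get-MarkOfTheWeb -Path $sample
Remove-Item -Path $sample

Get-OfficeMacroPolicy | Format-List
```

The first `Get-MarkOfTheWeb` call reports the stream with zone 3 and the second reports no stream at all, which is exactly the difference SmartScreen sees between a file that came from the internet and one that appears local. For CVE-2024-38189 the actionable output is `MacrosCanRun`: if it is true for Project, the host meets Microsoft's stated preconditions and the macro policy should be enforced alongside the patch.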

Publicly Disclosed, not actively exploited:

At the time of publication these vulnerabilities have not been exploited in the wild. However, because details are publicly available, this is likely to change quickly, as threat actors will take any opportunity to exploit a known bug.

  • CVE-2024-38202 – Windows Update Stack Elevation of Privilege Vulnerability
  • CVE-2024-21302 – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
  • CVE-2024-38200 – Microsoft Office Spoofing Vulnerability
    • Microsoft identified an alternative fix to this issue that was enabled via Feature Flighting on 2024/07/30. Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.

Countermeasures and Patches

  • Apply patches as soon as possible, after appropriate testing.
  • Until then, reduce exposure using the conditions noted above: disable IPv6 only where it is genuinely unused (CVE-2024-38063), confirm that no program is listening on a PGM port (CVE-2024-38140), keep the "Block macros from running in Office files from the Internet" policy enabled (CVE-2024-38189), restrict Edge Internet Explorer Mode to the sites that need it (CVE-2024-38178), and remind users not to open unexpected files from the internet (CVE-2024-38213).

References

SANS ISC diary: https://isc.sans.edu/diary/Microsoft%20August%202024%20Patch%20Tuesday/31164

Patch-A-Palooza: https://patchapalooza.com/patchtuesday

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto