ION Advisory: September Patch Tuesday

The Microsoft September update consists of 79 patches for Microsoft products. Seven of these vulnerabilities are rated critical and four are being actively exploited.

Critical Vulnerabilities

With the exception of CVE-2024-43491, none of the critical vulnerabilities below have been reported as being actively exploited or publicly disclosed.

  • CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability (Actively exploited)
    • This vulnerability only exists in Windows 10 Version 1507, which is no longer a supported product and has been ‘end of life’ since May 2017.
  • CVE-2024-38216 & CVE-2024-38220 – Azure Stack Hub Elevation of Privilege Vulnerability
    • Requires user interaction for exploitation.
  • CVE-2024-38194 – Azure Web Apps Elevation of Privilege Vulnerability
    • This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take.
  • CVE-2024-38018 & CVE-2024-43464 – Microsoft SharePoint Server Remote Code Execution Vulnerability
    • CVE-2024-38227 & CVE-2024-38228 are related but rated ‘Important’.
    • To leverage this vulnerability, an attacker must be authenticated and must have Site Member permissions.
  • CVE-2024-38119 – Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
    • While rated critical, exploitation is not likely, as an attacker will need to first gain access to the restricted network before running an attack. Additionally, this is not enabled by default.

Active Exploitation

The following vulnerability has been reported as being actively exploited and publicly disclosed:

  • CVE-2024-38217 – Windows Mark of the Web Security Feature Bypass Vulnerability
    • This CVE is related to CVE-2024-43487; however, CVE-2024-43487 was not actively exploited or publicly disclosed.
    • A user must be convinced to download a malicious file by means of social engineering or a phishing email to allow the attacker to interfere with the Mark of the Web functionality. This can lead to a limited loss of integrity and availability of security features such as the SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.

The following vulnerabilities have been reported as being actively exploited, but not publicly disclosed:

  • CVE-2024-38226 – Microsoft Publisher Security Feature Bypass Vulnerability
    • User interaction is required to exploit. This is often achieved by means of a phishing email or social engineering to convince a victim to download a malicious file. If successful, this could lead to a local attack on the victim's computer.
  • CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability
    • As above, this vulnerability only exists in Windows 10 Version 1507, which is no longer a supported product and has been ‘end of life’ since May 2017.
  • CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability
    • An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Countermeasures and Patches

  • Apply patches as soon as possible, after appropriate testing.

References

SANS Report: https://isc.sans.edu/diary/31254

Patch-A-Palooza: https://patchapalooza.com/patchtuesday

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto

Rhys Downing

Manupriya Sharma