
ION Advisory: October Patch Tuesday

The Microsoft October Patch Tuesday update consists of a large number of fixes (117) for various Microsoft products. These resolve 3 Chromium/Edge vulnerabilities, 3 other critical-rated vulnerabilities, and a further 2 vulnerabilities that are being actively exploited. 25 of the vulnerabilities being fixed are remotely exploitable but not yet known to be exploited.

Critical Vulnerabilities

None of the following critical vulnerabilities have been reported as being actively exploited or publicly disclosed.

  • CVE-2024-43468 – Microsoft Configuration Manager Remote Code Execution Vulnerability
    • An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner.
  • CVE-2024-43582 – Remote Desktop Protocol (RDP) Server Remote Code Execution Vulnerability
    • If an unauthenticated attacker sends malformed packets to an RPC host, the result is server-side RCE with the same permissions as the RPC service.
  • CVE-2024-43488 – Visual Studio Code extension for Arduino Remote Code Execution Vulnerability (No action needed, fixed)
    • Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution across the network.

Active Exploitation

The following vulnerabilities have been reported as being actively exploited and publicly disclosed.

  • CVE-2024-43572 – Microsoft Management Console (MMC) Remote Code Execution Vulnerability
    • An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner, enabling the attacker to execute commands on the server and/or underlying database. The vulnerability stems from a failure to properly sanitize inputs. Microsoft also reported CVE-2024-38259, another MMC vulnerability, as actively exploited in its September Patch Tuesday release.
  • CVE-2024-43573 – Windows MSHTML Platform Spoofing Vulnerability
    • While Microsoft has announced the retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as by other applications through the WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can also be used by other legacy applications. Updates to address vulnerabilities in the MSHTML platform and scripting engine are included in the IE Cumulative Updates; EdgeHTML and Chakra changes are not applicable to those platforms. The vulnerability impacts all versions of Windows, except Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

Publicly Disclosed

The following vulnerabilities have been reported as publicly disclosed, but not yet actively exploited.

  • CVE-2024-20659 – Windows Hyper-V Security Feature Bypass Vulnerability
    • This improper input validation vulnerability can lead to a bypass of security controls. It relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine: on some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel. Successful exploitation requires multiple conditions to be met, such as specific application behaviour, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token. It also requires a user to first reboot their machine, and the attacker to have gained access to the restricted network surrounding the vulnerable device before running an attack.
  • CVE-2024-43583 – Winlogon Elevation of Privilege Vulnerability
    • An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. To address this vulnerability, ensure that a Microsoft first-party IME (Input Method Editor) is enabled on your device. By doing so, you can help protect your device from potential vulnerabilities associated with a third-party (3P) IME during the sign-in process.

Notable Vulnerabilities

Microsoft rated the following vulnerabilities as more likely to be exploited:

Countermeasures and Patches

  • Apply patches as soon as possible, after appropriate testing.
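The two actions this advisory gives a defender are to confirm the October update is actually installed and, for CVE-2024-43583, to confirm a Microsoft first-party IME is enabled. The following PowerShell is an added example written for this page, not code from Ontinue or Microsoft. It assumes the KB identifiers are placeholders to be replaced with the October 2024 cumulative and servicing-stack update numbers for the host's Windows build (the advisory does not list them), and it assumes the reviewer decides which listed Text Services Framework profiles are Microsoft's own IME; the script only inventories what is enabled.

```powershell
# Added example (not part of the Ontinue advisory): read-only host checks for the
# two mitigations above. KB numbers below are PLACEHOLDERS; the IME check lists
# enabled input methods and leaves the first-party/third-party decision to the reviewer.

function Get-InstalledKB {
    # Merge two views of installed updates: Get-HotFix (CBS packages) and the
    # Windows Update Agent history, which also covers updates Get-HotFix omits.
    $installed = @{}
    foreach ($hf in Get-HotFix) { $installed[$hf.HotFixID.ToUpper()] = $true }

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            # ResultCode 2 = orcSucceeded; only count updates that actually installed.
            if ($entry.ResultCode -eq 2 -and $entry.Title -match 'KB(\d{6,7})') {
                $installed["KB$($Matches[1])"] = $true
            }
        }
    }
    return $installed
}

function Test-RequiredKB {
    # Returns one row per required KB with an Installed flag, so the output can be
    # collected centrally and any host with Installed = $false is followed up.
    param([Parameter(Mandatory)][string[]]$RequiredKB)
    $installed = Get-InstalledKB
    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{
            KB        = $kb
            Installed = $installed.ContainsKey($kb.ToUpper())
        }
    }
}

function Get-EnabledInputMethods {
    # Keyboard layouts appear as "LANGID:KLID"; Text Services Framework profiles
    # (which is what IMEs are) appear as "LANGID:{CLSID}{ProfileGUID}".
    foreach ($lang in Get-WinUserLanguageList) {
        foreach ($tip in $lang.InputMethodTips) {
            [pscustomobject]@{
                Language = $lang.LanguageTag
                Entry    = $tip
                Kind     = if ($tip -match '\{') { 'TSF profile / IME' } else { 'Keyboard layout' }
            }
        }
    }
}

# Usage: replace the placeholder KB IDs with the ones from the MSRC release notes
# for this host's Windows build before running.
$required = @('KB<PLACEHOLDER-OCT-2024-CU>', 'KB<PLACEHOLDER-OCT-2024-SSU>')
Test-RequiredKB -RequiredKB $required | Format-Table -AutoSize

# For CVE-2024-43583: review the TSF entries and confirm a Microsoft first-party
# IME is enabled for each language users sign in with.
Get-EnabledInputMethods | Format-Table -AutoSize
```

Get-HotFix alone is unreliable for cumulative updates, which is why the script also reads the Windows Update Agent history and only trusts entries whose ResultCode reports success; run it in the user's session for the IME inventory, since Get-WinUserLanguageList reflects the current user's language list.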

References

SANS report: Microsoft Patch Tuesday – October 2024 – SANS Internet Storm Center

Patch-A-Palooza: PatchaPalooza

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto

 
