Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)
2024-10-9 02:1:31 Author: www.tenable.com(查看原文) 阅读量:12 收藏

Tenable Security Response Team

A background with a blue gradient and the Tenable Research logo located in the top center of the image. Underneath, a greyish blue box contains the word "MICROSOFT" in bold text with the words "PATCH TUESDAY" underneath it. Below the box are the words "Zero-Day Vulnerabilities Exploited." This blog covers the October 2024 Patch Tuesday release which addressed 117 CVEs including two zero-day vulnerabilities that were exploited in the wild.

  1. 3Critical
  2. 113Important
  3. 1Moderate
  4. 0Low

Microsoft addresses 117 CVEs with three rated as critical and four zero-day vulnerabilities, two of which were exploited in the wild.

Microsoft patched 117 CVEs in October 2024 Patch Tuesday release, with three rated critical, 113 rated important and one rated moderate. Our counts omitted one vulnerability reported by Hackerone.

A pie chart showing the severity distribution across the Patch Tuesday CVEs patched in October 2024.

This month’s update includes patches for:

  • .NET and Visual Studio
  • .NET,.NET Framework, Visual Studio
  • Azure CLI
  • Azure Monitor
  • Azure Stack
  • BranchCache
  • Code Integrity Guard
  • DeepSpeed
  • Internet Small Computer Systems Interface (iSCSI)
  • Microsoft ActiveX
  • Microsoft Configuration Manager
  • Microsoft Defender for Endpoint
  • Microsoft Graphics Component
  • Microsoft Management Console
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Simple Certificate Enrollment Protocol
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Speech
  • OpenSSH for Windows
  • Outlook for Android
  • Power BI
  • RPC Endpoint Mapper Service
  • Remote Desktop Client
  • Role: Windows Hyper-V
  • Service Fabric
  • Sudo for Windows
  • Visual C++ Redistributable Installer
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows BitLocker
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows EFI Partition
  • Windows Hyper-V
  • Windows Kerberos
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows Local Security Authority (LSA)
  • Windows MSHTML Platform
  • Windows Mobile Broadband
  • Windows NT OS Kernel
  • Windows NTFS
  • Windows Netlogon
  • Windows Network Address Translation (NAT)
  • Windows Online Certificate Status Protocol (OCSP)
  • Windows Print Spooler Components
  • Windows Remote Desktop
  • Windows Remote Desktop Licensing Service
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS)
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Scripting
  • Windows Secure Channel
  • Windows Secure Kernel Mode
  • Windows Shell
  • Windows Standards-Based Storage Management Service
  • Windows Storage
  • Windows Storage Port Driver
  • Windows Telephony Server
  • Winlogon

A bar chart showing the count by impact of CVEs patched in the October 2024 Patch Tuesday release.

Remote code execution (RCE) vulnerabilities accounted for 35.9% of the vulnerabilities patched this month, followed by elevation of privilege (EOP) vulnerabilities at 23.9%.

CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability

CVE-2024-43572 is a RCE vulnerability in Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by convincing a vulnerable target through the use of social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code. According to Microsoft, CVE-2024-43572 was exploited in the wild as a zero-day. This is the second month in a row that Microsoft patched a RCE vulnerability in the MMC, as Microsoft addressed CVE-2024-38259 in its September 2024 Patch Tuesday release.

As part of its patch for CVE-2024-43572, Microsoft has altered the behavior for Microsoft Saved Console (MSC) files, preventing untrusted MSC files from being opened on a system.

CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability

CVE-2024-43573 is a spoofing vulnerability in the Windows MSHTML Platform. It was assigned a CVSSv3 score of 6.5 and is rated as moderate. An unauthenticated, remote attacker could exploit this vulnerability by convincing a potential target to open a malicious file. According to Microsoft, CVE-2024-43573 was exploited in the wild as a zero-day.

This is the fourth zero-day vulnerability in the Windows MSHTML Platform that was exploited in the wild in 2024, which include CVE-2024-30040, a security feature bypass flaw that was patched in May 2024, CVE-2024-38112, a spoofing vulnerability that was patched in July 2024 and CVE-2024-43461, a spoofing vulnerability that was patched on September 10, 2024, though details about in-the-wild exploitation was not known until September 13, 2024. Both CVE-2024-38112 and CVE-2024-43461 were used as part of an exploit chain by an advanced persistent threat (APT) actor known as Void Banshee.

CVE-2024-20659 | Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659 is a security feature bypass vulnerability in Windows Hyper-V. It was assigned a CVSSv3 score of 7.1, is rated as important and assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index. This is likely due to the fact that there are multiple conditions that need to be met in order for exploitation to be feasible, such as a user rebooting their machine and application specific behavior among other user-required actions. Successful exploitation would allow an attacker to bypass a Virtual Machine’s Unified Extensible Firmware Interface (UEFI) on the host machine, resulting in both the hypervisor and secure kernel being compromised. According to Microsoft, CVE-2024-20659 was publicly disclosed prior to a patch being made available.

In addition to CVE-2024-20659, Microsoft also addressed three denial of service (DoS) vulnerabilities and one RCE in Windows Hyper-V:

CVE-2024-43583 | Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583 is an EoP vulnerability in Winlogon. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. According to Microsoft, CVE-2024-43583 was publicly disclosed prior to a patch being made available.

In addition to applying the available patch for CVE-2024-43583, Microsoft recommends enabling Microsoft first-party Input Method Editor (IME) in order to thwart vulnerabilities within third-party IMEs. For more information on enabling first-party IME, please refer to the knowledge base article KB5046254.

CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

CVE-2024-43533 and CVE-2024-43599 | Remote Desktop Client Remote Code Execution Vulnerability

CVE-2024-43533 and CVE-2024-43599 are a pair of RCE vulnerabilities in Microsoft Remote Desktop Client, both with a CVSSv3 score of 8.8 and flagged by Microsoft as “Exploitation Less Likely.” The attack vector noted by Microsoft lists a prerequisite of an attacker first compromising a Remote Desktop Server. Once compromised, the attacker can leverage RCE against vulnerable connecting devices. As a mitigating factor and part of security best practices, it is suggested that the Remote Desktop service should be disabled if not needed. Microsoft’s advisory further explains that disabling unused services can help reduce exposure.

CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability

CVE-2024-43468 is a RCE in Microsoft Configuration Manager listed as “Exploitation Less Likely” by Micorosft despite having a critical CVSSv3 score of 9.8, the highest in October's Patch Tuesday update. An attacker can leverage this vulnerability without prior authentication by sending a specially crafted request to a vulnerable machine resulting in RCE on the machine or its underlying database.

Microsoft has advised impacted users to install an in-console update as the only mitigation path, but has listed a workaround for users who cannot immediately implement the updates. The workaround suggested by Microsoft is to use an alternate service account for the Management point connection account in place of the default “Computer” account.

CVE-2024-38124 | Windows Netlogon Elevation of Privilege Vulnerability

CVE-2024-38124 is a EoP vulnerability in Windows Netlogon assessed as “Exploitation Less Likely” with a CVSSv3 score of 9, the second highest in the October Patch Tuesday update. An attacker would need authenticated access to the same network as a vulnerable device and rename their machine to match the domain controller in order to establish a secure channel. If these prerequisites are met, the attacker would then need to rename their machine back to its original name and “once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.”

There are no workarounds listed for this vulnerability, but if immediate patching is not an option, Microsoft has listed a handful of mitigating factors to consider:

  • Avoid using predictable naming conventions on Domain Controllers
  • Ensure Secure Channel validation requires more than just a matching computer name.
  • Monitoring for the renaming of computers within the network.
  • Consider enhanced authentication mechanisms.

Tenable Solutions

A list of all the plugins released for Microsoft’s October 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Tenable Security Response Team

The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. The SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.

Related Articles

  • Exposure Management
  • Vulnerability Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank you

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank you

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a sales representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank you

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology security you need.

Reduce the risk you don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a demo of Tenable Cloud Security


Exceptional unified cloud security awaits you!


We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
in action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management in action

Know the exposure of every asset on any platform.

Get a demo of Tenable Enclave Security

Please fill out the form with your contact information and a sales representative will contact you shortly to schedule a demo.

Thank You

Thank you for your interest in Tenable Enclave Security. A representative will be in touch soon.

Try Tenable Nessus Professional free

Free for 7 days

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
now available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Try Tenable Nessus Expert free

Free for 7 days.

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.


文章来源: https://www.tenable.com/blog/microsoft-october-2024-patch-tuesday-addresses-117-cves-cve-2024-43572-cve-2024-43573
如有侵权请联系:admin#unsafe.sh