Microsoft’s latest Patch Tuesday release addressed 16 critical vulnerabilities, all classified as remote code execution flaws—a stark reminder of the importance of proactive patch management.

Here's a breakdown of the vulnerabilities by category:

  • 27 Elevation of Privilege vulnerabilities
  • 30 Remote Code Execution vulnerabilities
  • 7 Information Disclosure vulnerabilities
  • 5 Denial of Service vulnerabilities
  • 1 Spoofing vulnerability

Keeping systems up to date is crucial to mitigate risks. Ensure your organisation prioritises these updates to strengthen your cyber security posture.

Two Highlighted Vulnerabilities – which Integrity360 recommend be patched immediately:

  • CVE-2024-49112 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVSS 9.8) – Critical

With a CVSS severity score of 9.8 out of 10, this vulnerability in Windows Lightweight Directory Access Protocol (LDAP) calls could allow an attacker to execute arbitrary code within the context of the LDAP service. Additionally, CVE-2024-49124 and CVE-2024-49127 permit an unauthenticated attacker to send a specially crafted request to a vulnerable LDAP server, potentially executing the attacker's code if they succeed in winning a "race condition." Although the above vulnerabilities are rated "critical" and carry high CVSS scores, Microsoft has determined that exploitation is "less likely."

Mitigations:

Ensure that domain controllers are configured either to not access the internet or to not allow inbound RPC from untrusted networks. While either mitigation will protect your system from this vulnerability, applying both configurations provides an effective defense-in-depth against this vulnerability.
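One way to audit the second mitigation on a domain controller is to list the enabled inbound allow rules that cover RPC and show which remote addresses they accept. This is an added example, not code from Integrity360 or Microsoft; the function name `Get-InboundRpcRule` is hypothetical, and it assumes Windows Defender Firewall is the host firewall in use.

```powershell
# Added example: list enabled inbound "Allow" rules that expose RPC and flag
# those that accept traffic from any remote address.
# Assumption: rules identify RPC by the built-in port keywords 'RPC' and
# 'RPCEPMap' or by TCP 135. Rules written as explicit numeric ranges for the
# dynamic RPC ports are not matched and need a manual review.
function Get-InboundRpcRule {
    [CmdletBinding()]
    param()

    $rpcPorts = 'RPC', 'RPCEPMap', '135'

    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter

            # Keep only TCP rules whose local port list includes an RPC entry.
            $matched = @($port.LocalPort) | Where-Object { $_ -in $rpcPorts }
            if ($port.Protocol -eq 'TCP' -and $matched) {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    LocalPort     = @($port.LocalPort) -join ','
                    RemoteAddress = @($addr.RemoteAddress) -join ','
                    # 'Any' means the rule is not scoped to trusted networks.
                    AnyRemote     = @($addr.RemoteAddress) -contains 'Any'
                }
            }
        }
}

# Rules with AnyRemote = True are the ones to scope down to trusted subnets.
Get-InboundRpcRule | Sort-Object AnyRemote -Descending | Format-Table -AutoSize
```

A rule scoped to specific management or domain subnets shows those ranges in `RemoteAddress`; perimeter firewalls still need checking separately, since this only covers the host firewall.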

How can an attacker exploit this vulnerability?

An unauthenticated attacker who successfully exploited this vulnerability could use a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service.

  • CVE-2024-49138 - Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVSS 7.8) - Important

CVE-2024-49138 stems from a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver and can be exploited by attackers to elevate their privileges on the target host to SYSTEM, according to Microsoft.

At the time of writing, no information has been released as to how the flaw is exploited in attacks; more information about this vulnerability is yet to be released.

Other Vulnerabilities also patched:

  • CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability - Critical

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

In addition to these nine RCEs, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

  • CVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability - Critical

CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker to win a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

For a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queuing” will be running and listening on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.
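The two conditions above (service present and TCP port 1801 listening) can be checked locally on a host. This is an added example, not code from Integrity360, Microsoft or Tenable; the function name `Get-MsmqExposure` is hypothetical, and it assumes the service's short name is `MSMQ` (display name "Message Queuing").

```powershell
# Added example: report whether this host meets the MSMQ preconditions
# described in the text (service added and enabled, TCP 1801 listening).
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # MSMQ TCP port named in the text
    )

    # The service only exists if the MSMQ feature has been added.
    # Assumption: short service name 'MSMQ'.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Listening sockets on the MSMQ port, regardless of which address they bind.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port `
                       -ErrorAction SilentlyContinue)

    # Resolve owning processes so a different service on 1801 is not mistaken for MSMQ.
    $owners = foreach ($l in $listeners) {
        (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    $running = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType      = if ($svc) { [string]$svc.StartType } else { $null }
        PortListening  = $listeners.Count -gt 0
        ListenAddress  = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        OwningProcess  = ($owners | Sort-Object -Unique) -join ','
        # Prioritise patching when the service runs or something listens on the port.
        PatchPriority  = $running -or ($listeners.Count -gt 0)
    }
}

Get-MsmqExposure | Format-List
```

A host where `ServicePresent` is true but `ServiceStatus` is `Stopped` with an `Automatic` start type will become exposed again at the next reboot, so it belongs on the patch list as well.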

CVE-2024-49118 and CVE-2024-49122 bring the total to six RCEs affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two were addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.