Microsoft’s relatively moderate severity rating for the bugs belies the threat they present
At least five of the 117 CVEs for which Microsoft released a patch this week as part of its October 2024 Patch Tuesday security update need immediate attention because attackers are already exploiting them or have known about them prior to patch availability.
The vulnerabilities under active attack:
- CVE-2024-43573, a Windows MSHTML Platform Spoofing Vulnerability that affects all supported Windows versions except Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.
- CVE-2024-43572, a Microsoft Management Console (MMC) Remote Code Execution Vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and given federal civilian agencies until Oct. 21 to apply Microsoft’s recommended mitigations for the vulnerabilities or to discontinue use of the affected products until they do.
CVE-2024-43573 and the “Void Banshee” connection
Here’s what security experts have had to say about the vulnerability:
“This flaw enables malicious actors to deceive users into believing they are visiting a legitimate site, potentially capturing sensitive information such as login credentials or injecting malicious payloads.” Potential impacts include theft of login credentials and personal information, delivery of secondary payloads and erosion of user trust. Source: Action1
“This is the fourth zero-day vulnerability in the Windows MSHTML Platform that was exploited in the wild in 2024, which include CVE-2024-30040, a security feature bypass flaw that was patched in May 2024, CVE-2024-38112, a spoofing vulnerability that was patched in July 2024 and CVE-2024-43461, a spoofing vulnerability that was patched on September 10, 2024.” Both CVE-2024-38112 and CVE-2024-43461 were used as part of an exploit chain by an advanced persistent threat (APT) actor known as Void Banshee. Source: Tenable
CVE-2024-43572, the second RCE in a row in MMC
“An attacker could exploit this vulnerability by convincing a vulnerable target through the use of social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code.” Microsoft has altered how MSC files behave to mitigate risks associated with the vulnerability. Source: Tenable
“A threat actor would need to send a malicious MMC snap-in and have a user load the file. While this does sound unlikely, it’s clearly happening.” Attacks are likely going to be limited for the moment because of the social engineering involved. “Still, considering the damage that could be caused by an admin loading a malicious snap-in, I would test and deploy this update quickly.” Source: Trend Micro ZDI
The publicly known but unexploited bugs:
- CVE-2024-6197, a remote code execution flaw in open-source cURL
- CVE-2024-20659, a Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2024-43583, a Winlogon Elevation of Privilege Vulnerability
CVE-2024-6197 is actually a third-party vulnerability that HackerOne disclosed in June.
“The affected systems include those using cURL or libcurl, the underlying library that powers numerous applications on diverse platforms. Although Windows does not typically ship with libcurl, it does include the cURL command line tool, which is vulnerable. On other platforms, any application that incorporates libcurl directly is at risk, underscoring the extensive reach of this vulnerability.” Source: Action1
CVE-2024-20659 has only a moderate severity rating for a security bypass flaw
“This is likely due to the fact that there are multiple conditions that need to be met in order for exploitation to be feasible, such as a user rebooting their machine and application specific behavior among other user-required actions.” The flaw was publicly disclosed before patch availability.
“Successful exploitation would allow an attacker to bypass a Virtual Machine’s Unified Extensible Firmware Interface (UEFI) on the host machine, resulting in both the hypervisor and secure kernel being compromised. According to Microsoft, CVE-2024-20659 was publicly disclosed prior to a patch being made available.” Source: Tenable
CVE-2024-43583 enables SYSTEM-level access
“The exploitation of this vulnerability is facilitated by weaknesses in how Winlogon interacts with Input Method Editors (IMEs), particularly when a vulnerable third-party IME is active during the login process. This issue predominantly affects systems that use third-party IMEs during the login phase.” Using a first-party IME could reduce risk by enabling safer interactions with Winlogon. Source: Action1