Tag Archives: Vulnerability management

Patch Tuesday – June 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/06/11/patch-tuesday-june-2024/


It’s June 2024 Patch Tuesday. Microsoft is addressing 51 vulnerabilities today, and has evidence of public disclosure for just a single one of those. At time of writing, none of the vulnerabilities published today are listed on CISA KEV, although this is always subject to change. Microsoft is patching a single critical remote code execution (RCE) vulnerability today. Seven browser vulnerabilities were published separately this month, and are not included in the total.

MSMQ: critical RCE

The sole critical RCE patched today is CVE-2024-30080 for all current versions of Windows. Exploitation requires that an attacker send a specially crafted malicious packet to an MSMQ server, which Patch Tuesday watchers will know as a perennial source of vulnerabilities. As usual, Microsoft points out that the Windows message queuing service is not enabled by default; as usual, Rapid7 notes that a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine. As is typical of MSMQ RCE vulnerabilities, CVE-2024-30080 receives a high CVSSv3 base score due to the network attack vector, low attack complexity, and lack of required privileges. Code execution is presumably in a SYSTEM context, although the advisory does not specify.

Office: malicious file RCEs

Microsoft Office receives patches for a pair of RCE-via-malicious-file vulnerabilities. CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition. On the other hand, CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.

SharePoint: RCE

This month also brings a patch for SharePoint RCE CVE-2024-30100. The advisory is sparing on details, and the context in which attacker-supplied code would execute is not clear. The weakness is described as CWE-426: Untrusted Search Path; many (but not all) vulnerabilities associated with CWE-426 lead to elevation of privilege.

DNSSEC NSEC3: CPU exhaustion DoS

And now for something completely different: CVE-2023-50868, which describes a denial of service vulnerability in DNSSEC. This vulnerability is present in the DNSSEC spec itself, and the CVE was assigned by MITRE on behalf of DNSSEC. Microsoft’s implementation of DNSSEC is thus subject to the same attack as other implementations. An attacker can exhaust CPU resources on a DNSSEC-validating DNS resolver by demanding responses from a DNSSEC-signed zone, if the resolver uses NSEC3 to respond to the request. NSEC3 is designed to provide a safe way for a DNSSEC-validating DNS resolver to indicate that a requested resource does not exist. Under certain circumstances, the DNS resolver must perform thousands of iterations of a hash function to calculate an NSEC3 response, and this is the foundation on which this DoS exploit rests. All current versions of Windows Server receive a patch today.
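As an added illustration of where the CPU cost behind CVE-2023-50868 comes from (this is example code, not Microsoft's or any resolver's implementation): the NSEC3 hash defined in RFC 5155 is SHA-1 applied iterations+1 times to a name plus salt, and a closest encloser proof may require hashing each ancestor of the queried name, so the work a validator does grows as labels × (iterations + 1). The iteration cap MAX_ITERATIONS, the sample names and the salt are assumptions for the example; the cap models the mitigation RFC 9276 recommends, namely that validators stop doing the work for records with unreasonably high iteration counts.

```python
"""NSEC3 hashing cost and an iteration cap for a validating resolver.

Added illustration; not Microsoft's or any resolver's code. The hash
construction follows RFC 5155 section 5. MAX_ITERATIONS is an assumed
policy value chosen for this example, not a figure from the advisory.
"""
import base64
import hashlib

# Assumed policy cap (example value): NSEC3 records whose iteration count
# exceeds it are not validated, which bounds the per-query hashing work.
MAX_ITERATIONS = 100

# base32 -> base32hex alphabet mapping (RFC 4648 "Extended Hex" alphabet),
# the encoding NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each prefixed
    by its length, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    body = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return body + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> tuple[str, int]:
    """Return (base32hex digest, number of SHA-1 invocations spent).

    RFC 5155:  IH(salt, x, 0) = H(x || salt)
               IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    so `iterations` = k costs k+1 hash computations for a single name.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    work = 1
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
        work += 1
    # 20-byte SHA-1 digest -> exactly 32 base32hex characters, no padding.
    b32hex = base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)
    return b32hex.lower(), work


def closest_encloser_work(qname: str, iterations: int) -> int:
    """Upper bound on SHA-1 invocations a validator may spend on a closest
    encloser proof for qname (RFC 5155 section 8.3): every ancestor of the
    name, down to the zone apex, may have to be hashed at iterations+1
    hashes each. For the bound the apex is assumed to be the root."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return len(labels) * (iterations + 1)


def validate_iterations(iterations: int, cap: int = MAX_ITERATIONS) -> str:
    """Policy decision: 'validate' within the cap, 'insecure' above it
    (the response is then treated as unsigned rather than hashed at all)."""
    return "validate" if iterations <= cap else "insecure"


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")          # constructed salt
    for iters in (0, 12, 2500):
        digest, work = nsec3_hash("www.example.", salt, iters)
        bound = closest_encloser_work("www.example.", iters)
        print(f"iterations={iters:5d} hashes/name={work:5d} "
              f"proof bound={bound:6d} policy={validate_iterations(iters)} {digest}")
```

Running the block prints the hash, the per-name cost and the proof-wide bound for a few iteration counts; with 2500 iterations a three-label name already costs several thousand SHA-1 calls per proof, which is the cost the advisory describes, and the policy line shows that a capped validator refuses to spend it. You can cross-check the hash routine against the NSEC3 owner names in RFC 5155 Appendix A (salt aabbccdd, 12 iterations).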

Typically, when Microsoft publishes a security advisory and describes the vulnerability as publicly disclosed, that public disclosure will have been recent. However, in the case of CVE-2023-50868, the flaw in DNSSEC was first publicly disclosed on 2024-02-13. The advisory acknowledges four academics from the German National Research Centre for Applied Cybersecurity (ATHENE), which is perhaps of interest since these same researchers are authors on a March 2024 academic paper that downplays the DoS potential of CVE-2023-50868. Those same researchers published another DNSSEC flaw, CVE-2023-50387 (also known as KeyTrap), in January 2024, which they describe as having potentially serious implications; Microsoft patched that one at the next scheduled opportunity in February. The CVE-2023-50868 advisory published today does not provide further insight as to why this vulnerability wasn’t patched sooner; a reasonable assumption might be that Microsoft assesses CVE-2023-50868 as less urgent/critical than CVE-2023-50387, although both receive a rating of Important on Microsoft’s proprietary severity ranking scale. It’s also possible that Microsoft does not wish to be the only major server OS vendor without a patch.

Lifecycle update

There are no significant changes to the lifecycle phase of Microsoft products this month. In July, Microsoft SQL Server 2014 will move past the end of extended support. From August onwards, Microsoft only guarantees to provide SQL Server 2014 security updates to customers who choose to participate in the paid Extended Security Updates program.

Summary Charts

[Chart 1: Patch Tuesday - June 2024]
[Chart 2: Patch Tuesday - June 2024] What goes up must come down and/or is an attacker’s privilege level.
[Chart 3: Patch Tuesday - June 2024] No spoofing. No security feature bypass. Plenty of elevation of privilege though.

Summary Tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-37325 | Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2024-35252 | Azure Storage Movement Client Library Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-35254 | Azure Monitor Agent Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2024-35255 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | No | No | 5.5 |
| CVE-2024-35253 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 4.4 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-5499 | Chromium: CVE-2024-5499 Out of bounds write in Streams API | No | No | N/A |
| CVE-2024-5498 | Chromium: CVE-2024-5498 Use after free in Presentation API | No | No | N/A |
| CVE-2024-5497 | Chromium: CVE-2024-5497 Out of bounds memory access in Keyboard Inputs | No | No | N/A |
| CVE-2024-5496 | Chromium: CVE-2024-5496 Use after free in Media Session | No | No | N/A |
| CVE-2024-5495 | Chromium: CVE-2024-5495 Use after free in Dawn | No | No | N/A |
| CVE-2024-5494 | Chromium: CVE-2024-5494 Use after free in Dawn | No | No | N/A |
| CVE-2024-5493 | Chromium: CVE-2024-5493 Heap buffer overflow in WebRTC | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-29187 | GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM | No | No | 7.3 |
| CVE-2024-29060 | Visual Studio Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2024-30052 | Visual Studio Remote Code Execution Vulnerability | No | No | 4.7 |

ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30074 | Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2024-30075 | Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability | No | No | 8 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-35249 | Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-35248 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2024-35263 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | No | No | 5.7 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30103 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30100 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-30104 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-30101 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30102 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.3 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30064 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-30068 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-30097 | Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30085 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30089 | Microsoft Streaming Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30072 | Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-35265 | Windows Perception Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-30099 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-30076 | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 6.8 |
| CVE-2024-30096 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-30069 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 4.7 |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30080 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2024-30078 | Windows Wi-Fi Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30077 | Windows OLE Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2024-30086 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30062 | Windows Standards-Based Storage Management Service Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-30094 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-30095 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-35250 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30082 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30087 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30091 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30083 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-50868 | MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU | No | Yes | 7.5 |
| CVE-2024-30070 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-30093 | Windows Storage Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2024-30084 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-30090 | Microsoft Streaming Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-30063 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | No | No | 6.7 |
| CVE-2024-30066 | Winlogon Elevation of Privilege Vulnerability | No | No | 5.5 |
| CVE-2024-30067 | Winlogon Elevation of Privilege Vulnerability | No | No | 5.5 |
| CVE-2024-30065 | Windows Themes Denial of Service Vulnerability | No | No | 5.5 |

CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U

Post Syndicated from Stephen Fewer original https://blog.rapid7.com/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/


On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting their Serv-U file transfer server, which comes in two editions (Serv-U FTP and Serv-U MFT). Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the target server. Rapid7’s vulnerability research team has reproduced the vulnerability and confirmed that it’s trivially exploitable and allows an external unauthenticated attacker to read any file on disk, including binary files, so long as they know the path and the file is not locked (i.e., opened exclusively by something else).

CVE-2024-28995 is not known to be exploited in the wild as of 9 AM ET on June 11. We expect this to change; Rapid7 recommends installing the vendor-provided hotfix (Serv-U 15.4.2 HF 2) immediately, without waiting for a regular patch cycle to occur.

High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims. File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups.

Internet exposure estimates for SolarWinds Serv-U vary substantially based on the query used. For example (note that exposed does not automatically mean vulnerable):

Mitigation guidance

SolarWinds Serv-U 15.4.2 HF 1 and previous versions are vulnerable to CVE-2024-28995, per the vendor advisory. The vulnerability is fixed in SolarWinds Serv-U 15.4.2 HF 2. SolarWinds Serv-U customers should apply the vendor-provided hotfix immediately.
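The version boundary above is easy to get wrong in an inventory query because the hotfix level is a suffix rather than part of the dotted version. As an added example (not SolarWinds' or Rapid7's code), the helper below encodes the advisory's rule, 15.4.2 HF 1 and earlier vulnerable and 15.4.2 HF 2 fixed, and applies it to version strings of the form the advisory uses ("15.4.2 HF 1"); the host inventory is constructed for the example, and the assumption is that whatever tool reports the version emits the same "HF n" suffix.

```python
"""Triage helper: is a reported SolarWinds Serv-U version still vulnerable
to CVE-2024-28995?

Added example; not SolarWinds' or Rapid7's code. It encodes the boundary
from the vendor advisory only: 15.4.2 HF 1 and earlier are vulnerable,
15.4.2 HF 2 is fixed. The "Serv-U <version> HF <n>" string format is
assumed to be what an inventory tool reports.
"""
import re

# Fixed release per the vendor advisory: 15.4.2 HF 2, held as
# ((major, minor, patch), hotfix) so tuple comparison orders it correctly.
FIXED_VERSION = ((15, 4, 2), 2)

_VERSION_RE = re.compile(
    r"^\s*(?:serv-u\s+)?(\d+(?:\.\d+)*)\s*(?:hf\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple[tuple[int, ...], int]:
    """Split "15.4.2 HF 1" into ((15, 4, 2), 1).

    A missing hotfix suffix means hotfix level 0, so a plain "15.4.2" sorts
    before "15.4.2 HF 1". Short versions are padded to three components so
    that "15.4" compares as 15.4.0.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts = parts + (0,) * max(0, 3 - len(parts))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return parts, hotfix


def is_vulnerable(text: str) -> bool:
    """True when the reported version is older than 15.4.2 HF 2."""
    return parse_version(text) < FIXED_VERSION


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose reported version still needs the hotfix;
    unparsable versions are reported too, since they cannot be cleared."""
    needs_fix = []
    for host, version in inventory.items():
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            vulnerable = True
        if vulnerable:
            needs_fix.append(host)
    return sorted(needs_fix)


if __name__ == "__main__":
    # Constructed inventory for demonstration purposes.
    hosts = {
        "ftp01": "Serv-U 15.4.2 HF 1",
        "ftp02": "15.4.2 HF 2",
        "mft03": "15.3.1",
        "mft04": "unknown",
    }
    print("apply Serv-U 15.4.2 HF 2 on:", triage(hosts))
```

The deliberate choice to treat unparsable versions as vulnerable keeps the check fail-closed: a host that cannot be shown to be at HF 2 stays on the list until someone looks at it.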

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-28995 with an unauthenticated vulnerability check available as of the Monday, June 10 content release.

The Dreaded Network Pivot: An Attack Intelligence Story

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/06/04/the-dreaded-network-pivot-an-attack-intelligence-story/


Rapid7 recently released our 2024 Attack Intelligence Report, a 14-month deep dive into the vulnerability and attacker landscape. The spiritual successor to our annual Vulnerability Intelligence Report, the AIR includes data from the Rapid7 research team combined with our detection and response and threat intelligence teams. It is designed to provide the clearest view yet into what security professionals face day to day.

In this blog, we would like to focus on one area of research the AIR highlights: network edge technologies. In 2023 (and early 2024) Rapid7 found some startling information about the vulnerability of these critical devices. Essentially, of the mass compromise events we studied, exploitation of network edge tech increased significantly over the 14 months the report covers — something we will cover in detail shortly.

But first, some background. Way back in 2020, Rapid7 created a new attacker utility category for vulnerabilities that functioned as network pivots. These are vulnerabilities that give external attackers internal network access. Think VPNs, firewalls, security gateways, etc. They serve an important function in any network but visibility into these devices can be challenging, making them prime targets for attackers.

In 2023 we saw a surge in attacks on these network appliances. Mass compromise events stemming from exploitation of network edge tech nearly doubled over the period studied — with 36% of all widely exploited vulnerabilities occurring within network perimeter technology. Looking back over the previous reports, we determined some 60% of all of the vulnerabilities Rapid7 analyzed in network edge devices over a three year period were exploited as zero-days, a disproportionate number when looking at the entirety of the vulnerabilities studied.

Over the four years Rapid7 has been categorizing this type of vulnerability, network edge devices have comprised 24% of exploited vulnerabilities and a quarter of all widespread threats.


State-sponsored groups and ransomware groups like Cl0p, Inc, Bl00dy, Akira, Play, LockBit, and more went after network edge tech in 2023. Network edge devices are essential for modern network operations, but they also represent a major weak spot in cybersecurity defenses — one that these organized groups took advantage of in 2023.

There are a number of reasons for this. It can be difficult to detect intrusions on these types of devices, as the capabilities for logging and threat detection vary depending on the specific devices used. Some do not log key events; they use a variety of firmware and (often proprietary) operating systems, and in some cases the firmware itself may be encrypted or obfuscated. This makes monitoring and detecting intrusions troublesome across different devices, and developing a strategy for the entire spectrum of devices complex.

For more information about network edge technology vulnerabilities, as well as the latest data on ransomware, attacker utilities, widespread threats, file transfer vulns, and more, download the 2024 Attack Intelligence Report.

CVE-2024-24919: Check Point Security Gateway Information Disclosure

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/


On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

On May 29, 2024, security firm mnemonic published a blog reporting that they have observed in-the-wild exploitation of CVE-2024-24919 since April 30, 2024, with threat actors leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory. They’ve also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers, within hours of an initial attack against a vulnerable Check Point Gateway.

On May 30, 2024, watchTowr published technical details of CVE-2024-24919 including a PoC.

The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance. For example, this allows an attacker to read the appliance’s /etc/shadow file, disclosing the password hashes for local accounts. The attacker is not limited to reading this file and may read other files that contain sensitive information. An attacker may be able to crack the password hashes for these local accounts, and if the Security Gateway allows password-only authentication, the attacker may use the cracked passwords to authenticate.

Mitigation Guidance

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances

Check Point has advised that a Security Gateway is vulnerable if either of the following configurations is applied:

  • If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
  • If the “Mobile Access” blade has been enabled.

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

The vendor-supplied hotfixes should be applied immediately. Rapid7 strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying vendor-provided fixes.

Check Point notes that exploit attempts their team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than password-only authentication. More information and recommendations on user and client authentication for remote access is available here.

Rapid7 Customers

A vulnerability check is in development for InsightVM and Nexpose customers to assess exposure to CVE-2024-24919. This blog will be updated with the latest information as and when it is available.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this vulnerability:

  • Suspicious Web Server Request – Successful Path Traversal Attack
  • Suspicious Web Request – Possible Check Point VPN (CVE-2024-24919) Exploitation
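The first detection in that list, a successful path traversal request, is a good illustration of what a web-request rule has to cope with, so here is an added example of the underlying logic (this is not one of Rapid7's detection rules and not Check Point's code). It decodes each request path repeatedly to catch double-encoding, normalises backslashes, counts how far ".." segments climb relative to the web root, and treats a 2xx response as evidence that the read succeeded. The access-log lines are constructed in Common Log Format and do not reproduce any real exploit request.

```python
"""Path traversal detection over web-server access-log lines.

Added example; not a Rapid7 detection rule and not Check Point's code.
The log lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2024:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5123
10.0.0.7 - - [30/May/2024:10:01:09 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 200 1844
10.0.0.7 - - [30/May/2024:10:01:15 +0000] "GET /static/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [30/May/2024:10:02:00 +0000] "GET /app/%252e%252e/%252e%252e/config.ini HTTP/1.1" 200 322
10.0.0.5 - - [30/May/2024:10:02:30 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 77
"""

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded, so a
    pathological input cannot loop), then fold backslashes to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True when the decoded path climbs above the web root at any point.
    Only whole '..' segments count; 'a..b' is an ordinary name."""
    decoded = fully_decode(path.split("?", 1)[0])
    depth = 0
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def analyse(log_text: str) -> list[dict]:
    """One finding per request whose path escapes the root. 'successful' is
    True for 2xx responses, the case the stronger alert name refers to."""
    findings = []
    for line in log_text.splitlines():
        match = _LINE_RE.match(line)
        if not match or not escapes_root(match["path"]):
            continue
        status = int(match["status"])
        findings.append({
            "src": match["ip"],
            "path": match["path"],
            "decoded": fully_decode(match["path"]),
            "status": status,
            "successful": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        label = "SUCCESSFUL" if finding["successful"] else "attempted"
        print(f"{label:10} {finding['src']:10} {finding['status']} {finding['decoded']}")
```

Two design points: the depth counter rather than a substring match on ".." is what keeps `/docs/a..b/readme.txt` from alerting, and the bounded decode loop is what catches the `%252e%252e` request, which a single `unquote` would leave looking harmless.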

Patch Tuesday – May 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/05/14/patch-tuesday-may-2024/


Microsoft is addressing 61 vulnerabilities this May 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for three of the vulnerabilities published today. At time of writing, two of the vulnerabilities patched today are listed on CISA KEV. Microsoft is also patching a single critical remote code execution (RCE) vulnerability today. Six browser vulnerabilities were published separately this month, and are not included in the total.

Windows DWM: zero-day EoP

The first of today’s zero-day vulnerabilities is CVE-2024-30051, an elevation of privilege (EoP) vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which is listed on the CISA KEV list. Successful exploitation grants SYSTEM privileges. First introduced as part of Windows Vista, DWM is responsible for drawing everything on the display of a Windows system.

Reporters Securelist have linked exploitation of CVE-2024-30051 with deployment of QakBot malware, and discovered the vulnerability while investigating a partial proof-of-concept contained within an unusual file originally submitted to VirusTotal by an unknown party. Securelist further notes that the exploitation method for CVE-2024-30051 is identical to a previous DWM zero-day vulnerability, CVE-2023-36033, which Microsoft patched back in November 2023.

Courtesy of Microsoft’s recent enhancement of their security advisories to include Common Weakness Enumeration (CWE) data, the mechanism of exploitation is listed as CWE-122: Heap-based Buffer Overflow, which is just the sort of defect that recent US federal government calls for memory safe software development are designed to address.

MSHTML: zero-day security feature bypass

The Windows MSHTML platform receives a patch for CVE-2024-30040, a security feature bypass vulnerability for which Microsoft has evidence of exploitation in the wild, and which CISA has also listed on KEV.

The advisory states that an attacker would have to convince a user to open a malicious file; successful exploitation bypasses COM/OLE protections in Microsoft 365 and Microsoft Office to achieve code execution in the context of the user.

As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable to CVE-2024-30040 — regardless of whether or not a Windows asset has Internet Explorer 11 fully disabled.

Visual Studio: zero-day DoS

Rounding out today’s trio of zero-day vulnerabilities: a denial of service (DoS) vulnerability in Visual Studio.

Microsoft describes CVE-2024-30046 as requiring a highly complex attack to win a race condition through “[the investment of] time in repeated exploitation attempts through sending constant or intermittent data”. Since all data sent anywhere is transmitted either constantly or intermittently, and the rest of the advisory is short on detail, the potential impact of exploitation remains unclear.

Only Visual Studio 2022 receives an update, so older supported versions of Visual Studio are presumably unaffected.

SharePoint: critical post-auth RCE

SharePoint admins are no strangers to patches for critical RCE vulnerabilities. CVE-2024-30044 allows an authenticated attacker with Site Owner permissions or higher to achieve code execution in the context of SharePoint Server via upload of a specially crafted file, followed by specific API calls to trigger deserialization of the file’s parameters.

Microsoft considers exploitation of CVE-2024-30044 more likely, and the low attack complexity and network attack vector contribute to a relatively high CVSS 3.1 base score of 8.8. The advisory also lists the privileges required vector component as low, which is debatable given the Site Owner authentication requirement for exploitation.

Microsoft has previously published an accessible introduction to deserialization vulnerabilities and the risks of assuming data to be trustworthy, aimed at .NET developers.
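The principle behind that guidance, that a deserializer which instantiates whatever type the data names hands control to whoever wrote the data, is language-independent. As an added example (in Python rather than .NET, and not Microsoft's code or the linked guidance), the block below shows the trusting pattern next to a hardened loader that resolves only an allow-list of expected types and refuses anything else before it is instantiated. The payloads are constructed: the "hostile" one merely names an unexpected type (datetime), which is enough to demonstrate the refusal without any harmful gadget.

```python
"""Deserializing untrusted input: allow-list the types the data may name.

Added example in Python; not Microsoft's code and not the .NET guidance the
post links to. pickle stands in for a .NET formatter: both will construct
any type the serialized data asks for unless the application stops them.
"""
import datetime
import io
import pickle

# (module, name) pairs the application legitimately expects in a payload.
# Plain containers and scalars never reach find_class (they have their own
# opcodes), so this list only has to cover classes the data may reference.
ALLOWED_TYPES = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed types; refuse everything else by name
    before any constructor or __reduce__ callable is looked up."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_untrusted(blob: bytes):
    """Hardened loader: data may only use the allow-listed types."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_trusting(blob: bytes):
    """The unsafe pattern: whatever the bytes name gets resolved and built."""
    return pickle.loads(blob)


def is_refused(blob: bytes) -> bool:
    """True when the hardened loader rejects the payload."""
    try:
        load_untrusted(blob)
    except pickle.UnpicklingError:
        return True
    return False


def demo_blobs() -> tuple[bytes, bytes]:
    """Constructed payloads: a benign record the application expects, and
    one that names a type outside the allow-list (datetime here; a real
    attacker would name a type whose construction does something harmful)."""
    benign = pickle.dumps({"user": "alice", "roles": ["reader"], "quota": 10})
    unexpected = pickle.dumps(datetime.datetime(2024, 5, 14))
    return benign, unexpected


if __name__ == "__main__":
    benign, unexpected = demo_blobs()
    print("hardened, benign  :", load_untrusted(benign))
    print("hardened, hostile :", "refused" if is_refused(unexpected) else "accepted")
    print("trusting, hostile :", type(load_trusting(unexpected)).__name__, "built")
```

The point to carry back to the .NET world is the ordering: the check happens on the type name before anything is instantiated, which is the only place a deserializer can still say no.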

Excel: arbitrary code execution

Microsoft Excel receives a patch for CVE-2024-30042. Successful exploitation requires that an attacker convince the user to open a malicious file, which leads to code execution, presumably in the context of the user.

Remote Access Connection Manager: last month’s vulns repatched

Also of interest today: Microsoft is releasing updated patches for three Windows Remote Access Connection Manager information disclosure vulnerabilities originally published in April 2024: CVE-2024-26207, CVE-2024-26217, and CVE-2024-28902. Microsoft states that an unspecified regression introduced by the April patches is resolved by installation of the May patches.

Mobile Broadband driver: 11 local USB RCEs

The Windows Mobile Broadband driver receives patches for no fewer than 11 vulnerabilities; for example, CVE-2024-29997. All 11 vulnerabilities appear very similar based on the advisories. In each case, the relatively low CVSS base score of 6.8 reflects that an attacker must be physically present and insert a malicious USB device into the target host.

Third-party open source patches

Back in 2021, Microsoft started publishing the Assigning CNA (CVE Numbering Authority) field on advisories. A welcome trend of publishing advisories for third-party software included in Microsoft products continues this month with two vulnerabilities in MinGit patched as part of the May 2024 Windows security updates. MinGit is published by GitHub and consumed by Visual Studio. CVE-2024-32002 describes an RCE vulnerability on case-insensitive filesystems that support symlinks – macOS APFS comes to mind – and CVE-2024-32004 describes RCE while cloning specially-crafted local repositories.

Lifecycle update

There are no significant changes to the lifecycle phase of Microsoft products this month.

Summary Charts

[Chart 1: Patch Tuesday - May 2024] Mobile Broadband is this month’s winner, albeit for 11 apparently very similar vulns.
[Chart 2: Patch Tuesday - May 2024] RCE: the people’s champion.
[Chart 3: Patch Tuesday - May 2024] The lesser-spotted Tampering impact type makes an appearance this month.

Summary Tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30059 | Microsoft Intune for Android Mobile Application Management Tampering Vulnerability | No | No | 6.1 |
| CVE-2024-30041 | Microsoft Bing Search Spoofing Vulnerability | No | No | 5.4 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30053 | Azure Migrate Cross-Site Scripting Vulnerability | No | No | 6.5 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30055 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 5.4 |
| CVE-2024-4671 | Chromium: CVE-2024-4671 Use after free in Visuals | No | No | N/A |
| CVE-2024-4559 | Chromium: CVE-2024-4559 Heap buffer overflow in WebAudio | No | No | N/A |
| CVE-2024-4558 | Chromium: CVE-2024-4558 Use after free in ANGLE | No | No | N/A |
| CVE-2024-4368 | Chromium: CVE-2024-4368 Use after free in Dawn | No | No | N/A |
| CVE-2024-4331 | Chromium: CVE-2024-4331 Use after free in Picture In Picture | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-32002 | CVE-2024-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution | No | No | 9 |
| CVE-2024-32004 | GitHub: CVE-2024-32004 Remote Code Execution while cloning special-crafted local repositories | No | No | 8.1 |
| CVE-2024-30045 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 6.3 |
| CVE-2024-30046 | Visual Studio Denial of Service Vulnerability | No | Yes | 5.9 |

ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30030 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30009 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30010 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30020 | Windows Cryptographic Services Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2024-30049 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-29996 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30025 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30031 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30028 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30038 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30027 | NTFS Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30014 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30015 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30022 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30023 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30024 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30029 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-30037 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2024-30011 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-30036 | Windows Deployment Services Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-30019 | DHCP Server Service Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2024-30039 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-30016 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-30050 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 5.4 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30047 | Dynamics 365 Customer Insights Spoofing Vulnerability | No | No | 7.6 |
| CVE-2024-30048 | Dynamics 365 Customer Insights Spoofing Vulnerability | No | No | 7.6 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30044 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30042 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-30043 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 6.5 |

SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30054 | Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability | No | No | 6.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-30040 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Yes | No | 8.8 |
| CVE-2024-30017 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-30007 | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2024-30018 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30051 | Windows DWM Core Library Elevation of Privilege Vulnerability | Yes | Yes | 7.8 |
| CVE-2024-30032 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30035 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-29994 | Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-26238 | Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-30033 | Windows Search Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-29997 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-29998 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-29999 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30000 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30001 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30002 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30003 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30004 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30005 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30012 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30021 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-30008 | Windows DWM Core Library Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-30034 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | No | No | 5.5 |

Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/


On Friday, April 19, 2024, managed file transfer vendor CrushFTP released information to a private mailing list on a new zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions) across all platforms. No CVE was assigned by the vendor, but a third-party CVE Numbering Authority (CNA) assigned CVE-2024-4040 as of Monday, April 22. According to a public-facing vendor advisory, the vulnerability is ostensibly a VFS sandbox escape in CrushFTP managed file transfer software that allows “remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.”

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI). CVE-2024-4040 was exploited in the wild as a zero-day vulnerability, per private customer communications from the vendor and a public Reddit post from security firm CrowdStrike. A query that looks for a specific JavaScript file in the web interface suggests that roughly 5,200 instances of CrushFTP are exposed to the public internet.

Mitigation guidance

According to the advisory, CrushFTP versions below 11.1 are vulnerable to CVE-2024-4040. The following versions of CrushFTP are vulnerable as of April 22, 2024:

  • All legacy CrushFTP 9 installations
  • CrushFTP 10 before v10.7.1
  • CrushFTP 11 before v11.1.0

The vulnerability has been patched in version 11.1.0 for the 11.x version stream, and in version 10.7.1 for the 10.x version stream. The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance, particularly given our team’s findings on the true impact of the issue, and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.

While the vendor guidance as of April 22 says that “customers using a DMZ in front of their main CrushFTP instance are partially protected,” it’s unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a DMZ as a mitigation strategy.

CrushFTP customers can harden their servers against administrator-level remote code execution attacks by enabling Limited Server mode with the most restrictive configuration possible. Organizations should also use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

Rapid7 customers

A vulnerability check for InsightVM and Nexpose customers is in development and expected to be available in either today’s (Tuesday, April 23) or tomorrow’s (Wednesday, April 24) content release.

CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2024/04/12/etr-cve-2024-3400-critical-command-injection-vulnerability-in-palo-alto-networks-firewalls-2/


On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.

Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability its highest urgency rating.

Mitigation guidance

CVE-2024-3400 is unpatched as of Friday, April 12 and affects the following versions of PAN-OS when GlobalProtect gateway and device telemetry are enabled:

  • PAN-OS 11.1 (before 11.1.2-h3)
  • PAN-OS 11.0 (before 11.0.4-h1)
  • PAN-OS 10.2 (before 10.2.9-h1)

Palo Alto Networks’ Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0). For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.

The company has indicated that hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 will be released by April 14, along with hotfixes for “all later PAN-OS versions.”

Rapid7 recommends applying one of the below vendor-provided mitigations immediately:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. For more information, see the vendor advisory.
  • Those unable to apply the Threat Prevention mitigation can mitigate by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

Rapid7 customers

Authenticated vulnerability checks are expected to be available to InsightVM and Nexpose customers in today’s (Friday, April 12) content release.

Per the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.

Patch Tuesday – April 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/04/09/patch-tuesday-april-2024/


Microsoft is addressing 149 vulnerabilities this April 2024 Patch Tuesday, which is significantly more than usual. For the second month in a row, Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing.

Despite the large number of vulnerabilities published today, Microsoft has ranked only three as critical under its proprietary severity scale. Five browser vulnerabilities were published separately this month, and are not included in the total.

Microsoft is now including two additional data points on advisories: Common Weakness Enumeration (CWE) and Vector String Source assessments.

Defender for IoT: three critical RCEs

Microsoft Defender for IoT receives patches for three critical remote code execution (RCE) vulnerabilities. Microsoft describes Defender for IoT as an Azure-deployable agentless monitoring solution for Internet of Things (IoT) and Operational Technology (OT) devices.

The advisory for CVE-2024-21322 is light on detail, but notes that exploitation requires the attacker to have existing administrative access to the Defender for IoT web application; this limits the attacker value in isolation, although the potential for insider threat or use as part of an exploit chain remains.

CVE-2024-21323 describes an update-based attack and requires prior authentication; an attacker with the ability to control how a Defender for IoT sensor receives updates could cause the sensor device to apply a malicious update package, overwriting arbitrary files on the sensor filesystem via a path traversal weakness.

Exploitation of CVE-2024-29053 allows arbitrary file upload for any authenticated user, also via a path traversal weakness, although the advisory does not specify what the target is other than “the server”.

The Defender for IoT 24.1.3 release notes do not call out these security fixes and describe only improvements to clock drift detection and unspecified stability improvements; this omission highlights the evergreen value of timely patching.

SharePoint: XSS spoofing

SharePoint receives a patch for CVE-2024-26251, a spoofing vulnerability which abuses cross-site scripting (XSS) and affects SharePoint Server 2016, 2019, and Subscription Edition. Exploitation requires multiple conditions to be met, including but not limited to a reliance on user actions, token impersonation, and specific application configuration. On that basis, although Microsoft is in possession of mature exploit code, exploitation is rated less likely.

Excel: arbitrary file execution

Microsoft is patching a single Office vulnerability today. CVE-2024-26257 describes an RCE vulnerability in Excel; exploitation requires that the attacker convinces the user to open a specially-crafted malicious file.

Patches for Windows-based click-to-run (C2R) Office deployments and Microsoft 365 Apps for Enterprise are available immediately. Not for the first time, a patch for Office for Mac is unavailable at time of writing, and will follow at some unspecified point in the future.

SQL Server OLE DB driver: dozens of RCE

The Microsoft OLE DB Driver for SQL Server receives patches for no fewer than 38 separate RCE vulnerabilities today, which might be a record for a single component. The common theme here is that an attacker could trick a user into connecting to a malicious SQL server to achieve code execution in the context of the client.

All quiet on the Exchange front

There are no security patches for Exchange this month.

Microsoft advisory metadata: CWE and Vector String Source

The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability; e.g., CVE-2024-21322 is assigned “CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’).” By embracing CWE taxonomy, Microsoft is moving away from its own proprietary system to describe root cause. The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause.

Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment. At time of writing, the addition of CWE assessments does not appear to be retroactive.

The Common Vulnerability Scoring System (CVSS) is a widely-used standard for evaluation of vulnerability severity, and Microsoft has helpfully provided CVSS data for each vulnerability for a long time. The CVSS vector describes the variables which comprise the overall CVSS severity score for a vulnerability. The addition of Vector String Source — typically, the entity providing the CVSS assessment on a Microsoft vulnerability will be Microsoft — provides further welcome clarity, at least for vulnerabilities where Microsoft is the CVE Numbering Authority (CNA). It may not be a coincidence that Microsoft is choosing to start explicitly describing the source of the CVSS vector during the ongoing uncertainty around the future of the NVD program.

Lifecycle update

Several Microsoft products move past the end of mainstream support after today:

  • Azure DevOps Server 2019.
  • System Center 2019.
  • Visual Studio 2019.

Additionally, some older products move past the end of extended support, including:

  • Microsoft Deployment Agent 2013.
  • Microsoft Diagnostics and Recovery Toolset 8.1.
  • Visual Studio 2013.

Summary Charts

Patch Tuesday - April 2024 (chart): 38 is a big number in this context.

Patch Tuesday - April 2024 (chart): Blowout victory for RCE this month.

Patch Tuesday - April 2024 (chart): The sheer volume of OLE DB provider for SQL vulns eclipses everything else this month.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-29990 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-29993 Azure CycleCloud Elevation of Privilege Vulnerability No No 8.8
CVE-2024-29989 Azure Monitor Agent Elevation of Privilege Vulnerability No No 8.4
CVE-2024-29063 Azure AI Search Information Disclosure Vulnerability No No 7.3
CVE-2024-21424 Azure Compute Gallery Elevation of Privilege Vulnerability No No 6.5
CVE-2024-26193 Azure Migrate Remote Code Execution Vulnerability No No 6.4
CVE-2024-28917 Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability No No 6.2
CVE-2024-20685 Azure Private 5G Core Denial of Service Vulnerability No No 5.9
CVE-2024-29992 Azure Identity Library for .NET Information Disclosure Vulnerability No No 5.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-29981 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2024-29049 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability No No 4.1
CVE-2024-3159 Chromium: CVE-2024-3159 Out of bounds memory access in V8 No No N/A
CVE-2024-3158 Chromium: CVE-2024-3158 Use after free in Bookmarks No No N/A
CVE-2024-3156 Chromium: CVE-2024-3156 Inappropriate implementation in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21409 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability No No 7.3

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20688 Secure Boot Security Feature Bypass Vulnerability No No 7.1
CVE-2024-20689 Secure Boot Security Feature Bypass Vulnerability No No 7.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26257 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-26251 Microsoft SharePoint Server Spoofing Vulnerability No No 6.8

Other vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20670 Outlook for Windows Spoofing Vulnerability No No 8.1

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-28906 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28908 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28909 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28910 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28911 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28912 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28913 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28914 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28915 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28939 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28942 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28945 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29047 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28926 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28927 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28940 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28944 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29044 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29046 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29048 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29982 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29983 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29984 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29985 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29043 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28941 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28943 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29045 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 7.5

SQL Server Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-28929 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28931 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28932 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28936 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28930 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28933 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28934 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28935 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28937 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28938 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8
CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8
CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 7.2
CVE-2024-21324 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.2
CVE-2024-29055 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.2
CVE-2024-29054 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.2

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-29988 SmartScreen Prompt Security Feature Bypass Vulnerability No No 8.8
CVE-2024-26256 libarchive Remote Code Execution Vulnerability No No 7.8
CVE-2024-26235 Windows Update Stack Elevation of Privilege Vulnerability No No 7.8
CVE-2024-29052 Windows Storage Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26245 Windows SMB Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20693 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26218 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26237 Windows Defender Credential Guard Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21447 Windows Authentication Elevation of Privilege Vulnerability No No 7.8
CVE-2024-28920 Secure Boot Security Feature Bypass Vulnerability No No 7.8
CVE-2024-28905 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-28904 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-28907 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-23593 Lenovo: CVE-2024-23593 Zero Out Boot Manager and drop to UEFI Shell No No 7.8
CVE-2024-26254 Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability No No 7.5
CVE-2024-26219 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2024-26221 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26222 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26223 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26224 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26227 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26231 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26233 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26236 Windows Update Stack Elevation of Privilege Vulnerability No No 7
CVE-2024-26243 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7
CVE-2024-26213 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7
CVE-2024-23594 Lenovo: CVE-2024-23594 Stack Buffer Overflow in LenovoBT.efi No No 6.4
CVE-2024-29064 Windows Hyper-V Denial of Service Vulnerability No No 6.2
CVE-2024-26255 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26172 Windows DWM Core Library Information Disclosure Vulnerability No No 5.5
CVE-2024-26220 Windows Mobile Hotspot Information Disclosure Vulnerability No No 5

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26179 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-26200 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-26205 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-20678 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8
CVE-2024-26214 Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26210 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26244 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29050 Windows Cryptographic Services Remote Code Execution Vulnerability No No 8.4
CVE-2024-26180 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-26189 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-26240 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-28925 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-26230 Windows Telephony Server Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26239 Windows Telephony Server Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26211 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26228 Windows Cryptographic Services Security Feature Bypass Vulnerability No No 7.8
CVE-2024-26229 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26241 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26175 Secure Boot Security Feature Bypass Vulnerability No No 7.8
CVE-2024-29061 Secure Boot Security Feature Bypass Vulnerability No No 7.8
CVE-2024-26158 Microsoft Install Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26248 Windows Kerberos Elevation of Privilege Vulnerability No No 7.5
CVE-2024-28896 Secure Boot Security Feature Bypass Vulnerability No No 7.5
CVE-2024-26212 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2024-26215 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2024-26194 Secure Boot Security Feature Bypass Vulnerability No No 7.4
CVE-2024-26216 Windows File Server Resource Management Service Elevation of Privilege Vulnerability No No 7.3
CVE-2024-26232 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 7.3
CVE-2024-29066 Windows Distributed File System (DFS) Remote Code Execution Vulnerability No No 7.2
CVE-2024-26208 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 7.2
CVE-2024-26195 DHCP Server Service Remote Code Execution Vulnerability No No 7.2
CVE-2024-26202 DHCP Server Service Remote Code Execution Vulnerability No No 7.2
CVE-2024-29062 Secure Boot Security Feature Bypass Vulnerability No No 7.1
CVE-2024-26242 Windows Telephony Server Elevation of Privilege Vulnerability No No 7
CVE-2024-26252 Windows rndismp6.sys Remote Code Execution Vulnerability No No 6.8
CVE-2024-26253 Windows rndismp6.sys Remote Code Execution Vulnerability No No 6.8
CVE-2024-26168 Secure Boot Security Feature Bypass Vulnerability No No 6.8
CVE-2024-28897 Secure Boot Security Feature Bypass Vulnerability No No 6.8
CVE-2024-20669 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-26250 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28921 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28919 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28903 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-26171 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28924 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-26234 Proxy Driver Spoofing Vulnerability No No 6.7
CVE-2024-26183 Windows Kerberos Denial of Service Vulnerability No No 6.5
CVE-2024-26226 Windows Distributed File System (DFS) Information Disclosure Vulnerability No No 6.5
CVE-2024-28923 Secure Boot Security Feature Bypass Vulnerability No No 6.4
CVE-2024-28898 Secure Boot Security Feature Bypass Vulnerability No No 6.3
CVE-2024-20665 BitLocker Security Feature Bypass Vulnerability No No 6.1
CVE-2024-28901 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-28902 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26207 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26217 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-28900 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26209 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.5
CVE-2024-2201 Intel: CVE-2024-2201 Branch History Injection No No 4.7
CVE-2024-29056 Windows Authentication Elevation of Privilege Vulnerability No No 4.3
CVE-2024-28922 Secure Boot Security Feature Bypass Vulnerability No No 4.1

Rapid7 offers continued vulnerability coverage in the face of NVD delays

Post Syndicated from Tyler Terenzoni original https://blog.rapid7.com/2024/03/18/rapid7-offers-continued-vulnerability-coverage-in-the-face-of-nvd-delays/


Recently, the US National Institute of Standards and Technology (NIST) announced on the National Vulnerability Database (NVD) site that there would be delays in adding information on newly published CVEs. NVD enriches CVEs with basic details about a vulnerability like the vulnerability’s CVSS score, software products impacted by a CVE, information on the bug, patching status, etc. Since February 12th, 2024, NVD has largely stopped enriching vulnerabilities.

Given the broad usage of and visibility into the NVD, the delays are sure to have a widespread impact on security operations that rely on timely and effective vulnerability information to prioritize and respond to risk introduced by software vulnerabilities.

We want to assure our customers that this does not impact Rapid7’s ability to provide coverage and checks for vulnerabilities in our products. At Rapid7, we believe in a multi-layered approach to vulnerability detection creation and risk scoring, which means that our products are not completely reliant on any single source of information, NVD included.

In fact, for vulnerability creation, we largely use vendor advisories, and as such our customers will continue to see new vulnerability detections made available without interruption. For vulnerability prioritization, our vulnerability researchers aggregate vulnerability intelligence from multiple sources, including our own research, to provide accurate information and risk scoring. Example areas of our coverage that are currently unaffected by the NVD delays include:

  • Microsoft vulnerabilities: CVSS information is pulled directly from the Microsoft advisory.
  • Vulnerabilities with coverage that are present on the CISA KEV list.
  • Any vulnerabilities that qualify for our Emergent Threat Response (ETR) process: our researchers manually analyze and enrich these vulnerabilities as part of that process.

Below is an example of a recent Microsoft vulnerability, CVE-2024-26166, whose CVSS and Active Risk scores are unaffected by the NVD delays:

(Screenshot: vulnerability detail for CVE-2024-26166 showing its CVSS and Active Risk scores.)

All our vulnerability detections, including the ones leveraging NVD for enrichment details, will continue to be supplemented by our proprietary risk scoring algorithm, Active Risk.

Active Risk leverages intelligence from multiple threat feeds in addition to the CVSS score, including AttackerKB, Metasploit, ExploitDB, Project Heisenberg, the CISA KEV list, and other third-party dark web sources, to provide security teams with threat-aware vulnerability risk scores on a scale of 0-1000. This approach ensures customers can continue to prioritize and remediate risk despite the NVD delays.

First and foremost, we want to assure our customers that they will continue to have coverage and checks across emergent and active vulnerabilities across our products. Our teams will continue to invest in diverse vulnerability enrichment information, and we are actively working on new updates that will ensure there is no additional impact to risk scoring. We continue to monitor the situation, share relevant information as it becomes available, and offer additional guidance for customers via our support channels.
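The section above makes the practical point that a vendor advisory already carries everything needed to score a vulnerability, so a scoring pipeline need not wait on NVD enrichment. As an added illustration (example code, not Rapid7's Active Risk algorithm or anything from the original post), the Python below computes a CVSS v3.1 base score directly from the vector string that vendor advisories such as Microsoft's publish, and then ranks a set of advisory records using that score, KEV membership and the vendor's own exploited/disclosed flags. The CVE identifiers, vectors, KEV set, tier names and thresholds are all constructed for the example and are assumptions, not data from the post.

```python
import math
import re

# CVSS v3.1 base metric weights from the FIRST specification (section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}   # PR weights rise when scope changes
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(.+)$")


def _roundup(value: float) -> float:
    """Round up to one decimal place as CVSS v3.1 Appendix A defines it,
    using integer arithmetic to avoid float artefacts such as 8.7999999."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score for a vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    match = _VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    m = dict(part.split(":", 1) for part in match.group(1).split("/"))
    scope_changed = m["S"] == "C"
    pr = (_PR_CHANGED if scope_changed else _PR_UNCHANGED)[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope_changed:
        return _roundup(min(1.08 * total, 10))
    return _roundup(min(total, 10))


# Constructed sample data: placeholder CVE ids (not real ones), vectors and
# vendor flags of the kind an advisory feed exposes.
SAMPLE_ADVISORIES = [
    {"cve": "CVE-0000-0001", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "exploited": False, "disclosed": False},
    {"cve": "CVE-0000-0002", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
     "exploited": False, "disclosed": False},
    {"cve": "CVE-0000-0003", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
     "exploited": False, "disclosed": False},
    {"cve": "CVE-0000-0004", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
     "exploited": False, "disclosed": False},
]
SAMPLE_KEV = {"CVE-0000-0003"}   # constructed stand-in for the CISA KEV catalogue


def prioritize(advisories, kev_cves):
    """Rank advisories without touching NVD: score from the vendor's own vector,
    then tier on KEV membership and the vendor's exploited/disclosed flags.
    Tier names and thresholds are illustrative assumptions."""
    ranked = []
    for adv in advisories:
        score = cvss31_base_score(adv["vector"])
        if adv["cve"] in kev_cves or adv.get("exploited"):
            tier = "P1-exploited"
        elif adv.get("disclosed") or score >= 9.0:
            tier = "P2-urgent"
        elif score >= 7.0:
            tier = "P3-high"
        else:
            tier = "P4-routine"
        ranked.append({"cve": adv["cve"], "score": score, "tier": tier})
    ranked.sort(key=lambda r: (r["tier"], -r["score"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(SAMPLE_ADVISORIES, SAMPLE_KEV):
        print(f'{row["tier"]:13} {row["cve"]}  {row["score"]}')
```

The scope-changed branch matters: the third sample record is a local privilege escalation whose vector nonetheless scores 8.8 because scope is changed, and it outranks the 9.8 network RCE here only because it sits on the (constructed) KEV list. That is exactly the kind of threat-aware reordering a CVSS-only feed cannot give you.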

Patch Tuesday – March 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/03/12/patch-tuesday-march-2024/

Microsoft is addressing 60 vulnerabilities this March 2024 Patch Tuesday. Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing. Microsoft is patching a single critical remote code execution (RCE) in Windows, which could allow virtual machine escape from a Hyper-V guest. Four browser vulnerabilities were published separately this month, and are not included in the total.

Windows Hyper-V: critical RCE VM escape

Attackers hoping to escape from a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft rates attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work. Exploitation involves sending specially crafted file operation requests from within the VM to hardware resources exposed to that VM. Every supported version of Windows receives a patch. The advisory states that no privileges are required to exploit the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.

Exchange: RCE

A single Exchange vulnerability receives a patch this month. Microsoft describes CVE-2024-26198 as an RCE vulnerability in Exchange in which an attacker places a specially crafted DLL file on a network share or other file-sharing resource and convinces the user to open it. Although the FAQ on the advisory asks “What is the target context of the remote code execution?”, the answer boils down to “[exploitation] results in loading a malicious DLL”. Since the context of the user opening the malicious file is not specified — an Exchange admin? a user running a mail client connecting to Exchange? something else altogether? — it remains unclear what an attacker might be able to achieve.

It remains vitally important to patch any on-premises instances of Exchange, a perennial attacker favourite. Exchange 2016 admins who were dismayed by the lack of patch for last month’s CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month’s CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed.

SharePoint: arbitrary code execution

SharePoint receives a patch for CVE-2024-21426, which Microsoft describes as RCE via the attacker convincing a user to open a malicious file. Although the context of code execution isn’t stated in the advisory, exploitation is local to the user, and could lead to a total loss of confidentiality, integrity, and availability, including downtime for the affected environment.

Azure Kubernetes Service Confidential Containers: confidentiality impact

Azure Kubernetes admins should take note of CVE-2024-21400, which allows an unauthenticated attacker to take over confidential guests and containers, with other outcomes including credential theft and resource impact beyond the scope managed by the Azure Kubernetes Service Confidential Containers (AKSCC). Microsoft describes AKSCC as providing a set of features and capabilities to further secure standard container workloads when working with sensitive data such as PII. The advisory describes additional steps for remediation beyond merely patching AKSCC, including upgrading to the latest version of the az confcom Azure CLI confidential computing extension and Kata Image.

Windows 11: compressed folder tampering

Defenders responsible for Windows 11 assets can now protect them against exploitation of CVE-2024-26185, which Microsoft describes as a compressed folder tampering vulnerability. The advisory is sparse on detail: we know that an attacker must convince the user to open a specially crafted file, but it is not clear what the outcome of successful exploitation might be. Since the only impact listed is to integrity, it is possible that an attacker could modify a compressed folder but not necessarily read from it. Microsoft assesses exploitation as more likely.

Windows Print Spooler: elevation to SYSTEM

Another site of “exploitation more likely” vulnerabilities this month: the Windows Print Spooler service. A local attacker who successfully exploits CVE-2024-21433 by winning a race condition could elevate themselves to SYSTEM privileges.

Exploitation in the wild: status updates

In the days following February 2024 Patch Tuesday, Microsoft announced several updates where the known exploited status of more than one vulnerability changed, as noted by Rapid7. It remains to be seen if those changes were exceptional or the start of a pattern.

Microsoft products lifecycle review

There are no significant changes to the lifecycle phase of Microsoft products this month.

Summary Charts

Chart captions (the charts themselves are images in the original post):

  • Windows Kernel: get the popcorn
  • A comparatively rare outing for Tampering, and a somewhat unusual second place for RCE.
  • Similar to last month: a significant round of WDAC patches, but this time current versions of Windows get a patch too.

Summary Tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21411 Skype for Consumer Remote Code Execution Vulnerability No No 8.8
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability No No 7.5
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability No No 7.1
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability No No 6.6

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21421 Azure SDK Spoofing Vulnerability No No 7.5
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability No No 7.3

Azure System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability No No 9.8
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability No No 7.8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26167 Microsoft Edge for Android Spoofing Vulnerability No No 4.3
CVE-2024-2176 Chromium: CVE-2024-2176 Use after free in FedCM No No N/A
CVE-2024-2174 Chromium: CVE-2024-2174 Inappropriate implementation in V8 No No N/A
CVE-2024-2173 Chromium: CVE-2024-2173 Out of bounds memory access in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability No No 8.8
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability No No 7.5

Developer Tools Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability No No 7.5

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability No No 8.1
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability No No 7.5
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability No No 7
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability No No 7
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability No No 7
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability No No 6.8
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 6.5
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability No No 5.7
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability No No 5.5
CVE-2023-28746 Intel: CVE-2023-28746 Register File Data Sampling (RFDS) No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.8
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21448 Microsoft Teams for Android Information Disclosure Vulnerability No No 5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability No No 5.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability No No 8.8
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability No No 7.8
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability No No 7.3
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability No No 6.5
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability No No 5.5
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability No No 5.5

High-Risk Vulnerabilities in ConnectWise ScreenConnect

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/02/20/etr-high-risk-vulnerabilities-in-connectwise-screenconnect/

On February 19, 2024 ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect 23.9.7 and earlier. While neither vulnerability has a CVE assigned as of February 20, the two issues mentioned in ConnectWise’s advisory are:

  • An authentication bypass using an alternate path or channel (CVSS 10)
  • A path traversal issue (CVSS 8.4)

ScreenConnect is popular remote access software used by many organizations globally; it has also been abused by adversaries in the past. There appear to be some 7,500+ instances of ScreenConnect exposed to the public internet. The vulnerabilities are not known to be exploited in the wild as of February 20.

Security news media and security vendors are raising strong alarms about the ScreenConnect vulnerabilities, largely because of the potential for attackers to exploit vulnerable ScreenConnect instances to then push ransomware to downstream clients. This may be a particular concern for managed service providers (MSPs) or managed security services providers (MSSPs) who use ScreenConnect to remotely manage client environments.

Mitigation guidance

All versions of ConnectWise ScreenConnect before 23.9.8 are vulnerable to these (CVE-less) issues. Customers who have on-premise ScreenConnect instances in their environments should apply the 23.9.8 update immediately, per ConnectWise’s guidance.

Rapid7 customers

Our engineering team is researching new vulnerability checks for these issues. We hope to release vulnerability checks for InsightVM and Nexpose customers in tomorrow’s (February 21) content release. We will update this blog with further information and ETAs as our investigation continues.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to these vulnerabilities:

  • Attacker Technique – Remote Access Via ScreenConnect
  • Attacker Technique – Command Execution Via ScreenConnect
  • Suspicious Process – ScreenConnect with RunRole Argument

Patch Tuesday – February 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/02/13/patch-tuesday-february-2024/

Microsoft is addressing 73 vulnerabilities this February 2024 Patch Tuesday, including two zero-day/exploited-in-the-wild vulnerabilities, both of which are already included on the CISA KEV list. Today also brings patches for two critical remote code execution (RCE) vulnerabilities, and a critical elevation of privilege vulnerability in Exchange. Six browser vulnerabilities were published separately this month, and are not included in the total.

Windows SmartScreen: exploited-in-the-wild critical security bypass

CVE-2024-21351 describes a security feature bypass vulnerability in Windows SmartScreen, and Microsoft has already seen evidence of exploitation in the wild. An attacker must convince the user to open a malicious file; doing so bypasses the SmartScreen user experience and potentially allows code injection into SmartScreen to achieve remote code execution. Of interest: other critical SmartScreen bypass vulnerabilities from the past couple of years (e.g. CVE-2023-36025 from November 2023) have not included language describing code injection into SmartScreen itself, focusing instead on the security feature bypass only. Microsoft’s own researchers reported both CVE-2024-21351 and CVE-2023-36025.

Internet Shortcut files: exploited-in-the-wild security bypass

If further evidence were ever needed that clicking Internet Shortcut files from unknown sources is typically a bad idea, CVE-2024-21412 provides it. An attacker who convinces a user to open a malicious Internet Shortcut file can bypass the typical dialog which warns that “files from the internet can potentially harm your computer”. Microsoft notes that it has seen exploitation in the wild, although the requirement for user interaction helps keep the severity rating below critical, both for CVSS and Microsoft’s proprietary ranking system.

Microsoft Office: critical RCE

Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources. CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file. The Outlook Preview Pane is listed as an attack vector, and no user interaction is required. Microsoft assesses this vulnerability as a critical CVSSv3 base score of 9.8, as well as critical under their own proprietary severity ranking scale. Administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update KB articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.

Windows PGM: critical RCE

Microsoft is patching CVE-2024-21357, a flaw in Windows Pragmatic General Multicast (PGM). Although the CVSSv3 base score is a relatively mild 7.5 thanks to the high attack complexity and the same-subnet limitation of the attack, Microsoft rates this vulnerability as critical under its own proprietary severity scale. A discrepancy between the two severity ranking systems is always worth noting. A further clue that Microsoft considers this vulnerability particularly serious: patches are available for Windows Server 2008, which is now completely end of life. The advisory is light on detail when it comes to exploitation methods; other recent critical RCE vulnerabilities in Windows PGM have involved Microsoft Message Queuing Service.

Exchange: critical elevation of privilege

Exchange admins may have enjoyed a rare two-month break from patching, but this month sees the publication of CVE-2024-21410, a critical elevation of privilege vulnerability in Exchange. Microsoft explains that an attacker could use NTLM credentials previously acquired via another means to act as the victim on the Exchange server using an NTLM relay attack. One possible avenue for that credential acquisition: an NTLM credential-leaking vulnerability in Outlook such as CVE-2023-36761, which Rapid7 wrote about back in September 2023. Compounding the concern for defenders: Exchange 2016 is listed as affected, but no patch is yet listed on the CVE-2024-21410 advisory. Exchange 2019 patches are available for CU13 and the newly minted CU14 series. According to Microsoft, Exchange installations where Extended Protection for Authentication (EPA) is already enabled are protected, although Microsoft strongly recommends installing the latest Cumulative Update. Further resources are provided on the advisory, including Microsoft’s generic guidance on mitigating Pass the Hash-style attacks, as well as Microsoft’s Exchange Server Health Checker script, which includes an overview of EPA status. The Exchange 2019 CU14 update series enables EPA by default.

Lifecycle update

There are no significant end-of-lifecycle changes for Microsoft products this month.

Summary Charts

Chart captions (the charts themselves are images in the original post):

  • A big month for fans of Windows Data Access Components vulnerabilities.
  • RCE patches dominate yet again.
  • Most of those WDAC patches are for ESU Windows versions only.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21401 Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability No No 9.8
CVE-2024-21364 Microsoft Azure Site Recovery Elevation of Privilege Vulnerability No No 9.3
CVE-2024-21376 Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability No No 9
CVE-2024-21403 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-21329 Azure Connected Machine Agent Elevation of Privilege Vulnerability No No 7.3
CVE-2024-21381 Microsoft Azure Active Directory B2C Spoofing Vulnerability No No 6.8
CVE-2024-20679 Azure Stack Hub Spoofing Vulnerability No No 6.5
CVE-2024-21397 Microsoft Azure File Sync Elevation of Privilege Vulnerability No No 5.3

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20667 Azure DevOps Server Remote Code Execution Vulnerability No No 7.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21399 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.3
CVE-2024-1284 Chromium: CVE-2024-1284 Use after free in Mojo No No N/A
CVE-2024-1283 Chromium: CVE-2024-1283 Heap buffer overflow in Skia No No N/A
CVE-2024-1077 Chromium: CVE-2024-1077 Use after free in Network No No N/A
CVE-2024-1060 Chromium: CVE-2024-1060 Use after free in Canvas No No N/A
CVE-2024-1059 Chromium: CVE-2024-1059 Use after free in WebRTC No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21386 .NET Denial of Service Vulnerability No No 7.5
CVE-2024-21404 .NET Denial of Service Vulnerability No No 7.5

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21372 Windows OLE Remote Code Execution Vulnerability No No 8.8
CVE-2024-21350 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21352 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21358 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21360 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21361 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21366 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21369 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21375 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21420 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21359 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21365 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21367 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21368 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21370 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21391 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21349 Microsoft ActiveX Data Objects Remote Code Execution Vulnerability No No 8.8
CVE-2024-21363 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 7.8
CVE-2024-21354 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21406 Windows Printing Service Spoofing Vulnerability No No 7.5
CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 7.5
CVE-2024-21347 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 7.5
CVE-2024-21348 Internet Connection Sharing (ICS) Denial of Service Vulnerability No No 7.5
CVE-2024-21377 Windows DNS Information Disclosure Vulnerability No No 7.1
CVE-2024-21371 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2024-21355 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7
CVE-2024-21405 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7
CVE-2024-21356 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 6.5
CVE-2024-21343 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 5.9
CVE-2024-21344 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 5.9
CVE-2024-21340 Windows Kernel Information Disclosure Vulnerability No No 4.6
CVE-2023-50387 MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 9.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21395 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 8.2
CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability No No 8
CVE-2024-21327 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability No No 7.6
CVE-2024-21389 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2024-21393 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2024-21396 Dynamics 365 Sales Spoofing Vulnerability No No 7.6
CVE-2024-21328 Dynamics 365 Sales Spoofing Vulnerability No No 7.6
CVE-2024-21394 Dynamics 365 Field Service Spoofing Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability No No 9.8
CVE-2024-21378 Microsoft Outlook Remote Code Execution Vulnerability No No 8
CVE-2024-21379 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2024-20673 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2024-21384 Microsoft Office OneNote Remote Code Execution Vulnerability No No 7.8
CVE-2024-21402 Microsoft Outlook Elevation of Privilege Vulnerability No No 7.1
CVE-2024-20695 Skype for Business Information Disclosure Vulnerability No No 5.7
CVE-2024-21374 Microsoft Teams for Android Information Disclosure No No 5

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21315 Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21345 Windows Kernel Elevation of Privilege Vulnerability No No 8.8
CVE-2024-21353 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability Yes No 8.1
CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21346 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 7.6
CVE-2024-21342 Windows DNS Client Denial of Service Vulnerability No No 7.5
CVE-2024-21341 Windows Kernel Remote Code Execution Vulnerability No No 6.8
CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2024-21339 Windows USB Generic Parent Driver Remote Code Execution Vulnerability No No 6.4
CVE-2024-21362 Windows Kernel Security Feature Bypass Vulnerability No No 5.5
CVE-2024-21304 Trusted Compute Base Elevation of Privilege Vulnerability No No 4.1

Critical Fortinet FortiOS CVE-2024-21762 Exploited

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/

On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on FortiGate appliances, including those deployed as SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd (the SSL VPN daemon) that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.

According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred.

Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure.

Affected products

FortiOS versions vulnerable to CVE-2024-21762 include:

  • FortiOS 7.4.0 through 7.4.2
  • FortiOS 7.2.0 through 7.2.6
  • FortiOS 7.0.0 through 7.0.13
  • FortiOS 6.4.0 through 6.4.14
  • FortiOS 6.2.0 through 6.2.15
  • FortiOS 6.0 all versions
  • FortiProxy 7.4.0 through 7.4.2
  • FortiProxy 7.2.0 through 7.2.8
  • FortiProxy 7.0.0 through 7.0.14
  • FortiProxy 2.0.0 through 2.0.13
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
  • FortiProxy 1.0 all versions

Note: Fortinet’s advisory did not originally list FortiProxy as being vulnerable to this issue, but the bulletin was updated after publication to add affected FortiProxy versions.

Mitigation guidance

According to the Fortinet advisory, the following fixed versions remediate CVE-2024-21762:

  • FortiOS 7.4.3 or above
  • FortiOS 7.2.7 or above
  • FortiOS 7.0.14 or above
  • FortiOS 6.4.15 or above
  • FortiOS 6.2.16 or above
  • FortiOS 6.0 customers should migrate to a fixed release
  • FortiProxy 7.4.3 or above
  • FortiProxy 7.2.9 or above
  • FortiProxy 7.0.15 or above
  • FortiProxy 2.0.14 or above
  • FortiProxy 1.2, 1.1, and 1.0 customers should migrate to a fixed release

As a workaround, the advisory instructs customers to disable the SSL VPN with the added context that disabling the webmode is not a valid workaround. For more information and the latest updates, please refer to Fortinet’s advisory.
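The affected and fixed lists above are the raw material for an inventory check, and the recurring mistake when scripting one is comparing version strings lexically (so "7.10" sorts before "7.9"). As an added check, not code from Fortinet, ConnectWise or Rapid7, the Python below encodes the CVE-2024-21762 ranges exactly as listed in this post, compares builds numerically, and reports whether a given FortiOS or FortiProxy build is affected and what to upgrade to. The same numeric comparison covers the ScreenConnect statement earlier on this page that all versions before 23.9.8 are vulnerable. Function names, the `Version` alias and the build strings in the usage are assumptions; the ranges reflect the advisory as quoted here, so re-check the live advisory before relying on them.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Accepts "7.4.2", "v7.4.2 build2571" etc.; only the dotted numeric prefix counts.
_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> Version:
    """'v7.4.2 build2571' -> (7, 4, 2), so comparisons are numeric per component."""
    match = _VERSION_RE.match(text.strip().lstrip("vV"))
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def _pad(v: Version, width: int = 3) -> Version:
    """Right-pad with zeros so '7.4' compares as 7.4.0 against 7.4.x bounds."""
    return v + (0,) * (width - len(v))


# (product, first affected, last affected, fixed release) from the advisory as
# quoted above. last affected None = whole branch affected ("6.0 all versions");
# fixed None = no fixed build in that branch, migrate to a supported one.
CVE_2024_21762_RANGES: List[Tuple[str, str, Optional[str], Optional[str]]] = [
    ("FortiOS", "7.4.0", "7.4.2", "7.4.3"),
    ("FortiOS", "7.2.0", "7.2.6", "7.2.7"),
    ("FortiOS", "7.0.0", "7.0.13", "7.0.14"),
    ("FortiOS", "6.4.0", "6.4.14", "6.4.15"),
    ("FortiOS", "6.2.0", "6.2.15", "6.2.16"),
    ("FortiOS", "6.0", None, None),
    ("FortiProxy", "7.4.0", "7.4.2", "7.4.3"),
    ("FortiProxy", "7.2.0", "7.2.8", "7.2.9"),
    ("FortiProxy", "7.0.0", "7.0.14", "7.0.15"),
    ("FortiProxy", "2.0.0", "2.0.13", "2.0.14"),
    ("FortiProxy", "1.2", None, None),
    ("FortiProxy", "1.1", None, None),
    ("FortiProxy", "1.0", None, None),
]


def affected_range(product: str, version: str, ranges=CVE_2024_21762_RANGES):
    """Return the matching range tuple, or None when the build is outside every range."""
    v = parse_version(version)
    for entry in ranges:
        prod, low, high, _fixed = entry
        if prod != product:
            continue
        low_v = parse_version(low)
        if high is None:
            # Whole-branch entry: match on the branch prefix only.
            if v[: len(low_v)] == low_v:
                return entry
        elif _pad(low_v) <= _pad(v) <= _pad(parse_version(high)):
            return entry
    return None


def is_affected(product: str, version: str) -> bool:
    return affected_range(product, version) is not None


def remediation(product: str, version: str) -> str:
    """Action for a given build, phrased the way the advisory phrases it."""
    entry = affected_range(product, version)
    if entry is None:
        return "not affected"
    fixed = entry[3]
    return f"upgrade to {fixed} or above" if fixed else "migrate to a fixed release"


def is_before(version: str, fixed: str) -> bool:
    """True when `version` sorts below `fixed`: the shape of 'all versions before
    23.9.8' statements such as the ScreenConnect one."""
    return _pad(parse_version(version)) < _pad(parse_version(fixed))


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    for product, build in [("FortiOS", "v7.4.2 build2571"), ("FortiOS", "7.2.7"),
                           ("FortiProxy", "1.2.13"), ("FortiOS", "6.0.17")]:
        print(f"{product} {build}: {remediation(product, build)}")
    print("ScreenConnect 23.9.7 vulnerable:", is_before("23.9.7", "23.9.8"))
```

Note the two different rules the advisory implies: bounded branches need an inclusive low/high comparison, while "6.0 all versions" and the FortiProxy 1.x branches are prefix matches with no fixed build, which is why `remediation` returns a migration instruction rather than a version for them.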

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to FortiOS CVE-2024-21762 with a vulnerability check available in the Friday, February 9 content release.

Patch Tuesday – January 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/01/09/patch-tuesday-january-2024/

Microsoft is addressing 49 vulnerabilities this January 2024 Patch Tuesday, including a single critical remote code execution vulnerability. Four browser vulnerabilities were published separately this month, and are not included in the total. No zero-day vulnerabilities are published or patched today.

Hyper-V: critical remote code execution

CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.

FBX 3D models in Office: arbitrary code execution

A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion. In a related blog post, Microsoft recommends avoiding FBX and instead making use of the GLB 3D file format from now on. The blog post also provides instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommends against this. Silver lining: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.

SharePoint: remote code execution

SharePoint admins should take note of CVE-2024-21318. Successful exploitation allows an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain. The advisory does mention that exploitation requires that an attacker must already be authenticated as “at least a Site Owner,” although it’s not clear what level of privilege above Site Owner is implicated here; a user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.

Windows Kerberos: MitM security feature bypass

All current versions of Windows receive a patch for CVE-2024-20674, which describes a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network. Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely.

Exchange: no security patches two months in a row

Exchange admins bracing themselves for extra security patches this month after the lack of Exchange security patches last month are once again given a reprieve: there are no security patches for Exchange released today.

Microsoft products lifecycle update

A number of Microsoft products transition from mainstream support to extended support as of today: Exchange Server 2019, Hyper-V Server 2019, SharePoint Server 2019, Skype for Business 2019 (both client and server), as well as various facets of Windows 10: Enterprise LTSC 2019, IoT Core LTSC, IoT Enterprise LTSC 2019, IoT LTSC 2019 Core, Windows Server 2019, Windows Server IoT 2019, and Windows Server IoT 2019 for Storage. Also moving to extended support: Dynamics SL 2018 and Project Server 2019. During the extended support lifecycle phase, Microsoft continues to provide security updates, but does not typically release new features. Extended support is not available for Microsoft consumer products.

Today marks the end of the road for Microsoft Dynamics CRM 2013, which moves past the end of extended support. No ESU program is available, so admins must move to a newer version of Dynamics CRM to continue receiving security updates.

Summary Charts

[Chart: Patch Tuesday - January 2024] Hyper-V always worth defender attention.
[Chart: Patch Tuesday - January 2024] Remote Code Execution reclaims the top spot.
[Chart: Patch Tuesday - January 2024] Windows Message Queuing is now a perennial feature of Patch Tuesday.

Summary Tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | No | No | 8 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-0225 | Chromium: CVE-2024-0225 Use after free in WebGPU | No | No | N/A |
| CVE-2024-0224 | Chromium: CVE-2024-0224 Use after free in WebAudio | No | No | N/A |
| CVE-2024-0223 | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | No | No | N/A |
| CVE-2024-0222 | Chromium: CVE-2024-0222 Use after free in ANGLE | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-0057 | .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability | No | No | 9.1 |
| CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 |

Developer Tools Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-21319 | Microsoft Identity Denial of service vulnerability | No | No | 6.8 |

Developer Tools SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | No | No | 8.7 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | No | No | 9 |
| CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20652 | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 7.5 |
| CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2024-21320 | Windows Themes Spoofing Vulnerability | No | No | 6.5 |
| CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | No | No | 6.5 |
| CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | No | No | 6.5 |
| CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | No | No | 5.7 |
| CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | No | No | 4.9 |
| CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | No | No | 4.7 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.6 |
| CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | No | No | 6.5 |
| CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | No | No | 6.1 |
| CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | No | No | 5.7 |
| CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.5 |
| CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | No | No | 4.4 |
| CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | No | No | N/A |

Windows Mariner vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2022-35737 | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | No | No | N/A |

Mastering Industrial Cybersecurity: The Significance of Combining Vulnerability Management with Detection and Response

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/28/mastering-industrial-cybersecurity-the-significance-of-combining-vulnerability-management-with-detection-and-response/

Written by Elad Ben-Meir, CEO SCADAfence, a Honeywell company.

In today’s digital era, where industries are increasingly reliant on advanced technologies, safeguarding critical infrastructure against cyber threats has become paramount. The convergence of operational technology (OT) and information technology (IT) has ushered in new efficiencies but has also exposed vulnerabilities. This article explores the pivotal role of Vulnerability Management and Detection and Response (VM/DR) in the realm of Industrial Cybersecurity.

Introduction to Industrial Cybersecurity

In an interconnected world, the importance of cybersecurity cannot be overstated. In industrial settings, where the consequences of cyberattacks can extend beyond data breaches to impact physical safety and operational continuity, cybersecurity is a top priority. This article delves into the significance of VM/DR in fortifying industrial cybersecurity defenses.

Vulnerability Management and Detection and Response (VM/DR) in Industrial Context

VM/DR is not a mere buzzword but a proactive strategy for combating the ever-evolving cyber threats facing industrial organizations, which must do so with a small talent pool from which to hire. It entails continuous monitoring, rapid threat detection, and efficient incident response, combined with an understanding of the industrial processes these technologies control. In the context of industrial operations, VM/DR takes on added significance because it safeguards critical processes from disruption.

The Core Components of Industrial VM/DR

A successful VM/DR program in an industrial setting comprises several key components:

  • Real-time threat monitoring: This involves continuous surveillance of network traffic and system activities to detect anomalies and potential threats.
  • Incident detection and analysis: Rapid identification and thorough analysis of security incidents are crucial for timely response and mitigation.
  • Incident response and remediation: An effective response strategy is vital to minimize the impact of cyber incidents and promptly restore normal operations.

These components work in tandem to provide a comprehensive security shield against industrial cyber threats.

Utilizing SCADAfence’s real-time passive threat monitoring alongside Rapid7’s InsightVM and InsightIDR products allows for industrial-focused threats to be detected, analyzed, responded to, and remediated in a timely manner.

Industrial-Specific Threats and Vulnerabilities

In the industrial landscape, cyber threats go beyond traditional IT concerns. Attack vectors extend to Industrial Control Systems (ICS), which govern critical processes. Vulnerabilities unique to OT systems, such as legacy equipment and proprietary protocols, pose additional challenges. Understanding these threats is essential for effective protection.

The Landscape of Industrial Threats and Vulnerabilities

Industrial systems are the backbone of modern society, controlling everything from power grids to manufacturing processes. With connectivity becoming ubiquitous, these systems have become prime targets for malicious actors.

Reference: According to a report by IBM X-Force, attacks on industrial systems increased by over 2000% in 2020, highlighting the growing threat landscape in the industrial sector.

Legacy Systems and Proprietary Protocols

Many industrial environments still rely on legacy systems that were not designed with modern cybersecurity in mind. These aging systems often run on proprietary protocols, making them vulnerable to exploitation.

Reference: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has noted an increase in vulnerabilities related to legacy systems and proprietary protocols in their annual reports.

Human Error and Insider Threats

Human error remains a significant factor in industrial incidents. Insider threats, whether intentional or unintentional, can have catastrophic consequences in industrial settings.

Reference: A study by Ponemon Institute found that 57% of industrial organizations surveyed had experienced at least one insider threat incident in the past year.

Supply Chain Vulnerabilities

Industrial systems rely on a complex network of suppliers and vendors. Weak links in the supply chain can introduce vulnerabilities that adversaries could exploit.

Reference: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts about supply chain vulnerabilities in industrial control systems.

IoT and Edge Devices

The proliferation of Internet of Things (IoT) devices and edge computing has expanded the attack surface in industrial environments. These devices are often inadequately secured.

Reference: A report from Kaspersky highlights a 46% increase in attacks on IoT devices in the first half of 2020, with many incidents affecting industrial sectors.

Ransomware Targeting Critical Infrastructure

Ransomware attacks have evolved to target critical infrastructure, disrupting essential services and demanding hefty ransoms.

Reference: The Colonial Pipeline ransomware attack in May 2021 brought widespread attention to the threat of ransomware against critical infrastructure.

Integration with Existing Workflows/Playbooks

VM/DR is not a standalone solution but a complement to existing industrial workflows and/or playbooks. It bridges the gap between IT and OT, breaking down silos that often hinder effective cybersecurity. By integrating VM/DR seamlessly into existing processes, organizations can enhance their ability to promptly respond to threats. Having detailed playbooks with key operational Points of Contact (POC) helps to reduce dead time when dealing with a business and process interruption inside of an industrial process.

Implementing response and action plans within the organization’s current workflows helps analysts communicate in operational terms and expedites remediation directly in the field. It also reconciles IT’s priority order of Confidentiality, Integrity, and Availability (CIA) with OT’s priority order of Availability, Integrity, and Confidentiality (AIC).

Measuring Success with Key Performance Indicators (KPIs)

Success in industrial VM/DR can be quantified through various KPIs:

  • Time to Detect (TTD): The speed at which threats are identified
  • Time to Respond (TTR): The efficiency of incident response
  • Incident Resolution Rate: The effectiveness of mitigation efforts

These KPIs provide a tangible measure of an organization’s cybersecurity resilience.

Collaboration between IT and OT

The collaboration between IT and OT teams is pivotal in industrial cybersecurity. VM/DR serves as a unifying force, facilitating communication and coordination between these traditionally separate domains. This collaboration is vital for the timely identification and mitigation of threats.

Compliance and Regulatory Considerations

Industrial organizations are subject to various cybersecurity regulations and standards such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP). NERC CIP regulatory compliance is a set of mandatory cybersecurity standards and requirements designed to safeguard the North American power grid’s critical infrastructure.

These regulations are a response to the increasing cybersecurity threats faced by the energy sector. NERC CIP compliance mandates that electric utilities and power generation companies establish and maintain robust cybersecurity programs, including measures such as access controls, incident response planning, and regular security assessments. The primary goal of NERC CIP is to ensure the reliable operation of the electric grid while minimizing vulnerabilities to cyberattacks, thus safeguarding the continuous supply of electricity to homes, businesses, and critical infrastructure across North America. Compliance with NERC CIP is essential to maintain the security and resilience of the energy sector in the face of evolving cybersecurity threats.

Implementing a compliance governance portal is a strategic move for organizations seeking to streamline and centralize their compliance management efforts. Such a portal serves as a centralized platform where compliance policies, procedures, and documentation can be efficiently stored, accessed, and monitored. It facilitates real-time tracking of compliance activities, automates workflow processes, and provides a comprehensive view of the organization’s adherence to regulatory requirements.

This not only enhances transparency and accountability but also simplifies reporting and auditing. The implementation of a compliance governance portal empowers organizations to proactively manage risk, ensure regulatory adherence, and respond swiftly to compliance-related challenges, ultimately fostering a culture of compliance throughout the organization. VM/DR plays a crucial role in helping organizations meet compliance requirements, providing assurance to regulators and stakeholders.

Securing the Future

In the face of relentless cyber threats, mastering industrial cybersecurity is not a luxury – it’s a necessity. VM/DR is the linchpin that empowers organizations to fortify their defenses, protect critical infrastructure, and ensure operational continuity in an increasingly digital world.

As digital transformation continues, industrial VM/DR represents a proactive, adaptive, and collaborative approach to safeguarding the backbone of our society. It’s time for industrial organizations to embrace VM/DR and secure their future.

Patch Tuesday – December 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/12/12/patch-tuesday-december-2023/

Microsoft is addressing 34 vulnerabilities this December Patch Tuesday, including a single zero-day vulnerability and three critical remote code execution (RCE) vulnerabilities. December Patch Tuesday has historically seen fewer patches than a typical month, and this trend continues in 2023. This total does not include eight browser vulnerabilities published earlier this month. At time of writing, none of the vulnerabilities patched today are yet added to the CISA KEV list.

Certain AMD processors: zero-day information disclosure

This month’s lone zero-day vulnerability is CVE-2023-20588, which describes a potential information disclosure due to a flaw in certain AMD processor models as listed on the AMD advisory. AMD states that a divide-by-zero on these processor models could potentially return speculative data. AMD believes the potential impact of the vulnerability is low since local access is required; however, Microsoft ranks severity as important under its own proprietary severity scale. The vulnerability is patched at the OS level in all supported versions of Windows, even as far back as Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update (ESU) program.

Outlook: no-interaction critical RCE

CVE-2023-35628 describes a critical RCE vulnerability in the MSHTML proprietary browser engine still used by Outlook, among others, to render HTML content. Of particular note: the most concerning exploitation scenario leads to exploitation as soon as Outlook retrieves and processes the specially crafted malicious email. This means that exploitation could occur before the user interacts with the email in any way; not even the Preview Pane is required in this scenario. Other attack vectors exist: the user could also click a malicious link received via email, instant message, or other medium. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11.

Internet Connection Sharing: critical RCE

This month also brings patches for a pair of critical RCE vulnerabilities in Internet Connection Sharing. CVE-2023-35630 and CVE-2023-35641 share a number of similarities: a base CVSS v3.1 score of 8.8, Microsoft critical severity ranking, low attack complexity, and presumably execution in SYSTEM context on the target machine, although the advisories do not specify execution context. Description of the exploitation method does differ between the two, however. CVE-2023-35630 requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. Exploitation of CVE-2023-35641 is also via a maliciously crafted DHCP message to an ICS server, but the advisory gives no further clues. A broadly similar ICS vulnerability in September 2023 led to RCE in a SYSTEM context on the ICS server. In all three cases, a mitigating factor is the requirement for the attack to be launched from the same network segment as the ICS server. It seems improbable that either of this month’s ICS vulnerabilities are exploitable against a target on which ICS is not running, although Microsoft does not explicitly deny the possibility.
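As an added illustration of the length-field check involved in parsing options of this kind (not Microsoft’s code, and not a reproduction of either ICS bug), the following walks the options of a DHCPv6 Information-Request using the wire layout from RFC 8415 and rejects any option whose declared option-len exceeds the bytes actually remaining; the sample messages, including the one with a tampered length, are constructed inline.

```python
"""Length-checked walk over the options of a DHCPv6 Information-Request.

Added example, not Microsoft's code and not a reproduction of CVE-2023-35630
or CVE-2023-35641. It shows the bounds check a consumer of DHCPv6 options
needs, using the wire layout from RFC 8415. Sample messages are constructed.
"""
import struct
from typing import List, Tuple

MSG_INFORMATION_REQUEST = 11      # RFC 8415 message type
OPTION_CLIENTID = 1
OPTION_ORO = 6                    # Option Request Option
OPTION_ELAPSED_TIME = 8

Option = Tuple[int, bytes]


class MalformedDhcpv6(ValueError):
    """Raised when a declared length disagrees with the bytes actually present."""


def parse_options(buf: bytes, offset: int) -> List[Option]:
    """Return (option-code, option-data) pairs. Every option-len is validated
    against the bytes remaining *before* it is used to slice or copy."""
    options: List[Option] = []
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < 4:                     # need a full 4-byte option header
            raise MalformedDhcpv6(f"truncated option header at offset {offset}")
        code, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        remaining -= 4
        if length > remaining:                # the check a trusting parser omits
            raise MalformedDhcpv6(
                f"option {code} declares {length} bytes but only {remaining} remain")
        options.append((code, buf[offset:offset + length]))
        offset += length
    return options


def parse_message(buf: bytes) -> Tuple[int, bytes, List[Option]]:
    """Split a client message into (msg-type, transaction-id, options)."""
    if len(buf) < 4:
        raise MalformedDhcpv6("message shorter than the 4-byte fixed header")
    msg_type = buf[0]
    xid = buf[1:4]                            # 3-byte transaction-id
    return msg_type, xid, parse_options(buf, 4)


def build_information_request(xid: bytes, options: List[Option]) -> bytes:
    """Encode a well-formed Information-Request (used here only to build test input)."""
    if len(xid) != 3:
        raise ValueError("transaction-id is 3 bytes")
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([MSG_INFORMATION_REQUEST]) + xid + body


def check(buf: bytes) -> str:
    """Classify a message as 'ok' or 'rejected: <reason>' without raising."""
    try:
        parse_message(buf)
        return "ok"
    except MalformedDhcpv6 as exc:
        return f"rejected: {exc}"


# Constructed sample: a valid request carrying Client-ID (a made-up DUID-LLT),
# an ORO asking for DNS servers (23) and domain list (24), and Elapsed-Time.
SAMPLE_REQUEST = build_information_request(
    b"\x12\x34\x56",
    [
        (OPTION_CLIENTID, b"\x00\x01\x00\x01\x2a\x00\x00\x00\x02\x00\x00\x00\x00\x01"),
        (OPTION_ORO, struct.pack("!HH", 23, 24)),
        (OPTION_ELAPSED_TIME, b"\x00\x00"),
    ],
)

# Constructed bad input: the same request with the last option-len raised to
# 0xFFFF while only two data bytes follow the header.
TAMPERED_REQUEST = (
    SAMPLE_REQUEST[:-6]
    + struct.pack("!HH", OPTION_ELAPSED_TIME, 0xFFFF)
    + SAMPLE_REQUEST[-2:]
)

if __name__ == "__main__":
    print("well-formed:", check(SAMPLE_REQUEST))
    print("tampered:   ", check(TAMPERED_REQUEST))
    print("truncated:  ", check(SAMPLE_REQUEST[:-1]))
```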

Holiday season update

Notable by their absence this month: no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server. There are also no lifecycle transitions for Microsoft products this month, although a number of Windows Server 2019 editions and Office components will transition out of mainstream support and into extended support from January 2024.

Summary Charts

[Chart: Patch Tuesday - December 2023] Sharing is caring, unless it’s exploitative.
[Chart: Patch Tuesday - December 2023] A rare occurrence: Remote Code Execution not in the top spot.
[Chart: Patch Tuesday - December 2023] Fewer vulns this month overall means less variation in the heatmap.

Summary Tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | No | No | 4.7 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 9.6 |
| CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.8 |
| CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.3 |
| CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | No | No | N/A |
| CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | No | No | N/A |
| CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | No | No | N/A |
| CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | No | No | N/A |
| CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | No | No | N/A |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | No | No | 7.5 |
| CVE-2023-35622 | Windows DNS Spoofing Vulnerability | No | No | 7.5 |
| CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | No | Yes | N/A |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | No | No | 7.5 |

Microsoft Dynamics Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | No | No | 9.6 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | No | No | 5.3 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | No | No | 7.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | No | No | 7.8 |
| CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | No | No | 5.5 |

Patch Tuesday – November 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/11/14/patch-tuesday-november-2023/

Microsoft is addressing 64 vulnerabilities this November Patch Tuesday, including five zero-day vulnerabilities as well as one critical remote code execution (RCE) vulnerability. Overall, this month sees significantly fewer vulnerabilities addressed across a smaller number of products than has been typical of Patch Tuesday over the past year or two. Browser vulnerabilities account for 20 of the 64 vulnerabilities patched, and 14 of those are republished third-party vulnerabilities in Chromium.

Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Windows SmartScreen: zero-day bypass

CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious Internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

Windows DWM: zero-day EoP

Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033, an elevation of privilege (EoP) vulnerability which Microsoft notes is both publicly disclosed and exploited in the wild. Exploitation leads to SYSTEM privileges, but Microsoft does not provide any further guidance on the attack mechanism.

Windows Cloud Files mini driver: zero-day EoP

Microsoft is patching CVE-2023-36036, an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. No details of the attack mechanism are provided in the advisory, but exploitation leads to SYSTEM privileges.

Office Protected View: zero-day bypass

CVE-2023-36413 describes a publicly disclosed Microsoft Office security feature bypass. A user who opens a specially crafted malicious file would find themselves in Editing mode, rather than Protected View, and would thus lose out on warning banners and other defenses designed to detect and quarantine malicious code in Office documents.

ASP.NET Core: zero-day DoS

CVE-2023-36038 describes an ASP.NET Core denial of service (DoS) attack, which affects only .NET 8 RC 1 running on the IIS InProcess hosting model. The mechanism of the attack is resource exhaustion on the web server via cancellation of requests; this sounds very similar to last month’s CVE-2023-44487, dubbed “Rapid Reset”. However, there’s no mention of HTTP/2 in the advisory for CVE-2023-36038.

Fewer critical vulns this month

Only three vulnerabilities patched this month qualify as Critical under Microsoft’s proprietary severity ranking scale: one each in Windows Pragmatic General Multicast (PGM), the Azure CLI, and Windows HMAC Key Derivation.

Windows PGM: critical RCE via MSMQ

CVE-2023-36397 describes an RCE vulnerability in Windows PGM. As with similar previous vulnerabilities, an attacker can send a specially crafted file over the network to attempt malicious code execution on the target asset. Only systems where the Windows Message Queuing service (MSMQ) is enabled are exploitable, and it isn't part of a default Windows installation. However, as Rapid7 has noted previously, administrators should be aware that a number of applications, including Microsoft Exchange, quietly introduce MSMQ as part of their own installation routine.

Hyper-V: critical VM escape

Attackers looking to escape from a low privilege Hyper-V guest OS and execute code as SYSTEM on the Hyper-V host system will take note of CVE-2023-36400. Successful exploitation requires running a specially crafted application in the context of the guest OS to exploit a weakness in Windows HMAC Key Derivation, so some prior access is required.

Azure CLI: critical credential leak via log files

The Azure CLI tool prior to version 2.53.1 does not sufficiently redact information published to log files in certain contexts, allowing recovery of plaintext(!) usernames and passwords. The advisory for CVE-2023-36052 notes that log files stored in open-source repositories are a potential avenue for credential leaks in this context. Although Microsoft understandably hasn’t provided any specific examples, it’s unlikely that they would mention this if they weren’t aware of one or more real world examples.

Exchange: RCE, spoofing, and ZDI disclosures

Patch Tuesday typically sees at least one Exchange remote code execution vulnerability fixed, and this month is no exception. Exploitation of CVE-2023-36439 requires that the attacker have valid credentials for an Exchange user and be present on the local network, but grants execution as NT AUTHORITY\SYSTEM on the Exchange server host; this is a built-in account with extensive privileges, including the ability to act as the computer on the network.

A trio of Exchange server spoofing vulnerabilities — CVE-2023-36035 CVE-2023-36039 and CVE-2023-36050 — are also patched today. Successful exploitation requires that an attacker be present on the local network with valid Exchange credentials, but can lead to exposure of credentials or an NTLM hash for other users. Two of these vulnerabilities are exploited via PowerShell remoting.

Somewhat conspicuous by their absence: four flaws in Exchange published by Trend Micro’s Zero Day Initiative (ZDI) on 2023-11-02 do not appear to have received patches today. Microsoft had previously told ZDI that these vulnerabilities did not require immediate servicing. Since Microsoft is the CVE Numbering Authority (CNA) for its own products, there are no publicly available CVE numbers for these vulnerabilities yet.

cURL: patch for much-anticipated vuln

Microsoft admins who have been waiting for a patch for last month’s cURL SOCKS5 vulnerability CVE-2023-38545 will be pleased to see that Microsoft has included curl.exe 8.4.0 as part of the November updates for current versions of Windows. Many observers ultimately concluded that this vulnerability was perhaps of more limited scope and attacker value than the pre-publication buzz may have suggested, but a patch is always appreciated.

Is it 23H2 already?

A new arrival: Windows 11 23H2 was released on 2023-10-31 across all editions, and receives its first patches today.

Summary Charts

  • All those Edge vulns make the Exchange bar look smaller.
  • A big month for Elevation of Privilege!
  • Very few Critical vulns this month, but more Moderate than we often see.
  • A cluster of Microsoft Dynamics spoofing and XSS vulns.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38151 Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability No No 8.8
CVE-2023-36437 Azure DevOps Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability No No 8.6
CVE-2023-36021 Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability No No 8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36034 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.3
CVE-2023-36014 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.3
CVE-2023-36024 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36027 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36022 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 6.6
CVE-2023-36029 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2023-5996 Chromium: CVE-2023-5996 Use after free in WebAudio No No N/A
CVE-2023-5859 Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture No No N/A
CVE-2023-5858 Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider No No N/A
CVE-2023-5857 Chromium: CVE-2023-5857 Inappropriate implementation in Downloads No No N/A
CVE-2023-5856 Chromium: CVE-2023-5856 Use after free in Side Panel No No N/A
CVE-2023-5855 Chromium: CVE-2023-5855 Use after free in Reading Mode No No N/A
CVE-2023-5854 Chromium: CVE-2023-5854 Use after free in Profiles No No N/A
CVE-2023-5853 Chromium: CVE-2023-5853 Incorrect security UI in Downloads No No N/A
CVE-2023-5852 Chromium: CVE-2023-5852 Use after free in Printing No No N/A
CVE-2023-5851 Chromium: CVE-2023-5851 Inappropriate implementation in Downloads No No N/A
CVE-2023-5850 Chromium: CVE-2023-5850 Incorrect security UI in Downloads No No N/A
CVE-2023-5849 Chromium: CVE-2023-5849 Integer overflow in USB No No N/A
CVE-2023-5482 Chromium: CVE-2023-5482 Insufficient data validation in USB No No N/A
CVE-2023-5480 Chromium: CVE-2023-5480 Inappropriate implementation in Payments No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36560 ASP.NET Security Feature Bypass Vulnerability No No 8.8
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability No Yes 8.2
CVE-2023-36018 Visual Studio Code Jupyter Extension Spoofing Vulnerability No No 7.8
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability No No 7.6
CVE-2023-36042 Visual Studio Denial of Service Vulnerability No No 6.2
CVE-2023-36558 ASP.NET Core – Security Feature Bypass Vulnerability No No 6.2

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36397 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-36017 Windows Scripting Engine Memory Corruption Vulnerability No No 8.8
CVE-2023-36402 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36719 Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability No No 8.4
CVE-2023-36425 Windows Distributed File System (DFS) Remote Code Execution Vulnerability No No 8
CVE-2023-36393 Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-36705 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36424 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-36395 Windows Deployment Services Denial of Service Vulnerability No No 7.5
CVE-2023-36392 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability No No 7.2
CVE-2023-36401 Microsoft Remote Registry Service Remote Code Execution Vulnerability No No 7.2
CVE-2023-36403 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-36398 Windows NTFS Information Disclosure Vulnerability No No 6.5
CVE-2023-36428 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.5

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36007 Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability No No 7.6
CVE-2023-36410 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36031 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36016 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.2
CVE-2023-36030 Microsoft Dynamics 365 Sales Spoofing Vulnerability No No 6.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability No No 7.8
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-36413 Microsoft Office Security Feature Bypass Vulnerability No Yes 6.5
CVE-2023-38177 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 6.1

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36422 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36043 Open Management Infrastructure Information Disclosure Vulnerability No No 6.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36028 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-36400 Windows HMAC Key Derivation Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36408 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36407 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability Yes Yes 7.8
CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36047 Windows Authentication Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36399 Windows Storage Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36046 Windows Authentication Denial of Service Vulnerability No No 7.1
CVE-2023-36394 Windows Search Service Elevation of Privilege Vulnerability No No 7
CVE-2023-36405 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-36427 Windows Hyper-V Elevation of Privilege Vulnerability No No 7
CVE-2023-36404 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36406 Windows Hyper-V Information Disclosure Vulnerability No No 5.5
CVE-2023-24023 Mitre: CVE-2023-24023 Bluetooth Vulnerability No No N/A

Updates

  • 2023-11-14: Shortly after initial publication, some Microsoft advisory web pages were not listing any patches, although patches did exist. Microsoft appears to have remediated the issue with the advisory web pages. Removed a paragraph from the blog which mentioned this.

Setup of Discovery Connection Azure

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/08/setup-of-discovery-connection-azure/

Setup of Discovery Connection Azure

By: fuzzy borders

Are you having trouble trying to get your Azure assets into your InsightVM security console? In this blog post, we wanted to bring additional insight into leveraging the Azure Discovery Connection with InsightVM.

This blog post is brought to you by the Fuzzy Borders project, whose members come from different teams across Rapid7. Our goal is to find answers for requests that may fall into gray (fuzzy) areas. Our past work includes example API calls and SQL queries for InsightVM Security Consoles.

We hope this blog will help you get started with assessing your Azure virtual machines in InsightVM.

There are 3 main areas of configuration: Azure App Registration, IAM Subscription, and InsightVM Discovery Connection configuration.

Here is the overview of the steps:

Azure Configuration

  1. App Registration
  2. API Permissions
  3. Generate and Save the Secret Value
  4. IAM role permissions (Subscriptions Tab)
  5. Attach Reader role to App Registration

InsightVM Discovery Connection Configuration
Prerequisite: Allow outbound traffic to Azure from the InsightVM console server.

  1. Create a new site for Azure assets*
  2. Create Azure Discovery Connection
  3. Enter the Azure Tenant ID, Application ID, and client secret Value

*The Azure Site should be dedicated to this discovery connection only.

Please keep note of the following items:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret Value (not the Secret ID)

Configure Azure

We need to establish trust between Rapid7 and Azure. In the Azure portal, click on "App registrations", then click New registration.

Enter a display name for the application and click Register at the bottom. In this example we use "FuzzyDiscovery". We leave the other values at their defaults.

Once you click Register, the portal shows the Application (client) ID and the Directory (tenant) ID, both of which are required in later steps.

Tip:
Either take a screenshot or copy and paste both the Application and Directory ID to a secure location to reference later.

Generate and Save the Secret Value

Click on Certificates & secrets, then Client secrets, and add a New client secret.

Important Note: We require the generated client secret Value, not the Secret ID. The Value is displayed only once, immediately after creation, so copy it to a secure location before leaving the page. Choose an expiry that matches your credential rotation policy: when the secret expires, the discovery connection stops working until a new secret is generated and entered in the console.

Configure API Permissions

Click on "Add a permission", choose Microsoft Graph, search for and select Directory.Read.All, and then click Grant admin consent. Application permissions (rather than Delegated) are the ones that apply here, because the console authenticates with the client secret and no signed-in user.

Subscription Access

Click Home, then Subscriptions, and open the subscription whose virtual machines you want to discover, to set up the IAM role assignment.

In the subscription page, click Access control (IAM), and click Add role assignment under "Grant access to this resource".

Select the Reader role. Reader is read-only and is all the discovery connection needs; do not grant Contributor or Owner.

Under Members, select the app registration created earlier. (Example: FuzzyDiscovery)

Role assignments are scoped, so repeat this step on every subscription you want InsightVM to discover.

Configure Console
Prerequisite: Allow outbound access to Azure https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#preparing-insightvm

Create a dedicated new Site as a Destination for your Azure assets https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#adding-a-microsoft-azure-connection

Create Azure Discovery Connection

Navigate to Administration, click Discovery Connections, and create a new connection for Azure. From the Azure app registration, fill out:

  • Tenant ID (the Directory ID)
  • Application ID
  • Application Secret: the client secret Value previously generated in Azure

Please note: In the case the secret was not saved previously, a new secret will have to be generated, and the previously generated secret can be revoked.
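The portal steps above, carried out end to end from PowerShell with the Azure CLI. This is an added example and not part of the original post or Rapid7's documentation. It assumes `az login` has already been run as a user who can create app registrations, grant admin consent and assign roles on the target subscription, and that the Azure CLI is version 2.37 or later (earlier versions return `objectId` rather than `id` from `az ad sp create`). The display names are illustrative; the two GUIDs are Microsoft's well-known identifiers for the Microsoft Graph API and its Directory.Read.All application permission.

```powershell
# Added example: scripted equivalent of the Azure portal steps for an
# InsightVM Azure discovery connection. Run after `az login`.
$DisplayName    = 'FuzzyDiscovery'                         # illustrative name
$SubscriptionId = (az account show --query id -o tsv)      # current subscription
$TenantId       = (az account show --query tenantId -o tsv)
$GraphApiId     = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph (well-known)
$DirReadAllRole = '7ab1d382-f21e-4acd-a863-ba3e13f7da61'   # Directory.Read.All, Application type

# 1. App registration
$app   = az ad app create --display-name $DisplayName | ConvertFrom-Json
$appId = $app.appId

# 2. Service principal, so the app can be a role assignment member and receive consent
$sp = az ad sp create --id $appId | ConvertFrom-Json
Start-Sleep -Seconds 15   # allow directory replication before granting consent

# 3. API permission (Application type, hence "=Role") plus admin consent
az ad app permission add --id $appId --api $GraphApiId --api-permissions "$DirReadAllRole=Role"
az ad app permission admin-consent --id $appId

# 4. Client secret. The password is returned only here; store it in a vault, not a script.
$cred   = az ad app credential reset --id $appId --years 1 --display-name 'InsightVM' | ConvertFrom-Json
$secret = $cred.password

# 5. Least-privilege Reader role, scoped to the one subscription being discovered
az role assignment create --assignee-object-id $sp.id --assignee-principal-type ServicePrincipal `
    --role Reader --scope "/subscriptions/$SubscriptionId"

# The three values the InsightVM discovery connection form asks for
[pscustomobject]@{
    TenantId      = $TenantId
    ApplicationId = $appId
    ClientSecret  = $secret   # paste into the console, then clear it from the session
}
```

Reader at subscription scope is deliberately the only role granted; if the connection must cover several subscriptions, repeat step 5 per subscription rather than widening the scope to the management group.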

Troubleshooting Tips:

In the InsightVM console logs, review the eso.log for any errors and provide logs to support via a case.

Now available: Building a scalable vulnerability management program on AWS

Post Syndicated from Anna McAbee original https://aws.amazon.com/blogs/security/now-available-how-to-build-a-scalable-vulnerability-management-program-on-aws/

Vulnerability findings in a cloud environment can come from a variety of tools and scans depending on the underlying technology you’re using. Without processes in place to handle these findings, they can begin to mount, often leading to thousands to tens of thousands of findings in a short amount of time. We’re excited to announce the Building a scalable vulnerability management program on AWS guide, which includes how you can build a structured vulnerability management program, operationalize tooling, and scale your processes to handle a large number of findings from diverse sources.

Building a scalable vulnerability management program on AWS focuses on the fundamentals of building a cloud vulnerability management program, including traditional software and network vulnerabilities and cloud configuration risks. The guide covers how to build a successful and scalable vulnerability management program on AWS through preparation, enabling and configuring tools, triaging findings, and reporting.

Targeted outcomes

This guide can help you and your organization with the following:

  • Develop policies to streamline vulnerability management and maintain accountability.
  • Establish mechanisms to extend the responsibility of security to your application teams.
  • Configure relevant AWS services according to best practices for scalable vulnerability management.
  • Identify patterns for routing security findings to support a shared responsibility model.
  • Establish mechanisms to report on and iterate on your vulnerability management program.
  • Improve security finding visibility and help improve overall security posture.

Using the new guide

We encourage you to read the entire guide before taking action or building a list of changes to implement. After you read the guide, assess your current state compared to the action items and check off the items that you’ve already completed in the Next steps table. This will help you assess the current state of your AWS vulnerability management program. Then, plan short-term and long-term roadmaps based on your gaps, desired state, resources, and business needs. Building a cloud vulnerability management program often involves iteration, so you should prioritize key items and regularly revisit your backlog to keep up with technology changes and your business requirements.

Further information

For more information and to get started, see the Building a scalable vulnerability management program on AWS.

We greatly value feedback and contributions from our community. To share your thoughts and insights about the guide, your experience using it, and what you want to see in future versions, select Provide feedback at the bottom of any page in the guide and complete the form.

 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Author

Anna McAbee

Anna is a Security Specialist Solutions Architect focused on threat detection and incident response at AWS. Before AWS, she worked as an AWS customer in financial services on both the offensive and defensive sides of security. Outside of work, Anna enjoys cheering on the Florida Gators football team, wine tasting, and traveling the world.

Author

Megan O’Neil

Megan is a Principal Security Specialist Solutions Architect focused on Threat Detection and Incident Response. Megan and her team enable AWS customers to implement sophisticated, scalable, and secure solutions that solve their business challenges. Outside of work, Megan loves to explore Colorado, including mountain biking, skiing, and hiking.

Patch Tuesday – October 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/10/10/patch-tuesday-october-2023/

Patch Tuesday - October 2023

Microsoft is addressing 105 vulnerabilities this October Patch Tuesday, including three zero-day vulnerabilities, as well as 12 critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.

WordPad: zero-day NTLM hash disclosure

Another Patch Tuesday, another zero-day vulnerability offering NTLM hash disclosure, this time in WordPad. The advisory for CVE-2023-36563 describes two possible attack vectors: 1) enticing the user to open a specially crafted malicious file delivered via email, IM, or some other means, or 2) by causing a custom application to run. The advisory doesn’t give much more detail, but the attacker would either need existing access to the system, or some means of exfiltrating the NTLM hash. It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.

Skype for Business server: zero-day info disclosure

Defenders responsible for a Skype for Business server should take note of an exploited-in-the-wild information disclosure vulnerability for which public exploit code exists. Successful exploitation of CVE-2023-41763 via a specially crafted network call could result in the disclosure of IP addresses and/or port numbers. Although Microsoft does not specify what the scope of the disclosure might be, it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends.

ASP.NET Kestrel web server: zero-day denial of service

Rounding out this month’s trio of exploited-in-the-wild vulnerabilities, and perhaps of less concern: the cross-platform Kestrel web server for ASP.NET Core receives a fix for CVE-2023-44487, a denial of service vulnerability. In the advisory, Microsoft provides essentially no information about the attack vector beyond the fact that the vulnerability is specific to HTTP/2, but does suggest two potential workarounds:

  1. Disabling the HTTP/2 protocol via a Windows Registry modification; and/or
  2. Restricting the protocols offered by each Kestrel endpoint to exclude HTTP/2.

Microsoft advises timely patching regardless of whether or not one or more workarounds are applied.
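The registry workaround, wrapped so that it can be inspected, previewed and reverted rather than applied blind. This is an added example, not code from Microsoft's advisory or the original post. The key path and the two value names (EnableHttp2Tls and EnableHttp2Cleartext, both DWORD 0 to disable) are the ones Microsoft published for CVE-2023-44487; everything else is this example's own. One caveat the advisory wording glosses over: these values govern HTTP.sys, which serves IIS and ASP.NET Core's HttpSys server, not Kestrel. A Kestrel endpoint keeps offering HTTP/2 until its own configuration restricts it (for example `"Protocols": "Http1"` on the endpoint in appsettings.json, or `ListenOptions.Protocols = HttpProtocols.Http1` in code). A restart is required for the registry change to take effect.

```powershell
# Added example: inspect, apply and revert Microsoft's HTTP.sys HTTP/2 workaround.
# Run elevated. Affects IIS / HttpSys hosting only; Kestrel is configured separately.
$Http2Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Http2Values = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2State {
    # Reports each override value: absent means HTTP/2 is on (the default).
    foreach ($name in $Http2Values) {
        $value = (Get-ItemProperty -Path $Http2Key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value)  { $setting = 'absent (HTTP/2 enabled, default)' }
        elseif ($value -eq 0)  { $setting = 'disabled' }
        else                   { $setting = 'enabled' }
        [pscustomobject]@{ Value = $name; Setting = $setting }
    }
}

function Disable-Http2 {
    # Writes both overrides as DWORD 0. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $Http2Values) {
        if ($PSCmdlet.ShouldProcess("$Http2Key\$name", 'Set to 0')) {
            New-ItemProperty -Path $Http2Key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
    Write-Warning 'Restart the host for HTTP.sys to apply the change.'
}

function Enable-Http2 {
    # Reverts to the default by removing the overrides rather than writing 1.
    foreach ($name in $Http2Values) {
        Remove-ItemProperty -Path $Http2Key -Name $name -ErrorAction SilentlyContinue
    }
    Write-Warning 'Restart the host for HTTP.sys to apply the change.'
}

Get-Http2State | Format-Table -AutoSize
# Disable-Http2 -WhatIf    # preview; drop -WhatIf to apply, then patch and revert
```

Treat the workaround as a stopgap: apply it, install the update, then run `Enable-Http2` so that HTTP/2 clients are not left on HTTP/1.1 longer than necessary.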

N.B. In the advisory, a hyperlink attached to the word “workarounds” does not resolve to anything specific, and Kestrel is misspelled as “Kestral” more than once, although these issues will likely be resolved soon.

Layer 2 Tunneling Protocol: lots of critical RCEs

Twelve critical RCE vulnerabilities seems like a lot, and it is. Fully three-quarters of these are in the same Windows component — the Layer 2 Tunneling Protocol — which has already received fixes for a significant number of critical RCEs in recent months. Exploitation of each of the Layer 2 Tunneling Protocol critical RCEs this month — CVE-2023-41765 CVE-2023-41767 CVE-2023-41768 CVE-2023-41769 CVE-2023-41770 CVE-2023-41771 CVE-2023-41773 CVE-2023-41774 and CVE-2023-38166 — is via a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server.

If there is a silver lining here, it’s that the acknowledgements for almost all of these vulnerabilities cite Microsoft’s Network Security and Containers (NSC) team; a reasonable inference is that Microsoft is directing significant resources towards security research and patching in this area. Since CVEs are typically assigned sequentially, and there are gaps in the sequence, another reasonable inference here is that other similar as-yet-unpublished vulnerabilities have probably been identified and reported to MSRC.

Windows MSMQ: critical RCEs

CVE-2023-35349 describes an RCE vulnerability in the Message Queuing service. Microsoft does not describe the attack vector, but other similar vulnerabilities require that the attacker send a specially crafted malicious MSMQ packet to an MSMQ server. One mitigating factor: the Microsoft Message Queuing service must be enabled and listening on port 1801 for an asset to be vulnerable, and the Message Queuing service is not installed by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.

Another MSMQ RCE vulnerability also receives a patch this month: CVE-2023-36697 has a lower CVSS score than its sibling, both because valid domain credentials are required, and because exploitation requires that a user on the target machine connects to a malicious server. Alternatively, Microsoft suggests that an attacker could compromise a legitimate MSMQ server host and make it run as a malicious server to exploit this vulnerability, although it’s not immediately clear how the attacker could do that without already having significant control over the MSMQ host.
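Both MSMQ write-ups on this page (the PGM-over-MSMQ critical in November and the pair above) and the Layer 2 Tunneling Protocol section turn on the same question: is the optional service actually installed and listening on this host? The following check answers it for both. It is an added example, not from the original posts; the service names (MSMQ, RemoteAccess) and listeners (TCP 1801 for MSMQ, UDP 1701 for L2TP) are the standard Windows ones, and nothing in it is specific to any one CVE.

```powershell
# Added example: report whether MSMQ and RRAS are present and listening.
# Run elevated on the host being checked. "InstalledOnly" is still a patch
# target; "Exposed" is the state the advisories describe as exploitable.
function Get-OptionalServiceExposure {
    [CmdletBinding()]
    param()

    $targets = @(
        @{ Service = 'MSMQ';         Name = 'Message Queuing (MSMQ)';           Tcp = 1801; Udp = $null }
        # L2TP control channel. With L2TP/IPsec the packets arrive inside ESP
        # (UDP 500/4500), but RRAS still binds UDP 1701 locally.
        @{ Service = 'RemoteAccess'; Name = 'Routing and Remote Access (RRAS)'; Tcp = $null; Udp = 1701 }
    )

    foreach ($t in $targets) {
        $svc = Get-Service -Name $t.Service -ErrorAction SilentlyContinue
        $tcpListen = $false
        $udpBound  = $false
        if ($t.Tcp) {
            $tcpListen = [bool](Get-NetTCPConnection -LocalPort $t.Tcp -State Listen -ErrorAction SilentlyContinue)
        }
        if ($t.Udp) {
            $udpBound = [bool](Get-NetUDPEndpoint -LocalPort $t.Udp -ErrorAction SilentlyContinue)
        }

        if ($svc -and ($tcpListen -or $udpBound)) { $exposure = 'Exposed' }
        elseif ($svc)                             { $exposure = 'InstalledOnly' }
        else                                      { $exposure = 'None' }

        [pscustomobject]@{
            Component = $t.Name
            Installed = ($null -ne $svc)
            Status    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
            StartType = if ($svc) { $svc.StartType } else { '-' }
            Listening = ($tcpListen -or $udpBound)
            Exposure  = $exposure
        }
    }
}

Get-OptionalServiceExposure | Format-Table -AutoSize
```

An Exchange host that shows MSMQ as "Exposed" without anyone having asked for it is exactly the quiet-install case described above; if no application on the box needs queuing, removing the feature (`Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server` on client SKUs, `Uninstall-WindowsFeature MSMQ` on servers) is a smaller change than patching it every month.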

Microsoft vTPM: container escape

The final constituent of this month’s dozen patched critical RCE vulnerabilities is rather more exotic: CVE-2023-36718 describes a vulnerability in the Microsoft Virtual Trusted Platform Module (vTPM), which is a TPM 2.0-compliant virtualized version of a hardware TPM offered as a feature of Azure confidential VMs. Successful exploitation could lead to a container escape. The attacker would first need to access the vulnerable VM, and the advisory notes that exploitation is possible when authenticated as a guest mode user. On the bright side, Microsoft evaluates attack complexity as High, since successful exploitation of this vulnerability would rely upon complex memory shaping techniques to attempt an attack.

Exchange (as is tradition): RCE

Exchange administrators should note the existence of CVE-2023-36778, a same-network RCE vulnerability in all current versions of Exchange Server. Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session. By default, PowerShell Remoting only allows connections from members of the Administrators group, and the relevant Windows Firewall rule for connections via public networks rejects connections from outside the same subnet. Defenders may wish to review these rules to ensure that they have not been loosened beyond the default.
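A read-only audit of the two defaults the paragraph above leans on (the WinRM inbound firewall rules, whose Public-profile rule is scoped to LocalSubnet by default, and membership of the local groups that may open a remoting session). It applies equally to the November Exchange spoofing trio exploited via PowerShell remoting. This is an added example and not part of the original post; the firewall rule group name "Windows Remote Management" and the group names Administrators and Remote Management Users are Microsoft's, the `Loosened` heuristic is this example's own.

```powershell
# Added example: audit PowerShell remoting exposure on an Exchange host.
# Read-only; run elevated on the server. WinRM listens on TCP 5985/5986.
function Get-PSRemotingExposure {
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        # Default: the Public-profile rule restricts RemoteAddress to LocalSubnet.
        # "Any" on that rule means remoting is reachable beyond the subnet.
        $loosened = ($rule.Profile -match 'Public') -and ($addr.RemoteAddress -contains 'Any')
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Enabled       = $rule.Enabled
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Loosened      = $loosened
        }
    }
}

function Get-RemotingGroupMembers {
    # Who may open a remoting session by default: local Administrators plus
    # Remote Management Users. Unexpected entries here widen the attack surface.
    foreach ($group in 'Administrators', 'Remote Management Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass, PrincipalSource
    }
}

Get-PSRemotingExposure    | Format-Table -AutoSize
Get-RemotingGroupMembers  | Format-Table -AutoSize
```

A `Loosened` row, or a non-admin user or broad group in Remote Management Users, is the condition under which "valid credentials for an Exchange user" stops being much of a barrier for CVE-2023-36778 and the November spoofing bugs; tighten the rule back to LocalSubnet (or to the management subnet) and trim the group before relying on the patch alone.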

Office: LPE

Microsoft Office receives a patch for CVE-2023-36569, a local privilege escalation (LPE) vulnerability. Successful exploitation could lead to SYSTEM privileges, but Microsoft states that the Preview Pane is not a vector. The advisory doesn’t provide much more information; patches are available for Office 2019, 2021, and Apps for Enterprise. Office 2016 is not listed, which might signify that it isn’t vulnerable, or could mean that patches will be provided later.

End of the line: 2012 edition

Today is the final Patch Tuesday for Windows Server 2012, and Windows Server 2012 R2. The only way to receive security updates for these versions of Windows from now on is to subscribe to Microsoft’s last-resort Extended Security Update (ESU) program. Windows 11 21H2 Home, Pro, Pro Education, Pro for Workstations, and SE also move past the end of support. No ESU program is available for Windows 11 client OS, so Windows 11 21H2 assets are insecure-by-default from now on. In all cases, both Microsoft and Rapid7 recommend upgrading to a newer version of Windows as soon as possible.

Summary Charts

  • That’s a long line of Message Queueing vulns.
  • Denial of Service up one place to third. RCE holds the top spot as usual.
  • As usual, no Low or Moderate criticality vulns. It’s not that they don’t exist or get reported, but like all vendors remediating security issues, Microsoft necessarily focuses on those with the highest severity.
  • A relatively long list of components this month, and lots of RCE.

Summary Table

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability No No 8.8
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability No No 8.8
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability No No 7.8

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability No No 7.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-5346 Chromium: CVE-2023-5346 Type Confusion in V8 No No N/A

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability No No 7.8

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability No No 6.5
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability No No 8.4
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability No No 7
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability No No 7
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability Yes Yes 5.3

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36417 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.3
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability No No 5.5

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36704 | Windows Setup Files Cleanup Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36725 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36557 | PrintHTML API Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36729 | Named Pipe File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36701 | Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36603 | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36720 | Windows Mixed Reality Developer Tools Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36709 | Microsoft AllJoyn API Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36605 | Windows Named Pipe Filesystem Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2023-36902 | Windows Runtime Remote Code Execution Vulnerability | No | No | 7 |
| CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-36717 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-36707 | Windows Deployment Services Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-36596 | Remote Procedure Call Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36576 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-36698 | Windows Kernel Security Feature Bypass Vulnerability | No | No | 3.6 |

Windows Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36435 | Microsoft QUIC Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-44487 | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack | Yes | No | N/A |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability | No | No | 9.8 |
| CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-36577 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36436 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36712 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36726 | Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-41766 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36598 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36593 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36702 | Microsoft DirectMusic Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36438 | Windows TCP/IP Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-36602 | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36567 | Windows Deployment Services Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-36606 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36581 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36579 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36431 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36703 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36585 | Active Template Library Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36592 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36591 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36590 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36589 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36583 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36582 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36578 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36575 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36574 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36573 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36572 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36571 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36570 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2023-36564 | Windows Search Security Feature Bypass Vulnerability | No | No | 6.5 |
| CVE-2023-29348 | Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability | Yes | Yes | 6.5 |
| CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-36584 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 5.4 |
| CVE-2023-36722 | Active Directory Domain Services Information Disclosure Vulnerability | No | No | 4.4 |