Wednesday, 12 June 2024 11:29

Microsoft offers fixes for 49 CVEs in Patch Tuesday release


Microsoft has patched 49 CVEs in its June 2024 Patch Tuesday release, the second successive month in which fewer than 60 CVEs were patched.

Satnam Narang, senior staff research engineer at security firm Tenable, said Microsoft had not patched any zero-day vulnerabilities exploited in the wild this month.

He added that Microsoft Patch Tuesday releases typically skewed towards remote code execution vulnerabilities.

"In 2023, remote code execution flaws accounted for over one-third (35.1%) of all CVEs patched," Narang noted. "However, this Patch Tuesday release was dominated by elevation of privilege flaws, accounting for nearly half of the CVEs patched (49%)."

He said Microsoft had patched CVE-2024-30089, an elevation of privilege flaw in the Microsoft Streaming Service. "Like many of the elevation of privilege flaws patched as part of Patch Tuesday, Microsoft labelled this one as 'Exploitation More Likely'," he added.

Narang pointed out that these types of flaws were notoriously useful for cyber criminals seeking to elevate privileges on a compromised system.

"When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat actors or as part of targeted attacks," he elaborated.

"This vulnerability was disclosed to Microsoft by the same security researcher who disclosed CVE-2023-36802, another Microsoft Streaming Service elevation of privilege flaw, which was patched in the September 2023 Patch Tuesday.

"Curiously, that flaw was disclosed by the researcher, but it was Microsoft themselves that noted it as being exploited in the wild. Another Microsoft Streaming Service flaw was patched this month (CVE-2024-30090), but unlike CVE-2024-30089, this one is labelled as 'Exploitation Less Likely'."

Mike Walters, president and co-founder of patch management software vendor Action1, said Microsoft had also patched a critical vulnerability in Microsoft Message Queuing, which could permit remote code execution.

"This issue (CVE-2024-30080) stems from a Use After Free (CWE-416) flaw and is assigned a CVSS score of 9.8, indicating an extremely high severity level," he said.

"The vulnerability is accessible through the network with low attack complexity, requires no privileges, and no user interaction, with the scope of the vulnerability remaining unchanged. However, it carries high impacts on confidentiality, integrity, and availability.

"An attacker could exploit this vulnerability by sending a specially crafted malicious MSMQ packet to a server, potentially resulting in remote code execution on that server. While no exploit code or proof-of-concept for this vulnerability has been verified, the likelihood of exploitation is considered high.

"The affected component, Windows Message Queuing Service, must be enabled for the vulnerability to be exploitable. This service can be added via the Control Panel. To check vulnerability, confirm whether the ‘Message Queuing’ service is running and if TCP port 1801 is open on the system."

Walters said another vulnerability of note was an RCE in Microsoft Office (CVE-2024-30101). "This important vulnerability in Microsoft Office permits remote code execution and is associated with a Use After Free (CWE-416) flaw, earning a CVSS score of 7.5, which is considerably high," he elaborated.

"It presents a network attack vector and high attack complexity, requires no privileges but necessitates user interaction. The vulnerability’s scope remains unchanged, yet it poses high impacts on confidentiality, integrity, and availability.

"An attacker could exploit this by sending a malicious email to a user with an affected version of Microsoft Outlook. To trigger the vulnerability, the user must open the email and engage in specific actions.

"While no exploit code or proof-of-concept is verified and the likelihood of exploitation is considered low, successful exploitation depends on the attacker winning a race condition. The Preview Pane is a potential attack vector, though further user interaction is needed."

Adam Barnett, lead software engineer at security firm Rapid7, said Microsoft had issued a patch for SharePoint RCE CVE-2024-30100. "The advisory is sparing on details, and the context of code exploitation is not clear," he noted. "The weakness is described as CWE-426: Untrusted Search Path; many (but not all) vulnerabilities associated with CWE-426 lead to elevation of privilege."

He highlighted CVE-2023-50868, which describes a denial of service vulnerability in DNSSEC. "This vulnerability is present in the DNSSEC spec itself, and the CVE was assigned by MITRE on behalf of DNSSEC," Barnett explained. "Microsoft’s implementation of DNSSEC is thus subject to the same attack as other implementations.

"An attacker can exhaust CPU resources on a DNSSEC-validating DNS resolver by demanding responses from a DNSSEC-signed zone, if the resolver uses NSEC3 to respond to the request. NSEC3 is designed to provide a safe way for a DNSSEC-validating DNS resolver to indicate that a requested resource does not exist.

"Under certain circumstances, the DNS resolver must perform thousands of iterations of a hash function to calculate an NSEC3 response, and this is the foundation on which this DoS exploit rests. All current versions of Windows Server receive a patch today.

"Typically, when Microsoft publishes a security advisory and describes the vulnerability as publicly disclosed, that public disclosure would have been recent. However, in the case of CVE-2023-50868, the flaw in DNSSEC was first publicly disclosed on 2024-02-13. The advisory acknowledges four academics from the German National Research Centre for Applied Cybersecurity (ATHENE), which is perhaps of interest since these same researchers are authors on a March 2024 academic paper that downplays the DoS potential of CVE-2024-50868.

"Those same researchers published another DNSSEC flaw CVE-2023-50387 (also known as KeyTrap) in January 2024, which they describe as having potentially serious implications; Microsoft patched that one at the next scheduled opportunity in February.

"The CVE-2023-50868 advisory published today does not provide further insight as to why this vulnerability wasn’t patched sooner; a reasonable assumption might be that Microsoft assesses CVE-2023-50868 as less urgent/critical than CVE-2023-50387, although both receive a rating of Important on Microsoft’s proprietary severity ranking scale. It’s also possible that Microsoft does not wish to be the only major server OS vendor without a patch."

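The hash work Barnett describes comes from the NSEC3 owner-name hash defined in RFC 5155: SHA-1 over the name and salt, then re-hashed once per configured iteration. The following is an added example (not from the article, Rapid7 or Microsoft) that computes that hash and counts the SHA-1 calls a validator spends; the helper names and the `names_hashed` parameter are hypothetical, chosen to let a zone operator see how the iteration count in an NSEC3PARAM record multiplies resolver CPU cost.

```python
import base64
import hashlib

# NSEC3 uses base32hex (RFC 4648); translate from the standard base32 alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a non-root owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """Return (base32hex digest, SHA-1 calls made) per RFC 5155 section 5."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    calls = 1
    for _ in range(iterations):      # 'iterations' counts additional rounds
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    text = base64.b32encode(digest).translate(_B32HEX).decode().lower()
    return text, calls

def sha1_calls_for_denial(nsec3param_rdata, names_hashed):
    """SHA-1 calls a validator spends when one response makes it hash
    `names_hashed` candidate names under the zone's NSEC3PARAM rdata
    (presentation format: algorithm flags iterations salt)."""
    _alg, _flags, iterations, _salt = nsec3param_rdata.split()
    return names_hashed * (int(iterations) + 1)

if __name__ == "__main__":
    # Constructed sample parameters: salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
    for rdata in ("1 0 0 -", "1 0 150 aabbccdd", "1 0 2500 aabbccdd"):
        print(rdata, "->", sha1_calls_for_denial(rdata, 10), "SHA-1 calls")
```
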

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
