Microsoft has issued fixes addressing a total of 89 new Common Vulnerabilities and Exposures (CVEs) – 92 including third-party disclosures – to mark the penultimate Patch Tuesday of 2024, including four critical issues and a number of flaws that could be considered zero-days.
Out of these issues, one meets the traditional definition of a zero-day: a vulnerability that is both public and known to be exploited. This is CVE-2024-43451, a spoofing vulnerability that discloses New Technology LAN Manager (NTLM) hashes.
NTLM is a set of security protocols used to authenticate users’ identities. It dates back years and has been largely supplanted by vastly more secure protocols – Microsoft has not recommended its use in over a decade – but because it was used in Internet Explorer, it remains supported to some extent and continues to cause problems, not least because it is, at this stage, incredibly insecure.
In this instance, successful exploitation could lead to “total loss of confidentiality”, according to Microsoft, because it discloses a user’s NTLMv2 hash to an attacker, who could then use it to authenticate as that user. All that is required is for the victim to be tricked into minimal interaction with a malicious file: merely selecting or right-clicking it is enough, without opening it. This may make the flaw considerably more dangerous than its comparatively low severity score would suggest.
Mike Walters, president and co-founder of Action1, said: “This issue arises from the mechanism where NTLM authentication credentials, specifically NTLMv2 hashes, are improperly exposed via a maliciously crafted file.
“The root cause of this vulnerability lies in improperly handling file interactions within systems, potentially allowing attackers to extract NTLMv2 hashes without requiring complete file execution,” he told Computer Weekly in emailed commentary.
All supported versions of Microsoft Windows are vulnerable to this issue, said Walters, especially if they use applications reliant on MSHTML and EdgeHTML platforms, while risk is further increased across different system environments thanks to the involvement of other scripting engines.
Walters said the main concern with CVE-2024-43451 is the disclosure of NTLMv2 hashes that can be used to authenticate as the user and leveraged in pass-the-hash attacks, enabling further lateral movement for a canny threat actor.
“This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems,” he said.
“Organisations that heavily use Windows in environments with substantial network file sharing or legacy applications dependent on Internet Explorer and related platforms face heightened risk. Those lacking robust user training and monitoring systems to detect unusual file interactions may be more susceptible to exploitation.”
Also on the list is CVE-2024-49309, which is exploited but not yet public. This is an elevation of privilege (EoP) vulnerability in Windows Task Scheduler.
This stems from an issue where authentication tokens or credentials are improperly managed and could allow a low-privileged attacker to gain deeper access if they can execute a malicious application designed for the purpose. It impacts multiple versions of Windows that incorporate Task Scheduler as part of their routine task automation processes, and it is thought that environments with shared or multiple-user setups may be particularly vulnerable to it.
“This vulnerability serves as a potential entry point for attackers who have already accessed a system with low privilege. Once privileges are escalated, these attackers can utilise this foothold for further lateral movement within a network or to exploit other vulnerabilities that necessitate higher access levels,” said Walters.
“The nature of this vulnerability is especially concerning in corporate settings where individual users possess specific task automation privileges that could be exploited to gain unauthorised access.”
Not yet exploited
Four further vulnerabilities have been made public but have yet to see any exploitation, according to Microsoft. One of these, CVE-2024-5535, a remote code execution issue in OpenSSL, is among the three third-party disclosures incorporated into this month’s drop.
The other three are CVE-2024-43498, a remote code execution (RCE) vulnerability in .NET and Visual Studio, CVE-2024-49019, an EoP vulnerability in Active Directory Certificate Services, and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.
Chris Goettl, vice-president of security products at Ivanti, shared further thoughts on both the Active Directory and Microsoft Exchange Server issues, and urged defenders to treat them as higher priorities than the official guidance might imply.
“[CVE-2024-49019]…is rated Important and has a CVSS v3.1 score of 7.8…If exploited, the attacker could gain domain administrator privileges. The vulnerability does provide additional mitigations including removing overly broad enrol or auto-enrol permissions, removing unused templates from certificate authorities, and securing templates that allow you to specify the subject in the request,” said Goettl.
“The vulnerability affects Windows Server 2008 and later Server OS editions. From a risk-based perspective, a public disclosure puts this vulnerability at a higher risk of being exploited and may warrant treating the vulnerability as a higher severity.
“[CVE-2024-49040] is rated Important and has a CVSS v3.1 score of 7.5…The vulnerability exists in the P2 From header verification. Microsoft Exchange Server is often targeted by threat actors who specialise in Exchange exploits. From a risk-based prioritisation perspective, the public disclosure and availability of PoC-level exploit code warrants treating this vulnerability as Critical.”
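The three AD CS mitigations Goettl lists (overly broad enrol or auto-enrol permissions, unused templates, and templates that let the requester specify the subject) can be audited from a domain-joined host. The script below is an added example, not code from the article, Microsoft or Ivanti; it assumes the RSAT ActiveDirectory module and read access to the Configuration partition, and it only reports, leaving any template changes to the administrator.

```powershell
# Added example: report certificate templates matching the three conditions
# in the CVE-2024-49019 mitigation guidance. Read-only; changes nothing.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Schema GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights
$enrollGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-4802-a710-e7c15ab866a2')
$anyRight    = [guid]::Empty                    # ACE granting *all* extended rights
$broad       = 'Authenticated Users|Domain Users|Domain Computers|Everyone'
$supplySubj  = 0x1                              # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Templates actually published on a CA; anything else is an "unused template" candidate
$published = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties name, 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor |
ForEach-Object {
    $t = $_
    # Allow ACEs that give a broad principal enrol/auto-enrol (or full control) on the template
    $broadEnroll = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broad -and
        ( (($_.ActiveDirectoryRights -band $rights::GenericAll) -ne 0) -or
          ((($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
           ($_.ObjectType -eq $anyRight -or $enrollGuids -contains $_.ObjectType.ToString())) )
    } | ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Template                = $t.name
        Published               = $published -contains $t.name
        EnrolleeSuppliesSubject = [bool]($t.'msPKI-Certificate-Name-Flag' -band $supplySubj)
        BroadEnrolPrincipals    = ($broadEnroll | Sort-Object -Unique) -join ', '
    }
} | Where-Object { -not $_.Published -or $_.EnrolleeSuppliesSubject -or $_.BroadEnrolPrincipals } |
    Format-Table -AutoSize
```

A template that is published, lets the enrollee supply the subject and grants enrol rights to a broad group is the combination the guidance is most concerned with; review those rows first.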
Finally, the three other Critical issues are CVE-2024-43625, an EoP vulnerability in Microsoft Windows VMSwitch; CVE-2024-43639, an RCE vulnerability in Windows Kerberos; and CVE-2024-49056, an EoP vulnerability in Airlift.microsoft.com. In each of these instances, no proof of concept has yet been made public and no exploitation in the wild has been observed.