REDLEGG BLOG

Patch Tuesday - October 2024

10/8/24 5:05 PM  |  by RedLegg Blog

*Important note: These are not the only vulnerabilities that were recently released; however, these are the vulnerabilities RedLegg has identified as critical and require immediate attention.

VULNERABILITIES

libcurl ASN.1 Parsing Remote Code Execution Vulnerability

Identifier: CVE-2024-6197
Exploit or POC: Yes, a proof of concept exists for this vulnerability. 
Update: CVE-2024-6197 – libcurl Security Advisory
(https://curl.se/docs/CVE-2024-6197.html)

Description: CVE-2024-6197 is a vulnerability in libcurl's handling of ASN.1 data during the TLS certificate parsing process. The vulnerability could allow an attacker to crash the application or execute arbitrary code by exploiting this flaw with a specially crafted TLS certificate. Versions 8.6.0 through 8.8.0 are affected.

Mitigation Recommendation: Patching is the recommended mitigation. Upgrade to libcurl version 8.9.0 or higher to address this vulnerability. The details and patches are available in the official libcurl Security Advisory. It is advised to update immediately to avoid possible exploitation.

 


Windows MSHTML Platform Spoofing Vulnerability

Identifier: CVE-2024-43573
Exploit or POC: Yes, this vulnerability has been exploited in the wild as a zero-day. 
Update: CVE-2024-43573 – Microsoft Security Update Guide
(https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43573)

Description: CVE-2024-43573 is a spoofing vulnerability in the Windows MSHTML platform. The vulnerability allows attackers to trick users into interacting with malicious content disguised as legitimate, potentially leading to unauthorized disclosure of sensitive information. User interaction, typically involving social engineering tactics, is required for exploitation.

Mitigation Recommendation: Patching is currently the only method of mitigation. Please update to the latest software versions as listed in the Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43573) Keeping systems updated is crucial to mitigate this vulnerability, especially since it has been actively exploited.

 


Microsoft Management Console (MMC) Remote Code Execution Vulnerability

Identifier: CVE-2024-43572
Exploit or POC: Yes, this vulnerability has been actively exploited in the wild.
Update: CVE-2024-43572 – Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43572)

Description: CVE-2024-43572 is a remote code execution (RCE) vulnerability in the Microsoft Management Console (MMC). It has a CVSS score of 7.8 and can be exploited by convincing a user to load a specially crafted file. Successful exploitation allows attackers to execute arbitrary code on the affected system, leading to potential full system compromise. This vulnerability has been exploited in the wild

Mitigation Recommendation: Patching is currently the only method of mitigation. Please update to the latest software versions as listed in the Microsoft Security Update Guide  (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43572)Apply the patch immediately to protect systems from this high-risk vulnerability

 


Windows Hyper-V Security Feature Bypass Vulnerability

Identifier: CVE-2024-20659 
Exploit or POC: No, there is no public proof-of-concept or known exploit for this vulnerability.
Update: CVE-2024-20659 – Microsoft Security Update Guide  (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20659)

Description: CVE-2024-20659 is a security feature bypass vulnerability affecting Windows Hyper-V. It allows an attacker to bypass the Unified Extensible Firmware Interface (UEFI) security on the host machine, leading to the compromise of the Hyper-V environment, including the hypervisor and the secure kernel. While it has a CVSSv3 score of 7.1, the complexity of the attack and the requirement of adjacent network access make exploitation less likely.

Mitigation Recommendation: Patching is currently the only recommended method of mitigation. Ensure that you apply the official security patch released by Microsoft as soon as possible. Refer to the Microsoft Security Update Guide for further details.

 


Winlogon Elevation of Privilege Vulnerability

Identifier: CVE-2024-43583
Exploit or POC: No, there is no public proof-of-concept or known exploit for this vulnerability, though it has been publicly disclosed.
Update: CVE-2024-43583 – Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43583)

Description: CVE-2024-43583 is an elevation of privilege vulnerability in the Winlogon component of Windows operating systems. Winlogon is responsible for handling user authentication and session management. This flaw allows a local, authenticated attacker to gain SYSTEM-level privileges, which could enable them to install software, modify data, or take complete control of the affected system. Microsoft has released a patch to address this vulnerability and recommends enabling the Microsoft first-party Input Method Editor (IME) to mitigate risks related to third-party IMEs.

Mitigation Recommendation: Patching is the primary mitigation method. Please update your system with the latest security patch as provided in the Microsoft Security Update Guide. Additionally, enable Microsoft's first-party IME to avoid potential vulnerabilities related to third-party IMEs.

 


Microsoft Configuration Manager Remote Code Execution Vulnerability

Identifier: CVE-2024-43468
Exploit or POC: No, there is no public proof-of-concept or known exploitation in the wild, though it is critical.
Update: CVE-2024-43468 – Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468)

Description: CVE-2024-43468 is a critical remote code execution (RCE) vulnerability in Microsoft Configuration Manager. With a CVSS score of 9.8, it allows an unauthenticated attacker to send a specially crafted request to a vulnerable system, which could result in arbitrary code execution on the affected machine or its underlying database. This vulnerability poses a severe risk due to its potential to be exploited remotely without user interaction. Despite its criticality, Microsoft has marked the likelihood of exploitation as "less likely."

Mitigation Recommendation: Patching is the primary method of mitigation. Microsoft has released an in-console update for this vulnerability. For those unable to apply the update immediately, a workaround is suggested, which involves using an alternate service account for the Management Point connection instead of the default computer account. Users should apply the patch as soon as possible to protect their systems from potential exploitation.

 


Visual Studio Code Extension for Arduino Remote Code Execution Vulnerability

Identifier: CVE-2024-43488
Exploit or POC: No, there is no public proof-of-concept or known exploitation of this vulnerability.
Update: CVE-2024-43488 – Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43488)

Description: CVE-2024-43488 is a critical remote code execution vulnerability affecting the Visual Studio Code extension for Arduino. The vulnerability is caused by missing authentication for critical functions, which allows an unauthenticated attacker to remotely execute arbitrary code on the affected system. This can lead to a complete compromise of system confidentiality, integrity, and availability, allowing attackers to gain full control of the system, access sensitive information, and manipulate data. Microsoft has deprecated this extension, recommending users switch to the Arduino IDE instead.

Mitigation Recommendation: Users should immediately update the Visual Studio Code extension for Arduino to the latest version. If the extension is no longer needed, it should be uninstalled or disabled. Additionally, network segmentation and strong access controls should be implemented to minimize exposure. Monitoring for unusual network activity is also recommended to detect potential threats.

 


Remote Desktop Protocol Server Remote Code Execution Vulnerability

Identifier: CVE-2024-43582
Exploit or POC: No, there is no public proof-of-concept or known exploitation for this vulnerability.
Update: CVE-2024-43582 – Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43582)

Description: CVE-2024-43582 is a high-severity vulnerability affecting the Remote Desktop Protocol (RDP) server, with a CVSS score of 8.1. It allows an unauthenticated attacker to execute arbitrary code remotely by sending malformed packets to an RDP host. This could lead to a complete system compromise, granting the attacker control over the affected machine, with potential impacts on confidentiality, integrity, and availability. The vulnerability does not require any user interaction, but the attack complexity is rated high because the attacker must successfully exploit a race condition.

Mitigation Recommendation: Applying the patch provided by Microsoft is the most effective mitigation. If patching is not immediately possible, restrict access to RDP servers from untrusted networks, implement network segmentation, and enforce firewall rules to limit RDP access to trusted IP addresses only. Additionally, consider using multi-factor authentication (MFA) for RDP access and monitor for any unusual activities on RDP servers.

Get Blog Updates

Related Articles

Emergency Security Bulletin: SonicWall SMA1000 Appliances Vulnerability Bulletins

Emergency Security Bulletin: SonicWall SMA1000 Appliances

About: RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide ...
Emergency Security Bulletin: Multiple SAP NetWeaver Vulnerabilities Vulnerability Bulletins

Emergency Security Bulletin: Multiple SAP NetWeaver Vulnerabilities

About: RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide ...
Critical Security Vulnerabilities Bulletin