The four zero days

CVE-2024-38080 is an elevation of privilege (EoP) vulnerability that affects Microsoft’s Hyper-V virtualization functionality in Windows 11 and Windows Server and is being actively exploited.

“For CVE-2024-38080 (CVSS severity score 7.8), a vulnerability in Windows Hyper-V, the impact is significant as this vulnerability can grant attackers the highest level of system access, enabling the deployment of ransomware and other malicious attacks,” said Saeed Abbasi, product manager, vulnerability research at Qualys Threat Research Unit (TRU).

“While Microsoft has not disclosed the extent of active exploitation, the nature of the vulnerability makes it a prime target for attackers. Due to the potential for deep system control, this vulnerability is ripe for further exploitation attempts. The combination of low complexity and no requirement for user interaction means it is likely to be quickly included in exploit kits, leading to widespread exploitation.”

Greg Wiseman, product manager at Rapid7, added: “A successful exploitation (of CVE-2024-38080) would give an attacker SYSTEM-level privileges. Only more recent editions of Windows are affected: Windows 11 since version 21H2 and Windows Server 2022 including Server Core.”

Microsoft also fixed a zero-day spoofing vulnerability in Windows MSHTML Platform (CVE-2024-38112, CVSS 7.5), which could allow an attacker to send a malicious file to a user and execute it over the network. This vulnerability is being actively exploited.

“This vulnerability has been exploited before, but Microsoft has released few details beyond describing it as a ‘spoofing’ vulnerability, which requires social engineering to trick a user into running a provided file,” said Rob Reeves, Principal Cyber Security Engineer at Immersive Labs.

Another important update is a fix for CVE-2024-35264 (CVSS 8.1), a publicly disclosed, zero-day remote code execution (RCE) vulnerability affecting Visual Studio 2022 and .NET 8.0. Exploitation of this flaw is described as “difficult” because it requires winning a race condition.

The fourth zero-day, CVE-2024-37985 (CVSS 5.9), is a publicly disclosed vulnerability in Windows 11 on Arm-based systems.

“This could allow an attacker to view heap memory of a privileged process. The vulnerability has been publicly disclosed, but no code samples were made available as part of this disclosure,” said Chris Goettl, VP of Security Products at Ivanti.

Five critical bugs

The five vulnerabilities classified as “critical” by Microsoft (which almost always means they allow remote code execution) are as follows.

CVE-2024-38023 (CVSS 7.2) is a SharePoint vulnerability. “An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and make specialized API requests to trigger deserialization of the file’s parameters,” Microsoft’s advisory states. “This could allow the attacker to perform remote code execution in the context of the SharePoint Server.”

CVE-2024-38060 (CVSS 8.8) is a Windows Imaging Component RCE. “This is a flaw in the Windows Imaging Component related to TIFF (Tagged Image File Format) image processing that could allow an attacker to execute arbitrary code on a system,” Wiseman said. “The example scenario Microsoft provides is simply that of an authenticated attacker uploading a specially crafted TIFF image to a server for exploitation.”

CVE-2024-38076 (CVSS 9.8) is described as a Windows Remote Desktop Licensing Service RCE. Microsoft has provided a fix for this issue and “strongly advises” administrators to install the updates “as soon as possible, even if you plan to leave Remote Desktop Licensing Service disabled.”

The two remaining critical bugs also exist in Windows Remote Desktop Licensing Service and are related to CVE-2024-38076, with the same mitigation and recommended action from Microsoft. Both are rated CVSS 9.8; one of them is CVE-2024-38074.

Other fixes

Other notable patches in this month’s update include 39 CVEs in Microsoft SQL Server, none of which are critical. No exploits or disclosures have been reported.

There are also patches for third-party software including Adobe, Cisco NX-OS, Citrix Windows Virtual Delivery Agent and Workspace, Ghostscript, Fortinet FortiOS, VMware Cloud Director, Firefox, and the OpenSSH “Regression” RCE bug.