Patch Tuesday November 2024

Patch Tuesday November 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Microsoft Vulnerabilities

This Patch Tuesday, Microsoft has addressed 88 vulnerabilities and issued one advisory, showing a decrease from the previous month. Four of these vulnerabilities are considered critical. Notably, the update includes fixes for two zero-days, one accompanied by a proof of concept. Additionally, proofs of concept have been developed for two more vulnerabilities, though they have not yet been exploited.
Below are details on the most critical updates provided this month.

NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)

CVE-2024-43451 represents a spoofing vulnerability related to the exposure of NTLM hashes, classified under CWE-73: External Control of File Name or Path. This issue arises from the mechanism where NTLM authentication credentials, specifically NTLMv2 hashes, are improperly exposed via a maliciously crafted file.

The vulnerability stems from inadequate handling of file interactions within systems, potentially allowing attackers to extract NTLMv2 hashes without needing to fully execute the file. This exposure occurs when a user’s interaction with a malicious file results in unauthorized hash disclosure.

All supported versions of Microsoft Windows are vulnerable, especially when using applications that rely on MSHTML and EdgeHTML platforms. The involvement of various scripting engines further increases the risk across different system environments.

The primary concern is the disclosure of NTLMv2 hashes, which attackers can utilize to authenticate as the user, potentially gaining unauthorized access to resources. These hashes can be leveraged in pass-the-hash (PtH) attacks, facilitating lateral movement within networks and posing a higher risk of extensive network compromise.

• Attack Vector: Network (exploitable remotely via network interaction)
• Attack Complexity: Low (relatively easy to exploit with crafted payloads)
• Privileges Required: None (the exploit can occur without elevated privileges)
• User Interaction: Required (minimal, such as right-clicking or opening a file)
• Publicly Disclosed: Yes
• Exploited in the Wild: Yes, demonstrating the vulnerability’s appeal to attackers due to its simplicity and effectiveness.

This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems.

• CVSS Base Score: 6.5
• CVSS Temporal Score: 6.0

These scores reflect a moderate to significant threat level, underscored by the potential for information disclosure and its subsequent misuse, which poses a considerable risk to data confidentiality and network integrity.

Organizations that heavily use Windows in environments with substantial network file sharing or legacy applications dependent on Internet Explorer and related platforms face heightened risk. Those lacking robust user training and monitoring systems to detect unusual file interactions may be more susceptible to exploitation.

CVE-2024-43451 is a critical issue for securing credentials within Windows environments, where NTLM hash disclosure, while not immediately impactful, provides attackers with a means to conduct more severe attacks over time.

Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)

The second zero-day, CVE-2024-49039, is an elevation of privilege vulnerability identified in the Windows Task Scheduler. Classified under CWE-287: Improper Authentication, this vulnerability indicates that the Task Scheduler’s authentication mechanisms can be bypassed under specific conditions, enabling an escalation of user privileges.

The core issue stems from the improper management of authentication tokens or credentials, allowing a low-privileged attacker to gain higher levels of access by executing a specially crafted application. This vulnerability specifically impacts how the Task Scheduler validates permissions to execute tasks at elevated privilege levels.

This flaw affects multiple versions of Microsoft Windows that incorporate the Task Scheduler service within their routine task automation infrastructure. Environments with shared or multiple user setups are particularly vulnerable if this security flaw is exploited.

An attacker exploiting this vulnerability can escalate from a low-privilege AppContainer to a Medium Integrity Level, granting them the capability to execute normally restricted Remote Procedure Call (RPC) functions. Such elevated privileges could enable the attacker to manipulate or execute code that would typically be inaccessible, potentially leading to more extensive security breaches within the compromised environment.

• Attack Vector: Local (the attack must be executed on the local system)
• Attack Complexity: Low (relatively straightforward to exploit once local access is achieved)
• Privileges Required: Low (the initial exploit does not require high-level privileges)
• User Interaction: None (the attack can proceed without user interaction)
• Publicly Disclosed: No
• Exploited in the Wild: Yes. Given the observed exploits in the wild and the low complexity, this vulnerability poses a credible threat.

This vulnerability serves as a potential entry point for attackers who have already accessed a system with low privilege. Once privileges are escalated, these attackers can utilize this foothold for further lateral movement within a network or to exploit other vulnerabilities that necessitate higher access levels.

• CVSS Base Score: 8.8
• CVSS Temporal Score: 8.2

These scores denote considerable severity, highlighting the potential for attackers to elevate privileges and impact system confidentiality, integrity, and availability.

Organizations utilizing Windows systems, especially those with multiple user accounts or environments that permit scheduled tasks, could be at increased risk. The nature of this vulnerability is especially concerning in corporate settings where individual users possess specific task automation privileges that could be exploited to gain unauthorized access.

Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)

CVE-2024-49019 represents an Elevation of Privilege vulnerability in Active Directory Certificate Services (AD CS), associated with CWE-1390: Weak Authentication. This classification highlights the vulnerability’s basis in inadequate authentication protocols during the management of certificate template permissions. This flaw allows attackers to escalate their privileges by manipulating improperly configured certificate templates.

The vulnerability specifically arises from the use of version 1 certificate templates where the subject name is set to “Supplied in the request” combined with overly broad ‘Enroll’ permissions. Under these conditions, attackers can request certificates with arbitrary subject names, leading to potential escalation of privileges, up to and including domain administrator levels.

This issue predominantly affects Windows environments utilizing AD CS, especially those where certificate templates are not meticulously configured. The risk is particularly acute for environments using version 1 templates with insufficient permission restrictions.

Successful exploitation of this vulnerability allows attackers to acquire domain administrator privileges, thus gaining extensive control over the entire Windows domain. Such elevated privileges can lead to unauthorized access to secure domain resources, including critical data and sensitive systems.

• Attack Vector: Local (exploitation requires local network access to the certificate services)
• Attack Complexity: Low (the conditions required to exploit this vulnerability are straightforward)
• Privileges Required: Low (exploit necessitates lower-level credentials, such as those of a domain user)
• User Interaction: None (the vulnerability can be exploited without user interaction)
• Publicly Disclosed: Yes
• Exploited in the Wild: There are no known reports of active exploitation yet.
• Exploitation More Likely: Given the nature of the vulnerability, there is a heightened risk of exploitation once the details are widely known.

This vulnerability could be used as a step for privilege escalation following an initial compromise via other attack vectors, such as phishing or network access vulnerabilities. Attackers might use this vulnerability in conjunction with credential harvesting techniques to broaden their access and impact within the domain, aiming to secure domain admin privileges.

• CVSS Base Score: 7.8
• CVSS Temporal Score: 6.8

These scores indicate significant potential risks, underscored by the threat of unauthorized elevation to domain administrator level, which could impact the confidentiality, integrity, and availability of systems managed within the domain.

Organizations with suboptimal configurations of certificate services are particularly vulnerable. Enterprises that have implemented AD CS without adhering to best practices in managing certificate templates are at increased risk of substantial security breaches. Sectors with extensive, complex IT infrastructures such as finance, healthcare, or government should closely monitor and remediate this vulnerability to prevent potential exploits.

Microsoft Exchange Server Spoofing Vulnerability (CVE-2024-49040)

CVE-2024-49040 is a spoofing vulnerability in Microsoft Exchange Server, classified under CWE-451: User Interface (UI) Misrepresentation of Critical Information. This vulnerability results from inadequate handling and verification of the P2 FROM header within the transport layer of Microsoft Exchange. Such handling permits the passage of non-RFC 5322 compliant headers, leading to potential misrepresentation of the email sender in applications like Microsoft Outlook.

The primary issue lies in how Exchange processes these headers, enabling attackers to construct emails that falsely appear to be from legitimate sources. This capability is particularly useful for spear phishing and other forms of email-based deception.

This vulnerability poses a risk to any organization utilizing Microsoft Exchange Server to manage email traffic, particularly if they have not implemented the latest security updates.

Attackers can exploit this vulnerability to execute convincing spoofing attacks that may result in successful phishing schemes. Unwitting users could be deceived into downloading malicious content or divulging sensitive information, under the impression that the communication is from a trusted source.

• Attack Vector: Network (the attack can be carried out remotely over the network)
• Attack Complexity: Low (relatively straightforward for attackers to exploit under the right conditions)
• Privileges Required: None (no advanced permissions are necessary for exploitation)
• User Interaction: None (the attack does not require victim interaction to succeed)
• Publicly Disclosed: Yes
• Exploited in the Wild: There are no reports of active exploitation
• Exploitation More Likely: Given the nature of the vulnerability, there is a significant risk of exploitation if it remains unaddressed.

This vulnerability can play a critical role in broader phishing and social engineering campaigns aimed at securing access to login credentials or other sensitive data. Spoofed emails could also serve as vehicles for delivering malicious payloads, including ransomware or remote access trojans, which can further manipulate or extract valuable information.

• CVSS Base Score: 7.5
• CVSS Temporal Score: 6.7

These scores indicate a significant threat level, highlighting the potential of spoofing vulnerabilities to severely disrupt organizational communication channels and compromise integrity.

Organizations that depend heavily on Microsoft Exchange for business communications, especially those in sectors like finance, legal, and healthcare, face considerable risk. These industries rely critically on email as a primary means of communication. Without robust security measures, such organizations are more susceptible to successful phishing attacks and other deceptive strategies, potentially resulting in data breaches or financial losses.

CVE-2024-49040 underscores the importance of diligent email security practices and the necessity for ongoing vigilance in updating and securing enterprise email systems to mitigate potential threats.

Windows Kerberos Remote Code Execution Vulnerability (CVE-2024-43639)

One of the most critical vulnerabilities identified recently is CVE-2024-43639, a Remote Code Execution (RCE) vulnerability within the Windows Kerberos authentication protocol, categorized under CWE-197: Numeric Truncation Error. This issue arises from the improper handling of numerical data within Kerberos operations, where data truncation can lead to incorrect values being processed, thus opening pathways for remote exploitation.

Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities. This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code.

This vulnerability affects Windows systems that utilize Kerberos for authentication. Considering Kerberos’ extensive role in enterprise environments for secure authentication and ticket granting across networks, a vast number of active directories and domain controllers globally are at risk.

Attackers can execute arbitrary code on affected systems, gaining control over domain controllers or other critical network resources. Successful exploitation of this vulnerability could lead to unauthorized access, lateral movement within the network, and possibly complete network compromise.

• Attack Vector: Network (enabling remote exploitation across network boundaries)
• Attack Complexity: Low (relatively straightforward to exploit once the appropriate vectors are identified)
• Privileges Required: None (does not require prior authentication or special privileges)
• User Interaction: None (the attack can proceed without any user involvement)
• Publicly Disclosed: No
• Exploited in the Wild: No reports of real-world exploitation to date
• Exploitation Less Likely: Despite its severity, the technical complexity required for successful exploitation makes it less likely in the short term.

This vulnerability could be leveraged to escalate privileges or gain control over additional network resources once initial access is secured. While the vulnerability itself does not require interaction, combining it with phishing or spear-phishing tactics could enable broader network infiltration.

• CVSS Base Score: 9.8
• CVSS Temporal Score: 8.5

These scores reflect the extreme criticality of the vulnerability, indicating its potential for widespread impact and the severity of compromising a network service without requiring user action or elevated privileges.

Any organization using Windows domains that rely on Kerberos for authentication is at risk. This encompasses nearly every medium-to-large business, governmental organization, and any entity with a complex network infrastructure. A successful exploit could result in catastrophic breaches, including full domain compromise and unrestricted access to sensitive data.

In conclusion, CVE-2024-43639 highlights critical vulnerabilities that can arise in core service protocols such as Kerberos, affecting the foundational elements of secure communication and authentication within networks. Despite the current lower likelihood of immediate exploitation due to its non-disclosure and lack of active exploits in the wild, the potential damage necessitates proactive vulnerability management and patching strategies to protect against future exploitation attempts.

Google Chrome

Google recently patched a critical vulnerability in Chrome, designated CVE-2024-10487, with the launch of Chrome version 130. This release addresses two security issues, including a severe memory mismanagement problem in Dawn, a universal framework implementing the WebGPU standard. WebGPU facilitates high-performance graphics and computational capabilities on the web, directly interfacing with system hardware. This makes the bug particularly alarming as it could potentially enable remote code execution (RCE), one of the most perilous types of exploits. Such an exploit could allow attackers to remotely run malicious code and possibly take complete control of affected systems.

The issue, identified only a week prior by Google and reported to Apple’s Security Engineering and Architecture (SEAR) team, pertains specifically to an out-of-bounds write in Dawn. While WebGPU is also utilized in Firefox and Safari, it remains unclear if these browsers are similarly vulnerable to CVE-2024-10487. Although Google has not reported any active exploitation in the wild, the theoretical consequences of such a vulnerability could be dire, as out-of-bounds writes can be exploited for RCE.

Additionally, the update rectifies another vulnerability, CVE-2024-10488, characterized as a high-severity use-after-free (UAF) flaw in WebRTC. UAF vulnerabilities are critical as they can be exploited to execute arbitrary code or crash systems, potentially leading to denial-of-service attacks. This underscores the critical need for strict memory management and continuous code reviews in software development.

Mozilla Firefox

Mozilla has rolled out updates for Firefox and Thunderbird with versions 132 of each, addressing a total of 11 vulnerabilities shared across the browser and email client. These updates include fixes for two high-severity issues. The first, CVE-2024-10458, involves a permission leak where a trusted site could inadvertently expose permissions to an untrusted site. In an era where data privacy is crucial, even minor leaks could escalate into significant privacy issues if exploited. The second high-severity flaw, CVE-2024-10459, is a use-after-free vulnerability that could lead to exploitable system failures.

The remaining vulnerabilities, classified from medium to low severity, could potentially facilitate spoofing, cross-site scripting (XSS) attacks, data leaks, denial-of-service (DoS), and remote code execution (RCE) conditions. It’s important to recognize that vulnerabilities of lower severity can still serve as components in more complex, multi-stage attacks. Cyber attackers often exploit chains of such vulnerabilities to magnify the impact of their attacks, making it essential to address these issues as part of a comprehensive cybersecurity strategy.

Additionally, a zero-day vulnerability in Mozilla Firefox, designated CVE-2024-9680, is currently being exploited in active attacks. This zero-day was identified by ESET researchers and is described as a post-release memory leak that manifests as a use-after-free error within the browser’s animation timeline. This timeline manages the graphical representation of all animations related to an element or its dependent elements. Affecting both the latest standard and Extended Support Releases (ESR) of Firefox, the urgent nature of this flaw prompted Mozilla to issue an emergency update. Given its active exploitation and the uncertain scope of its targeting, users are strongly advised to prioritize updating their software to mitigate potential risks.

Apple

Apple has released security updates for iOS 18 and macOS Sequoia 15, addressing over 70 vulnerabilities across these platforms, including several that could lead to file system elevation. The updates, iOS 18.1 and iPadOS 18.1, now available for mobile devices, fix 28 vulnerabilities that range from information disclosure to heap corruption and access to restricted files. Apple has enhanced various security aspects such as authentication, memory management, and content handling to mitigate these vulnerabilities.

Similarly, macOS Sequoia 15.1 rectifies 59 flaws, sharing 15 common issues with iOS and addressing additional vulnerabilities found in third-party dependencies and various system components like App Support and WebKit.

These updates come shortly after Apple discontinued Sequoia due to compatibility issues with security tools. Apple also rolled out patches for older device versions in iOS 17.7.1 and iPadOS 17.7.1, addressing 17 vulnerabilities, alongside updates for macOS Sonoma 14.7.1 and macOS Ventura 13.7.1, each containing over 40 fixes. Additional security updates were also provided for watchOS, tvOS, and visionOS.

In related news, Imperva researchers have uncovered a resource exhaustion vulnerability, dubbed ShadyShader, affecting new iPhones and Macs with M-series processors. This vulnerability, which exploits GPU processing via nested loops, can cause devices to crash suddenly. It triggers when users access WebGL content with malicious shader code, potentially delivered through various digital mediums like emails or malicious links. This vulnerability, which requires no user authorization, can overload the GPU, causing system-wide freezes and crashes.

Apple has since updated its GPU drivers in 2023 to address this issue, securing users of the latest iOS and macOS versions against such attacks. However, the vulnerability’s potential for broader exploitation remains a concern, as similar behaviors have been observed in devices like Google Pixel phones and even Tesla cars, indicating that any system with a GPU and browser might be at risk.

Cisco

Cisco has released patches for a series of vulnerabilities affecting its Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products. Among these, a significant issue, CVE-2024-20481 with a CVSS score of 5.8, impacts the Remote Access VPN (RAVPN) service on the ASA and FTD. This vulnerability could allow remote, unauthenticated attackers to trigger a denial of service (DoS) condition by inundating the system with VPN authentication requests. The vulnerability only affects devices that are running susceptible versions of the software and have the RAVPN service enabled.

The observed attacks, as noted by Cisco, are part of a widespread brute-force campaign targeting VPN and SSH services across multiple vendors including Checkpoint, Fortinet, SonicWall, MikroTik, Draytek, and Ubiquiti, which began in April 2024.

Cisco’s bi-annual advisories also highlighted 50 other vulnerabilities, including three critical issues for which proof of concepts are available, though no active exploits have been reported. These include CVE-2024-20377, CVE-2024-20387, and CVE-2024-20388, all of which are disclosure bugs in FMC.

A notable critical vulnerability in ASA, CVE-2024-20329 with a CVSS score of 9.9, could allow an authenticated remote attacker to execute OS commands with root privileges through SSH, potentially taking full control of the system. In the FMC, CVE-2024-20424 also with a CVSS of 9.9, involves the possibility of an authenticated remote attacker sending specially crafted HTTP requests to execute arbitrary commands on the device.

For the FTD, a critical vulnerability tracked as CVE-2024-20412 (CVSS 9.3) impacts Cisco Firepower 1000, 2100, 3100, and 4200 series firewalls. This flaw allows a local, unauthenticated attacker to access the device’s command line interface using static credentials.

In addition to these, Cisco addressed 10 high-severity vulnerabilities in FTD, many of which also affect ASA. Another high-severity issue patched concerns the Adaptive Security Virtual Appliance (ASAv) and Secure Firewall Threat Defense Virtual (FTDv), involving a flaw that could enable execution of arbitrary code with root privileges.

Furthermore, Cisco patched a high-severity vulnerability in its Ultra-Reliable Wireless Backhaul (URWB) industrial wireless systems, identified as CVE-2024-20418. Discovered in the web-based management interface of Cisco Unified Industrial Wireless Software, this vulnerability could be exploited through low-complexity command injection attacks that do not require user interaction. The flaw, resulting from improper input validation, could allow unauthenticated attackers to execute arbitrary commands with root privileges on the underlying operating system.

The vulnerability specifically affects Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Secure Access Points and Wireless Clients, and Catalyst IW9167E Heavy Duty Access Points, but only under specific conditions where vulnerable software is installed and URWB mode is operational. Cisco’s PSIRT confirms there is no publicly available exploit nor reports of real-world exploits, advising administrators to check the status of URWB to determine vulnerability exposure.

Android

Google has recently addressed two zero-day vulnerabilities out of 51 identified in its November security updates for Android, which have been targeted in recent attacks.

The first zero-day, CVE-2024-43047, is a significant post-release memory consumption issue within Qualcomm’s closed components of the Android kernel, leading to elevation of privilege (EoP). This vulnerability, initially identified by Qualcomm in early October 2024, pertains to an issue in the Digital Signal Processor (DSP) service.

The second zero-day, CVE-2024-43093, is a high-severity vulnerability that also results in EoP, specifically impacting the Android Framework component and Google Play system updates, particularly in the Documents user interface. The discoverer of CVE-2024-43093 has not been disclosed by Google.

While Google typically does not reveal how vulnerabilities are exploited, the discovery of CVE-2024-43047 by Amnesty International researchers suggests its association with spyware.

Of the remaining 49 vulnerabilities addressed in this update, they affect Android versions 12 through 15, with only one—CVE-2024-38408, also a Qualcomm-related issue—being rated as critical. Google has implemented two patch levels this month: the first on November 1 (patch level 2024-11-01) addressing 17 major vulnerabilities, and the second on November 5 (patch level 2024-11-05) covering these same issues plus additional vendor-specific fixes, including those from Qualcomm and MediaTek.

However, it’s important to note that Android 11 and earlier versions are no longer supported and may only receive security updates for critical issues that are actively exploited, through Google Play system updates, though such updates are not guaranteed.

Opera

Guardio Security has identified a vulnerability in the Opera browser that enables extensions to access the browser’s private APIs, which support its own features like cryptocurrency wallets, VPN, pinboard, and more. This vulnerability does not impact other Chromium-based browsers.

The flaw could allow attackers to develop and distribute malicious extensions through the official Chrome Web Store, targeting specifically Opera users. Although Opera issued patches in late September to address this issue, users may still be exposed to certain limited attack scenarios.

WordPress

The developers of the WordPress plugin Jetpack have issued an emergency update to address a critical vulnerability. This flaw allowed logged-in users to access forms submitted by other site visitors. Jetpack, a popular plugin by Automattic, enhances website functionality, security, and performance and is currently installed on 27 million websites. The vulnerability, discovered during an internal audit, has been present in all versions of the plugin since version 3.9.9, released in 2016. Automattic has now patched 101 vulnerable versions of Jetpack.

Site owners using Jetpack should verify whether their plugin has automatically updated to one of the patched versions or manually update if necessary.

Despite no evidence of exploitation over the eight years the vulnerability has existed, Jetpack urges users to update to the patched version promptly. With the release of the update, the vulnerability may attract attempts at exploitation, and no workaround exists—updating is the only recommended solution. Details on the vulnerability and methods of exploitation have been withheld temporarily to allow users time to install the updates.

Separately, Patchstack has alerted users to a critical elevation of privilege (EoP) vulnerability in the LiteSpeed Cache WordPress plugin, which boasts six million installations. Identified as CVE-2024-50550, this vulnerability stems from weak hash validation in the plugin’s “role simulation” function. This function, designed to allow a scanner to simulate different user roles, utilizes weak security hash values stored in cookies, which are predictable due to limited randomness. Despite the hash values being 32 characters long, an attacker could potentially brute-force them to within one million combinations. Successful exploitation would enable an attacker to assume the role of an administrator, potentially leading to unauthorized actions such as installing arbitrary plugins or malware, accessing internal databases, or editing pages.

This vulnerability was discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024. After a fully functional proof of concept (PoC) was completed on October 10th, Patchstack contacted LiteSpeed Technologies, which released a fix in version 6.5.2 of the plugin on October 17th. The update enhances the randomness of the hash function values, significantly mitigating the risk of brute force attacks. Since the release of the patch, about 2 million sites have updated, but approximately 4 million remain vulnerable.

GitLab

GitLab has released critical patches for its Community Edition (CE) and Enterprise Edition (EE) versions, specifically releases 17.4.2, 17.3.5, and 17.2.9. These updates address a total of eight vulnerabilities, categorized by their severity levels. One vulnerability is rated as critical, four as high severity, two as medium severity, and one as low severity.

The critical vulnerability, identified as CVE-2024-9164 with a CVSS score of 9.6, affects GitLab EE across multiple versions from 12.5 up to the latest patched versions. This vulnerability enables pipelines to execute on arbitrary branches. Among the high-severity vulnerabilities are CVE-2024-8970 and CVE-2024-8977, both rated at 8.2 on the CVSS scale, followed by CVE-2024-9631 with a CVSS of 7.5, and CVE-2024-6530 at 7.3. The medium severity vulnerabilities are CVE-2024-9623, rated at 4.9, and another CVE-2024-9623, rated at 4.3. The lowest severity issue, CVE-2024-9596, has a CVSS of 3.7.

As of now, there have been no reports of these vulnerabilities being exploited in the wild.

IBM

A critical vulnerability has been discovered in IBM Power Systems servers that could potentially allow unauthorized access and complete control over affected systems. This vulnerability, identified as CVE-2024-45656, arises from the use of static credentials within the IBM Flexible Service Processor (FSP)—a key component tasked with managing and monitoring the hardware and firmware of the server. Assigned a CVSS score of 9.8, this flaw underscores the high severity and potential for significant malicious impact. An attacker with network access could exploit this vulnerability to gain FSP maintenance privileges, potentially leading to full server control. Such access could enable attackers to steal sensitive data, disrupt operations, or deliver malware.

This vulnerability impacts a broad spectrum of IBM Power Systems servers, including Power8, Power9, and Power10 models running certain firmware versions. Notably, all previous firmware versions for these products are also at risk, including those no longer supported officially by IBM. In response, IBM has released a critical security bulletin and is urging users to promptly update their FSP firmware. The necessary fixes are available for download via IBM Fix Central.

Given the severity of this issue, organizations utilizing IBM Power Systems are strongly advised to prioritize patching their systems to mitigate the risk of compromise.

NVIDIA

Nvidia has released urgent updates to address eight high-severity vulnerabilities affecting its graphics processor drivers for Windows and Linux, as well as its virtual graphics processing unit (vGPU) software. The company has patched five vulnerabilities in the Windows graphics drivers that allow an unprivileged user to execute out-of-range reads. These vulnerabilities, tracked from CVE-2024-0117 to CVE-2024-0121, could potentially be exploited for remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, and data manipulation.

Additionally, CVE-2024-0126 affects Nvidia’s GPU drivers for both Windows and Linux, enabling a privileged attacker to elevate privileges with similar consequences as the other vulnerabilities mentioned.

Updates have also been issued for Nvidia’s range of products including GeForce, NVIDIA RTX, Quadro, NVS, and Tesla across multiple driver branches: Windows R565, R560, R555, R550, and R535, as well as Linux R565, R550, and R535. It’s important to note that previous versions of the software might also be vulnerable.

Moreover, Nvidia has remedied two further vulnerabilities in its vGPU software. The first, CVE-2024-0127, found in the vGPU Manager GPU kernel driver, could allow a guest OS user to exploit improper input validation and potentially compromise the guest OS kernel. This vulnerability could lead to RCE, DoS, EoP, information disclosure, and data manipulation. The second vulnerability, CVE-2024-0128, located in the vGPU Manager itself, permits a guest OS user to access global resources, which could also lead to EoP, information disclosure, and data manipulation.

Nvidia advises users to apply these patches immediately to mitigate the risks associated with these vulnerabilities.

VMware

VMware is making a renewed effort to rectify a remote code execution (RCE) vulnerability in vCenter Server, initially discovered during the Matrix Cup 2024 held in June in the PRC. A previous attempt to patch this vulnerability, tracked as CVE-2024-38812 with a CVSS score of 9.8 out of 10, was not fully successful. The patches released on September 17, 2024, did not completely address the issue, which involves a heap overflow in the Distributed Computing Environment/Remote Procedure Call (DCERPC) protocol implementation within vCenter Server.

An attacker could exploit this vulnerability by sending a specially crafted network packet to vCenter Server, potentially leading to remote code execution.

In addition to the CVE-2024-38812 patch, VMware has also released a fix for another vulnerability, CVE-2024-38813, which has a CVSS score of 7.5 out of 10. This elevation of privilege (EoP) vulnerability can similarly be triggered by sending a specially crafted network packet. Users are urged to apply these patches promptly to protect their systems from potential exploits.

Atlassian

Atlassian has issued patches for high-severity vulnerabilities affecting its Bitbucket, Confluence, and Jira Service Management platforms. For Bitbucket Data Center and Server, a critical update has been released to address CVE-2024-21147, a vulnerability in the Java Runtime Environment (JRE) that could permit unauthorized access and modification of critical data.

The updates for Confluence Data Center and Server remedy four critical issues, including two vulnerabilities in the Moment.js JavaScript date library that were publicly disclosed in 2022. These are CVE-2022-24785 and CVE-2022-31129, identified as path traversal and regular expression denial of service (ReDoS) vulnerabilities respectively, both of which can be exploited without authentication. Additionally, Atlassian has patched CVE-2024-4367, an XSS vulnerability that allows authenticated attackers to execute arbitrary HTML or JavaScript code in a user’s browser, and CVE-2024-29131, an Apache Commons configuration issue that could result in a denial of service (DoS).

For Jira Service Management Data Center and Server, the update addresses CVE-2024-7254, a Protobuf buffer overflow issue that could potentially disrupt service availability.

As of now, there have been no reports of these vulnerabilities being exploited in the real world.

Samsung

Samsung has issued updates to address CVE-2024-44068, a vulnerability in devices equipped with Exynos processors, specifically within the m2m1shot_scaler0 driver used for image and video processing. This use-after-free vulnerability, discovered by Google researchers, has been assigned a CVSS rating of 8.1 and impacts devices containing Exynos 9820, 9825, 980, 990, 850, and W920 processors.

Google has reported that this zero-day was exploited as part of a broader exploit chain. It originated from a memory corruption issue that allowed attackers to access and execute malicious code on previously freed memory locations. The exploit involved the misuse of PFNMAP pages, which were erroneously bound to virtual I/O pages. Attackers could exploit this flaw via IOCTL calls to manipulate the driver, enabling a kernel space mirroring attack. This could potentially lead to the overwriting of kernel page tables and allow attackers to perform arbitrary operations with system privileges. The attack could be executed using mmap and mincore system calls, which trace the binding of memory to I/O pages and inadvertently release memory, leaving the driver to operate on invalid pages.

In response, Samsung has revised the object reference management for PFNMAP pages in the affected drivers to prevent the reuse of freed memory, effectively mitigating the vulnerability. The security update, SMR-Oct-2024, has been made available for all affected devices, and users are strongly encouraged to install this update promptly to reduce the risk of potential exploitation.

Kubernetes

A critical vulnerability in Kubernetes has been identified that could allow unauthorized SSH access to virtual machines running images created using the Kubernetes Image Builder. This vulnerability, designated CVE-2024-9486, affects virtual machine images crafted using the Proxmox vendor in versions of Image Builder up to 0.1.37. The issue arises from the use of default credentials during the image creation process, which are not subsequently disabled, providing an attacker with the opportunity to use these credentials to gain root access via SSH.

To mitigate this vulnerability, users are advised to rebuild the affected virtual machine images using Kubernetes Image Builder version v0.1.38 or later. This updated version introduces a randomly generated password during the build process and disables the default builder account. If upgrading is not immediately feasible, users can temporarily secure their systems by disabling the builder account with the command: usermod -L builder.

This vulnerability also affects images created with other platforms such as Nutanix, OVA, QEMU, or raw formats. However, the risk is considered moderate for these platforms due to additional conditions needed for successful exploitation. Known alternatively as CVE-2024-9594, the vulnerability is exploitable only during the build process and requires that an attacker gain access to the virtual machine that is creating the image and perform specific actions to preserve the default credentials for later use. The same mitigation recommendations provided for CVE-2024-9486 apply to CVE-2024-9594.

GitHub

GitHub has issued a warning regarding a patch for a critical vulnerability in its Enterprise Server that could potentially allow unauthorized access. The bug, tracked as CVE-2024-9487 with a CVSS score of 9.5, was identified in May 2024 during the development of a patch for another critical vulnerability, CVE-2024-4985. This earlier issue involved an authentication bypass that allowed attackers to spoof SAML responses and gain administrative access.

CVE-2024-9487 represents a variant of the original bug, similarly resulting in an authentication bypass. It specifically allows attackers to bypass the SSO SAML single sign-on authentication when the optional encrypted assertions feature is used, due to improper verification of cryptographic signatures in GitHub Enterprise Server. It is important to note that encrypted assertions are not enabled by default. Instances of Enterprise Server that do not use SAML SSO or that use authentication without encrypted assertions remain unaffected. Moreover, exploiting this vulnerability would require an attacker to have direct network access and a signed SAML response or metadata document.

The resolution for this issue has been implemented in GitHub Enterprise Server versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. These updates also address a medium-severity information disclosure issue, tracked as CVE-2024-9539, which could be exploited through malicious SVG files. For successful exploitation, an attacker would need to lure a user into clicking on a URL linked to a downloaded asset, potentially allowing the attacker to access user metadata and create a phishing page.

These vulnerabilities were discovered through GitHub’s BugBounty program, and there have been no reported real-world exploitations. Additionally, version 3.14.2 of GitHub Enterprise Server enhances security by removing the functionality that allowed copying repository settings from actions in the admin console, which previously could expose sensitive data in HTML forms.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: November 2024 Vulnerability Digest from Action1