Patch Tuesday September 2024 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- Microsoft Windows Update Remote Code Execution Vulnerability (CVE-2024-43491)
- Windows Installer Elevation of Privilege Vulnerability (CVE-2024-38014)
- Microsoft SharePoint Server Remote Code Execution Vulnerabilities (CVE-2024-38018 & CVE-2024-43464)
- Microsoft SQL Server Remote Code Execution Vulnerabilities Overview
- Third-party application vulnerabilities:
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft has addressed 79 vulnerabilities, a slight decrease from last month, including seven critical ones. Four zero-days have been fixed, with one being critical and one of the zero-days having been publicly disclosed. Here are the details of the most significant critical updates.
Microsoft Windows Update Remote Code Execution Vulnerability (CVE-2024-43491)
The CVE-2024-43491 vulnerability (CVSS: 9.8) represents a critical remote code execution (RCE) issue in the servicing stack of Windows 10, specifically the initial version (1507) released in July 2015. This vulnerability emerged due to a rollback of fixes for certain previously mitigated vulnerabilities following the installation of security updates from March to August 2024. This rollback inadvertently occurred due to a code defect in the servicing stack triggered by build version numbers.
-
- Weakness (CWE-416: Use After Free): The core flaw is a “Use After Free” memory corruption issue where the system erroneously accesses freed memory, leading to potential undefined behavior or code execution.
- Root Cause: Beginning with the March 12, 2024 update (KB5035858), a code defect in the servicing stack for Windows 10 version 1507 misidentified Optional Components as “not applicable,” reverting them to their release-to-manufacturer (RTM) version and unintentionally rearming previously mitigated vulnerabilities.
- Affected Systems: Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB, specifically systems that installed the mentioned updates between March and August 2024.
- Max Threat Severity: Critical
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Publicly Disclosed: No
- Exploited in the Wild: Yes
- Exploitability Assessment: Exploitation has been detected for previously addressed CVEs that were rolled back, but not specifically for CVE-2024-43491.
Attack Scenarios & Potential Impact
An attacker can exploit this vulnerability over the network without any user interaction or elevated privileges. Successful exploitation may lead to arbitrary code execution, enabling attackers to control the affected systems. Also, this RCE vulnerability could be combined with local privilege escalation exploits to deepen the attack’s impact, allowing attackers to move laterally within network infrastructure.
Given the widespread adoption and specific prolonged usage of LTSB versions, a significant number of enterprises worldwide could still be using these older systems, potentially exposing tens of thousands of devices to attacks. The “Use After Free” flaw arising from servicing stack issues highlights the cascading effects that can stem from an error in seemingly mundane system components. Moreover, while direct exploitation of CVE-2024-43491 hasn’t been publicly confirmed, the exposure risk remains high.
Windows Installer Elevation of Privilege Vulnerability (CVE-2024-38014)
CVE-2024-38014 is a zero-day vulnerability with a CVSS score of 7.8, classified as an important elevation of privilege (EoP) issue within the Windows Installer component. This vulnerability enables an attacker with low privileges to escalate their rights to SYSTEM-level, representing a significant security threat. The issue stems from improper privilege management in the Windows Installer, which is essential for the installation, maintenance, and removal of software on Windows systems.
-
- Weakness (CWE-269: Improper Privilege Management): The core weakness is the improper management of privilege escalation paths by the Windows Installer, allowing low-privilege users to perform high-privilege actions.
- Root Cause: The vulnerability arises because Windows Installer does not correctly manage privileges during certain operations, which can be exploited to obtain SYSTEM privileges.
- Affected Systems: This issue affects systems from Windows 10 and Windows Server 2008 onward, including new devices like Copilot+ that come with this version pre-installed.
- Max Threat Severity: Important
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Publicly Disclosed: No
- Exploited in the Wild: Yes
- Exploitability Assessment: There is evidence of exploitation in the wild.
Attack Scenarios & Potential Impact:
Successful exploitation grants SYSTEM privileges, allowing full control over the host system, including system modifications, arbitrary software installations, and potentially disabling security measures. When combined with other attack vectors, this EoP vulnerability can enable sophisticated and damaging intrusion campaigns, allowing attackers to potentially navigate through defenses and achieve administrative control.
It can act as a secondary stage in multi-vector attacks, where an initial breach through another vulnerability is escalated using CVE-2024-38014.
Given the Windows Installer’s critical role across various Windows versions, both enterprise environments and individual user devices are at risk, accounting for potentially thousands of vulnerable organizations and millions of devices. This is particularly crucial for new devices like Copilot+ running Windows 11, version 24H2, which ship with the vulnerable version pre-installed, posing significant exposure if not promptly updated.
Microsoft SharePoint Server Remote Code Execution Vulnerabilities (CVE-2024-38018 & CVE-2024-43464)
Continuing with critical vulnerabilities in Microsoft SharePoint, both CVE-2024-38018 and CVE-2024-43464 present significant remote code execution (RCE) risks within Microsoft SharePoint Server, stemming from a common weakness: deserialization of untrusted data (CWE-502). Despite their similarities, crucial differences in exploitability metrics and required privileges impact their potential exploitation scenarios.
CVE-2024-38018
-
- Weakness (CWE-502): This vulnerability arises from the system deserializing untrusted data, which could allow attackers to execute arbitrary code.
- CVSS Score: 8.8 / 7.7
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Publicly Disclosed: No
- Exploited: No
- Exploitability Assessment: Exploitation More Likely
- Weakness (CWE-502): This vulnerability arises from the system deserializing untrusted data, which could allow attackers to execute arbitrary code.
Attackers with at least “Site Member” permissions can exploit this vulnerability by crafting specially designed content, enabling them to execute remote code on the SharePoint Server without elevated privileges. Potential impact includes full system compromise, data exfiltration, or further lateral movement within the network.
CVE-2024-43464
-
- Weakness (CWE-502): Similar to CVE-2024-38018, this vulnerability results from unsafe deserialization practices.
CVSS Score: 7.2 / 6.3 - Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Publicly Disclosed: No
- Exploited: No
- Weakness (CWE-502): Similar to CVE-2024-38018, this vulnerability results from unsafe deserialization practices.
Attackers with “Site Owner” permissions or higher can upload a maliciously crafted file and trigger the deserialization flaw via specialized API requests to execute arbitrary code.
Differences Between CVE-2024-38018 and CVE-2024-43464
-
- CVE-2024-38018 is more accessible due to lower privilege requirements, thus carrying a slightly higher risk profile.
- CVE-2024-43464, while critical, requires higher privileges for exploitation, making it less likely to be exploited but still a significant risk.
- Both vulnerabilities can serve as initial footholds for more extensive campaigns. After initial compromise via low-privilege access (CVE-2024-38018), an attacker could elevate their privileges and use the necessary permissions (CVE-2024-43464) to maintain persistence and further extend their control within the SharePoint environment.
- These vulnerabilities could be used together with other exploits to exfiltrate sensitive information, manipulate documents, or install backdoors for future remote access.
- CVE-2024-38018 is more accessible due to lower privilege requirements, thus carrying a slightly higher risk profile.
Potential Impact:
Any organization using Microsoft SharePoint Server 2016 and higher is potentially at risk, especially those with extensive internal document management and collaboration systems. Given SharePoint’s widespread use in global enterprises, potentially tens of thousands of installations could be vulnerable.
Both CVE-2024-38018 and CVE-2024-43464 highlight the criticality of secure deserialization practices in enterprise software. The lower privilege requirement for CVE-2024-38018 makes it more readily exploitable, underscoring the need for stringent access controls even at lower levels. Conversely, CVE-2024-43464’s requirement for higher privileges indicates a reduced attack surface but still poses a significant risk for privileged insider threats or following an initial network intrusion.
Microsoft SQL Server Remote Code Execution Vulnerabilities Overview
This set of vulnerabilities pertains to Microsoft SQL Server, each presenting unique technical characteristics and potential impacts. Any organization using Microsoft SQL Server, particularly those with significant data storage and processing needs, is at risk. Given the global use of SQL Server across various industries, potentially millions of instances could be vulnerable.
All vulnerabilities enable an attacker to execute arbitrary code but differ in their root causes and technical weaknesses.
- CVE-2024-37340
- Weakness: Untrusted Pointer Dereference (CWE-822), leading to potential memory corruption and arbitrary code execution.
- CVSS Score: 8.8 / 7.7
- Attack Vector: Network
- Privileges Required: Low
- User Interaction: None
- Exploited: No
- Exploitability Assessment: Exploitation less likely
- Authenticated Attack: Attackers with authenticated access can exploit this vulnerability by leveraging SQL Server Native Scoring to apply pre-trained models.
- Weakness: Untrusted Pointer Dereference (CWE-822), leading to potential memory corruption and arbitrary code execution.
- CVE-2024-37339
- Weakness: Similar to CVE-2024-37340, involving an untrusted pointer dereference.
- Exploitability Assessment: Exploitation less likely
- Authenticated Attack: Attackers can exploit this vulnerability in a similar manner as CVE-2024-37340.
- Weakness: Similar to CVE-2024-37340, involving an untrusted pointer dereference.
- CVE-2024-37338
- Weakness: Out-of-bounds Read (CWE-125), potentially leading to arbitrary code execution.
- Authenticated Attack: Attackers can exploit the vulnerability by leveraging authenticated access to use SQL Server Native Scoring.
- Weakness: Out-of-bounds Read (CWE-125), potentially leading to arbitrary code execution.
- CVE-2024-37335
- Weakness: Heap-based Buffer Overflow (CWE-122), which can corrupt memory and lead to arbitrary code execution.
- Authenticated Attack: Exploitation involves authenticated access and using SQL Server Native Scoring.
- Weakness: Heap-based Buffer Overflow (CWE-122), which can corrupt memory and lead to arbitrary code execution.
- CVE-2024-26191
- Weakness: Heap-based Buffer Overflow (CWE-122), similar to CVE-2024-37335.
- Authenticated Attack: Attackers use a similar method to exploit this vulnerability by leveraging SQL Server Native Scoring.
- Weakness: Heap-based Buffer Overflow (CWE-122), similar to CVE-2024-37335.
- CVE-2024-26186
- Weakness: Use After Free (CWE-416), a memory safety issue that can lead to arbitrary code execution.
- Authenticated Attack: The attack method follows the same pattern as the other vulnerabilities, using authenticated access to SQL Server Native Scoring.
- Weakness: Use After Free (CWE-416), a memory safety issue that can lead to arbitrary code execution.
Differences Between the Vulnerabilities
-
- CVE-2024-37340 & CVE-2024-37339: Both involve Untrusted Pointer Dereference (CWE-822).
- CVE-2024-37338: Involves Out-of-bounds Read (CWE-125).
- CVE-2024-37335 & CVE-2024-26191: Both involve Heap-based Buffer Overflow (CWE-122).
- CVE-2024-26186: Involves Use After Free (CWE-416).
- CVE-2024-37340 & CVE-2024-37339: Both involve Untrusted Pointer Dereference (CWE-822).
The primary differences among these vulnerabilities lie in the type of memory corruption and technical weakness, although all enable remote code execution.
These vulnerabilities underscore the persistent risks associated with handling data securely in SQL Server environments. Regular patching and updating, along with stringent access controls, are critical for mitigating the risk of remote code execution and protecting sensitive organizational data from compromise. Additionally, consistent application of security updates like GDR and CU is crucial to shield against known vulnerabilities and future threats that may exploit similar weaknesses.
Google Chrome
Google has issued a warning about a newly exploited high-severity vulnerability in Chrome, which has been addressed in the latest Chrome version 128. This comes shortly after a stable release of Chrome 128, which fixed a zero-day vulnerability; now, another bug fixed in the same update is also being exploited in the wild.
The vulnerability, identified as CVE-2024-7965 with a CVSS score of 8.8, involves an improper implementation in the JavaScript V8 engine. This flaw allows a remote attacker to cause heap corruption through specially crafted HTML pages. If a user visits a compromised or malicious webpage, this vulnerability could enable an attacker to execute code or access sensitive information. Although Google has confirmed the exploitation of this vulnerability, the company has not specified whether it was initially exploited as a zero-day.
This issue also potentially affects other web browsers that utilize the Chromium engine, such as Edge and Opera. CVE-2024-7965 impacts Chrome versions up to 128.0.6613.84, a version that also includes patches for 37 other vulnerabilities. Among these is CVE-2024-7971, a type confusion bug in the V8 engine that was indeed exploited as a zero-day. CISA has provided evidence that CVE-2024-7971 was exploited in a campaign by North Korea’s Citrine Sleet.
Mozilla Firefox
In Firefox version 130, 13 vulnerabilities have been addressed, with seven classified as dangerous. Five of these dangerous vulnerabilities stem from memory issues, such as buffer overflows and accessing previously freed memory areas. These vulnerabilities could potentially allow the execution of an attacker’s code when opening specially crafted pages. Additionally, two dangerous issues are related to type confusion.
Here are the top three notable vulnerabilities:
-
- CVE-2024-8385: WASM Type Confusion Involving ArrayTypes (CVSS 9.8). This vulnerability originates from a type confusion issue in WebAssembly (WASM) that arises due to differences in handling StructFields and ArrayTypes. This confusion can lead to incorrect memory access and manipulation, potentially allowing an attacker to execute arbitrary code within the browser’s context. The high impact of this vulnerability could lead to severe consequences such as data exfiltration, system compromise, or complete hijacking of the user session.
- CVE-2024-8381: Type Confusion When Looking Up a Property Name in a “with” Block (CVSS 9.8). This vulnerability is caused by the JavaScript engine’s improper handling of property names within a “with” block, resulting in a type confusion scenario. This could lead to arbitrary code execution if an attacker crafts JavaScript that exploits the type confusion, compromising the browser’s security mechanisms.
- CVE-2024-8388: Fullscreen Notice on Android Could Be Hidden Under Various Panels and OS Prompts (CVSS 5.3). On Android devices, certain Firefox and OS prompts and panels can obscure the fullscreen notification, creating potential for UI spoofing. This vulnerability allows a malicious website to disguise phishing attempts or other malicious activities by hiding essential UI elements, misleading the user. This vulnerability follows a similar issue previously identified as CVE-2023-6870.
Veeam
Veeam has issued security updates to address 18 high and critical severity vulnerabilities across its products, including Veeam Backup & Replication, Service Provider Console, and One.
The most critical issue resolved is CVE-2024-40711, a remote code execution vulnerability in Veeam Backup & Replication, which has a CVSS v3.1 score of 9.8. This vulnerability could potentially be exploited without authentication. According to Veeam, there is no evidence that these vulnerabilities have been exploited in the wild.
GitHub
A critical vulnerability impacting multiple versions of GitHub Enterprise Server has been identified, which allows for authentication bypass, potentially granting an attacker administrator privileges. This vulnerability, designated as CVE-2024-6800, has a CVSS 4.0 score of 9.5.
The vulnerability is an XML signature wrapping issue that enables attackers to spoof Security Assertion Markup Language (SAML) responses. Specifically, on GitHub Enterprise Server instances that utilize SAML single sign-on (SSO) authentication with certain Identity Providers (IdPs), an attacker could forge a SAML response to access a user account with site administrator privileges.
According to the FOFA search engine, over 36,500 GitHub Enterprise Server (GHES) instances are currently accessible online, with the majority—approximately 29,200—located in the U.S. It remains unclear how many of these instances are running the vulnerable version.
GitHub has addressed this issue in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. Alongside this fix, the updates also address two other medium-severity vulnerabilities:
- CVE-2024-7711 (CVSS: 5.3): an authorization vulnerability that allows an attacker to modify the header, responsible parties, and labels of any issue in a public repository.
- CVE-2024-6337 (CVSS: 5.9): an authorization vulnerability permitting an attacker to access content from a closed repository via a GitHub application.
GitHub has issued a warning that some services may generate errors during the configuration process after applying these security updates, though the instance should still start up correctly.
Fortra FileCatalyst
Fortra has issued a warning about a critical vulnerability involving a hard-coded password in FileCatalyst Workflow. This vulnerability allows unauthorized access to the internal Workflow HyperSQL database (HSQLDB), enabling data theft and the ability to gain administrator privileges.
The security flaw allows attackers to use the database credentials to create new administrator users, thus granting them full control over the FileCatalyst Workflow application. The issue, tracked as CVE-2024-6633 with a CVSS v3.1 score of 9.8, affects FileCatalyst Workflow 5.1.6 Build 139 and earlier versions. Users are strongly advised to upgrade to version 5.1.7 or later to mitigate this risk.
Fortra’s security bulletin notes that HSQLDB is intended only for use during the installation process and is not meant for production use. The company recommends that users switch to alternative database solutions post-installation. Those who have not switched to an alternate database as recommended remain at risk from any source capable of reaching HSQLDB.
Currently, there are no mitigation methods or workarounds available, and system administrators are urged to apply the security updates immediately.
CVE-2024-6633 was identified by researchers from Tenable on July 1, 2024, after discovering the static password “GOSENSGO613” in all FileCatalyst Workflow deployments. Tenable has clarified that the internal HSQLDB is remotely accessible via TCP port 4406 under the product’s default settings, highlighting the critical nature of this vulnerability.
It is important to note that end users cannot change this password through conventional means; the only solution is upgrading to version 5.1.7 or later. The high level of access, ease of exploitation, and the significant potential for cybercriminals to leverage CVE-2024-6633 make this an extremely dangerous vulnerability for FileCatalyst Workflow users.
This situation underscores the importance of timely security updates, especially as Fortra solutions are often targeted by attackers, and critical vulnerabilities can lead to widespread compromises across multiple corporate networks simultaneously.
Microsoft Downdate
SafeBreach researcher Alon Leviev has developed a tool called Windows Downdate, which facilitates version downgrade attacks on modern systems, including Windows 10, Windows 11, and Windows Server. Such attacks enable perpetrators to force fully-updated devices to revert to older software versions, reintroducing vulnerabilities that can be exploited to compromise the system.
Windows Downdate is available both as a Python-based open-source program and a pre-compiled Windows executable.
Leviev has also outlined use cases for the tool that enable downgrades of various components such as the Hyper-V hypervisor (to a version two years old), the Windows kernel, NTFS driver, Filter Manager driver (to their base versions), and other Windows components, including previously applied security patches. The tool provides straightforward examples for rolling back patches for vulnerabilities like CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault, as well as for downgrading hypervisor, kernel, and UEFI VBS locks.
At the Black Hat 2024 conference, Leviev demonstrated a Windows Downdate downgrade attack exploiting CVE-2024-21302 and CVE-2024-38202.
The use of Windows Downdate is particularly insidious as it goes undetected by Enterprise Detection and Response (EDR) systems, and the Windows Update Center will still report the target system as up-to-date, despite the downgrades.
While Microsoft released an update on August 7 to address the Windows Secure Kernel Mode privilege escalation vulnerability CVE-2024-21302, there remains no patch for CVE-2024-38202, a privilege escalation vulnerability within the Windows update stack.
In the absence of a patch for CVE-2024-38202, Microsoft recommends that customers adhere to best practices for safeguarding against Windows downgrade attacks.
Adobe
Adobe has released a comprehensive update package addressing 72 vulnerabilities, alerting users on Windows and macOS about the potential risks of remote code execution (RCE), memory leaks, and denial-of-service (DoS) attacks.
In Acrobat Reader, 12 vulnerabilities have been patched, with 8 classified as critical. Notably, at least four of these vulnerabilities were actively exploited in real-world scenarios.
For Adobe Commerce, among the 23 vulnerabilities addressed, 7 are considered critical. This includes CVE-2024-39397, which has a CVSS score of 9.0 and pertains to an RCE vulnerability that allows an unauthenticated user to download files.
Ivanti
Ivanti has announced the patching of new critical vulnerabilities in its products Neurons for ITSM, Avalanche, and Virtual Traffic Manager (vTM), addressing a series of potential security issues and attacks.
In Neurons for ITSM, two key vulnerabilities have been resolved. The first, an information disclosure issue identified as CVE-2024-7569 with a CVSS score of 9.6, could allow an unauthenticated attacker to obtain an OIDC client secret through debugging information. The second vulnerability, CVE-2024-7570 with a CVSS score of 8.3, involves improper certificate validation that could enable a remote attacker in a man-in-the-middle (MiTM) position to create a token granting any user access to ITSM.
In Virtual Traffic Manager, the critical vulnerability CVE-2024-7593, with a CVSS score of 9.8, which allowed remote attackers to bypass authentication and create an administrator account in the admin panel, has been patched.
Additionally, Ivanti has released patches for five high-severity vulnerabilities in Avalanche, which include four vulnerabilities that permit unauthenticated attackers to conduct denial-of-service (DoS) attacks or read arbitrary files on the server. While Ivanti has not identified any real-world exploitation of these vulnerabilities, a proof of concept (PoC) is available for the critical vulnerability in vTM.
Industrial Control Systems
Leading Industrial Control System (ICS) vendors Siemens, Schneider Electric, Rockwell Automation, and Aveva have issued their monthly security advisories for ICS.
Siemens has released nine advisories covering approximately 50 vulnerabilities. Around 30 of these flaws were found in the SINEC Network Management System (NMS), receiving critical and high severity ratings. Most vulnerabilities pertain to third-party components, including CVE-2023-44487, which has been exploited in large-scale HTTP/2 Rapid Reset DDoS attacks. Siemens has also addressed high-risk vulnerabilities leading to remote code execution (RCE), denial of service (DoS), or information disclosure in multiple products, including Intralog WMS, Teamcenter Visualization, JT2Go, NX, Scalance M-800, Sinec Traffic Analyzer, and Comos. Additionally, medium severity issues related to password protection in Location Intelligence and Logo have been rectified.
Schneider Electric has introduced two bulletins. The first highlights a vulnerability in EcoStruxure Machine SCADA Expert and Blue Open Studio stemming from an issue in an Aveva component, potentially leading to privilege escalation. The second bulletin details a high-severity DoS vulnerability in Accutech Manager software, which affects the configuration and monitoring of Accutech wireless sensors and can be exploited without authentication.
Aveva has reported three new alerts, all marked with high severity. These address a DoS vulnerability in SuiteLink Server, code execution and file manipulation errors in Aveva Reports for Operations, and a SQL injection bug in Historian Server.
Rockwell Automation has announced nine new advisories addressing 10 vulnerabilities with medium to high severity levels. These include RCE vulnerabilities in AADvance and FactoryTalk products, DoS vulnerabilities in CompactLogix, GuardLogix, ControlLogix, and Micro controllers. Furthermore, Rockwell has resolved an authentication bypass issue in DataMosaix, a DLL hijacking vulnerability in Emulate3D, and an unencrypted data issue in Pavilion8.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
