Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: MICROSOFT PATCH TUESDAY AUGUST 2024 PATCHES 88 VULNERABILITIES (7 CRITICAL, 10 ZERO-DAY VULNERABILITIES INCLUDING 6 ACTIVELY EXPLOITED IN THE WILD). PATCH IMMEDIATELY!
Image
Published : 14/08/2024
Reference:
Advisory #2024-202
Version:
1.1
Affected software:
Multiple Microsoft software. For a detailed overview of affected products & technologies please consult https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug.
Type:
Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS:
Microsoft patched 88 vulnerabilities in its August 2024 Patch Tuesday release, 7 rated as critical, 80 rated important, and 1 moderate; including 10 zero-days among which 6 are actively exploited.Number of CVEs by type:
- 36 Elevation of Privilege vulnerabilities
- 29 Remote Code Execution vulnerabilities
- 8 Information Disclosure vulnerabilities
- 7 Spoofing vulnerability
- 6 Denial of Service vulnerabilities
- 1 Security Feature Bypass vulnerability
- 1 Tampering vulnerability
Sources
Microsoft Patch Tuesday August 2024 - https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug
Risks
Microsoft’s August 2024 Patch Tuesday includes 88 vulnerabilities (7 critical, 80 important, 1 moderate, 0 low) for a wide range of Microsoft products, impacting Microsoft Servers and Workstations.
This Patch Tuesday includes 10 zero-day vulnerabilities, 6 of which are actively exploited in the wild. These zero-day vulnerabilities target different Windows products and range from remote code execution and elevation of privilege to security feature bypass.
This month’s Patch Tuesday does not fix all reported zero-day vulnerabilities, but mitigation measures are made available online for those where a patch is not yet available.
Other notable CVEs include CVE-2024-38063, a remote code execution vulnerability abusing the Windows TCP/IP protocol to target IPv6 packets, CVE-2024-38141, an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2024-38153, an elevation of privilege vulnerability for Windows Kernel.
Description
Microsoft has released multiple patches for vulnerabilities covering a wide range of products.
These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.
The CCB would like to point your attention to the following vulnerabilities:
Actively exploited vulnerabilities
CVE-2024-38178 – Windows Scripting Engine
Remote code execution vulnerability
According to Microsoft, the attack requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution. This link must be clicked from a Microsoft Edge browser in Internet Explorer Mode.
While these requirements limit the exploitability of this CVE, the South Korean National Cyber Security Center (NCSC) and AhnLab observed active exploitation.
CVE-2024-38193 - Windows Ancillary Function Driver for WinSock
Elevation of privilege vulnerability
An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
To note: Microsoft reported on CVE-2024-38141, a similar elevation of privilege vulnerability also affecting Windows Ancillary Function Driver for Winsock. While not actively exploited, Microsoft assesses the exploitability of CVE-2024-38141 as “More Likely”.
UPDATE 2024-12-12: CVE-2024-38193 is reported as actively exploited by Lazarus group. Furthermore a proof-of-concept (PoC) exploit is available increasing the likelihood of exploitation by both sophisticated and opportunistic threat actors. Patch immediately.
CVE-2024-38189 – Microsoft Office Project
Remote code execution vulnerability
Exploitation of this vulnerability requires 2 elements:
- The victim has to open a malicious Microsoft Office Project file, delivered via email or hosted on a compromised or actor-controlled website; and
- The victim’s system has disabled security features; namely “Block macros from running in Office files from the Internet” policy is disabled and the “VBA Macro Notification Settings” are not enabled.
CVE-2024-38213 – Windows Mark of the Web (MOTW)
Security Feature Bypass vulnerability
This vulnerability allows the attacker to create files that bypass the SmartScreen user experience. Windows Mark of the Web is an attractive target for threat actors who have repeatedly bypassed this security feature to conduct phishing campaigns.
Exploitation of this vulnerability requires the victim to open a malicious file.
CVE-2024-38106 – Windows Kernel
Elevation of privilege vulnerability
An attacker who successfully exploits this vulnerability could gain SYSTEM privileges. The attacker must win a race condition in order to successfully exploit this vulnerability.
To note: In this month’s Patch Tuesday, Microsoft also released fixes for 2 other important elevation of privilege vulnerabilities affecting Windows Kernel (CVE-2024-38133 and CVE-2024-38153). Attackers who exploit these vulnerabilities could gain SYSTEM privileges. Neither was detected as exploited in the wild yet, but Microsoft assesses CVE-2024-38153 would likely be exploited.
CVE-2024-38107 – Windows Power Dependency Coordinator
Elevation of privilege vulnerability
This vulnerability could give attackers SYSTEM privileges on the Windows device.
Zero-day vulnerabilities
CVE-2024-38199 – Windows Line Printer Daemon (LPD) Service
Remote code execution
This vulnerability allows the attacker to perform remote code execution on the server by sending a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network.
To note, LPD is deprecated since Windows Server 2012 and is not installed or enabled by default.
CVE-2024-21302 – Windows Secure Kernel Mode
Elevation of privilege vulnerability
A flaw exists in Windows 10, Windows 11, Windows Server 2016, and higher based systems including Azure Virtual Machines that support Virtualization Based Security (VBS). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
This vulnerability enables an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS.
A fix is not yet available. In the meantime, Microsoft published mitigation measures including an opt-in revocation policy.
CVE-2024-38200 – Microsoft Office
Spoofing vulnerability
Exploitation of this vulnerability requires the victim to click on a specifically crafted file. It is important to note that an alternative fix was enabled via Feature Flighting on 30 July 2024 so that all in-support versions of Microsoft Office and Microsoft 365 are protected against this vulnerability. Microsoft recommends users still install the Patch Tuesday August 2024 update for a final version of the fix. In the meantime, Microsoft published mitigation measures.
CVE-2024-38202 – Windows Update Stack
Elevation of privilege vulnerability
A flaw in the Windows Update Stack enables an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). However, for this exploit to be successful, an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user. The attacker must have permissions to access the target's System directory to plant the malicious folder that would be used as part of the exploitation.
A fix is not yet available.
Other critical vulnerabilities
CVE-2024-38063 – Windows TCP/IP
Remote code execution
Successful exploitation of this CVE would allow an attacker to execute arbitrary code on the target system with SYSTEM privileges, therefore giving the attacker full control over the compromised machine.
This vulnerability affects all supported Windows and Windows Server versions, including Server Core installations.
This 0-click vulnerability can be remotely exploited by sending specially crafted IPv6 packets to a target host. It is important to note that only IPv6 packets can be abused. Systems are not affected if IPv6 is disabled on the target machine.
While not actively exploited, Microsoft has rated the vulnerability as “Exploitation More Likely”.
CVE-2024-38206 – Microsoft Copilot Studio
Information disclosure vulnerability
An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network.
This vulnerability is already fully mitigated by Microsoft.
CVE-2024-38109 – Azure Health Bot
Elevation of privilege vulnerability
An authenticated attacker can exploit an Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network.
This vulnerability is already fully mitigated by Microsoft.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
Tenable - https://www.tenable.com/blog/microsofts-august-2024-patch-tuesday-addresses-88-cves
Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/
The Hacker News - https://thehackernews.com/2024/08/microsoft-issues-patches-for-90-flaws.html
CISA - Actively exploited vulnerabilities added on 13 August 2024: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Cybersecurity News - https://cybersecuritynews.com/0-click-rce-windows-tcp-ip/
Securityonline - https://securityonline.info/lazarus-group-exploits-microsoft-zero-days-cve-2024-38193-patch-urgently/
Securityonline - https://securityonline.info/windows-zero-day-vulnerability-cve-2024-38193-exploited-in-the-wild-poc-published/