Reference:
Advisory #2024-238
Version:
1.1
Affected software:
Microsoft Products
Type:
Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS:
Microsoft patched 117 vulnerabilities in its October 2024 Patch Tuesday release, with 3 rated as critical, 113 rated important, and 1 moderate, including four zero-day vulnerabilities and two vulnerabilities that are actively exploited.
Number of CVEs by type:
- 42 Remote Code Execution vulnerabilities
- 28 Elevation of Privilege vulnerabilities
- 26 Denial of Service vulnerabilities
- 7 Spoofing vulnerabilities
- 7 Security Feature Bypass vulnerabilities
- 6 Information Disclosure vulnerabilities
- 1 Tampering vulnerability
Sources
https://msrc.microsoft.com/update-guide/en-us/releaseNote/2024-OCT
Risks
Microsoft's October 2024 Patch Tuesday includes 117 vulnerabilities (3 critical, 113 important and 1 moderate) for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes two actively exploited vulnerabilities and four 0-Days. Some other vulnerabilities are also more likely to be exploited soon; therefore, urgent patching is advised.
Description
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called "Patch Tuesday" and contain security fixes for Microsoft devices and software.
The CCB would like to point your attention to the following vulnerabilities:
CVE-2024-43572: Microsoft Management Console (Actively exploited – Zero-day)
Remote Code Execution Vulnerability. An attacker could exploit this CVE by convincing a vulnerable target through social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code. According to Microsoft, CVE-2024-43572 was exploited in the wild as a zero-day. The vulnerability was assigned a CVSSv3 score of 7.8, rated as important.
Microsoft also patched another RCE vulnerability, CVE-2024-38259, in the Microsoft Management Console. This vulnerability was patched in their September 2024 Patch Tuesday.
CVE-2024-43573: Windows MSHTML Platform (Actively exploited – Zero-day)
Spoofing Vulnerability. An unauthenticated, remote attacker could exploit this vulnerability by convincing a potential target to open a malicious file. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. The vulnerability was assigned a CVSSv3 score of 6.5 and rated moderate. Note that this is Microsoft's fourth zero-day vulnerability patched in the Windows MSHTML Platform. The (older) vulnerabilities CVE-2024-30040, CVE-2024-38112 and CVE-2024-43461 were already patched in previous Microsoft Patch Tuesdays. CVE-2024-38112 and CVE-2024-43461 were used as part of an exploit chain by an advanced persistent threat (APT) actor known as Void Banshee.
CVE-2024-43583: Winlogon (Zero-day)
Elevation of Privilege Vulnerability. A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. The vulnerability was assigned a CVSSv3 score of 7.8, rated as important. This vulnerability was also publicly disclosed before a patch was made available. Microsoft advises an extra action in addition to patching this vulnerability: you should ensure that a Microsoft first-party IME is enabled on your device. Doing so can help protect your device from potential vulnerabilities associated with a third-party (3P) IME during the sign-in process.
CVE-2024-20659: Windows Hyper-V (Zero-day)
Security Feature Bypass Vulnerability. Successful exploitation would allow an attacker to bypass a Virtual Machine's Unified Extensible Firmware Interface (UEFI) on the host machine, compromising both the hypervisor and secure kernel. It was assigned a CVSSv3 score of 7.1, is rated as important and assessed as "Exploitation Less Likely" according to Microsoft. This is likely because successfully exploiting this vulnerability requires multiple conditions, such as specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity-level token. The vulnerability can only be exploited if an attacker first gains access to a restricted network. The vulnerability was publicly disclosed before a patch was made available.
CVE-2024-43468: Microsoft Configuration Manager
Remote Code Execution Vulnerability. An attacker can leverage this vulnerability without prior authentication by sending a specially crafted request to a vulnerable machine, resulting in RCE on the machine or its underlying database. This vulnerability received a critical CVSSv3 score of 9.8, but according to Microsoft, it is listed as "Exploitation Less Likely".
CVE-2024-38124: Windows Netlogon
Remote Code Execution Vulnerability. An authenticated attacker with LAN access could exploit this vulnerability by predicting the name of a new domain controller and renaming their computer to match it. An attacker would need to establish and maintain a secure channel while renaming their computer to its original name. Once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller, potentially compromising the entire domain. This vulnerability received a CVSSv3 score of 9 and is categorized as important.
CVE-2024-43582: Remote Desktop Protocol Server
Remote Code Execution Vulnerability. To exploit this vulnerability, an unauthenticated attacker must send malformed packets to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. This vulnerability received a CVSSv3 score of 8.1 but is categorized as "Exploitation Less Likely". This is likely because successful exploitation requires an attacker to win a race condition.
CVE-2024-43488: Visual Studio Code extension for Arduino
Remote Code Execution Vulnerability. This critical RCE vulnerability affects the Visual Studio Code extension for Arduino. It received a CVSSv3 score of 8.8. The vulnerability allows attackers to execute code remotely on affected systems through network-based attacks. As a form of mitigation, Microsoft has removed the extension from its Visual Studio Code marketplace and deprecated it on October 1, 2024. Microsoft recommends its customers use Arduino IDE software instead. No action is needed for this vulnerability.
CVE-2024-43533 & CVE-2024-43599: Remote Desktop Client
Remote Code Execution Vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. The vulnerabilities received a CVSSv3 score of 8.8. Because an attacker would need an already compromised server, these vulnerabilities are categorized as "Exploitation Less Likely".
CVE-2024-43532: Remote Registry Service
Elevation of Privilege Vulnerability. This high-severity EoP vulnerability affects the Remote Registry Service. It received a CVSSv3 score of 8.8. An attacker could trigger an RPC call to an RPC host through a specially crafted script and gain SYSTEM privileges. A Proof-of-Concept (PoC) was released for this vulnerability, making it more likely to be exploited.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
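As an added example (not part of this CCB advisory or of Microsoft's guidance), the following PowerShell script helps verify on a single Windows host whether the October 2024 release has been applied: it lists updates installed on or after the 8 October 2024 Patch Tuesday date and then asks the Windows Update Agent which updates are still pending. It assumes it is run with administrator rights on the host being checked and that the standard Windows Update Agent COM interface (Microsoft.Update.Session) is available; it does not itself install anything.

```powershell
# Added example, not part of the CCB advisory: verify Windows Update state on this host.
# Assumptions: run elevated on the host under review; Windows Update Agent COM API present.

# October 2024 Patch Tuesday release date (from the advisory)
$patchTuesday = [datetime]'2024-10-08'

# 1. Updates already installed since the release date (same data as "View update history")
$installedSince = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

if ($installedSince) {
    "Updates installed on or after $($patchTuesday.ToString('yyyy-MM-dd')):"
    $installedSince | Format-Table -AutoSize
} else {
    "No updates installed since $($patchTuesday.ToString('yyyy-MM-dd')); the October 2024 release is probably missing."
}

# 2. Updates Windows Update still considers missing on this host
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

if ($result.Updates.Count -eq 0) {
    "No pending software updates reported by Windows Update."
} else {
    "Pending updates ($($result.Updates.Count)):"
    foreach ($update in $result.Updates) {
        # KBArticleIDs is a string collection; MsrcSeverity is empty for non-security updates
        $kbs      = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
        "  [{0}] {1} ({2})" -f $severity, $update.Title, $kbs
    }
}
```

The pending-updates query relies on the host's configured update source (Windows Update, WSUS or another management channel), so a host pointed at a WSUS server that has not yet approved the October updates will report nothing pending even though it is unpatched; compare the result against the MSRC release note linked under Sources rather than trusting an empty list on its own.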
Monitor/Detect
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.theregister.com/2024/10/08/patch_tuesday_october_2024/