In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, Fortinet, SAP, and Ivanti.
Multiple zero-day vulnerabilities have been discovered, and a significant number of them are reported to have been exploited in the wild.
Microsoft
August is here, and so is another round of security updates from Microsoft. This month, the software giant has fixed 90 vulnerabilities across various products and services. This includes 10 zero-days, 6 of which are known to have been actively exploited in the wild.
The bulk of the patches relate to Windows, Office, .NET, Azure, Copilot, Dynamics, Teams, and Secure Boot.
In this blog post, I will give you an overview of some of the most significant vulnerabilities that Microsoft has addressed in this Patch Tuesday.
1. CVE-2024-38178 – This is a zero-day memory corruption vulnerability in the Microsoft Scripting Engine that can allow an attacker to execute arbitrary code in the context of the current user when Edge is running in IE mode. The attack works by convincing a user to visit a specially crafted website. It is rated Important and has a CVSS score of 7.8. Since it is known to have been exploited in the wild, users should patch this vulnerability as soon as possible.
2. CVE-2024-38193 – This is an Elevation of Privilege (EoP) vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys). It allows an attacker to gain SYSTEM privileges on the affected system by leveraging a flaw in the driver, which serves as the kernel entry point for the Winsock API. The vulnerability is known to be exploited in the wild; therefore, users are urged to patch it as soon as possible.
3. CVE-2024-38106 – This is an EoP vulnerability in the Windows Kernel. This vulnerability is similar to the one outlined above, in that it allows an attacker to gain SYSTEM level privileges on the affected system. This attack method involves exploiting a race condition in the Windows Kernel. A race condition occurs when the timing of events affects the program’s behaviour, potentially leading to unexpected outcomes. In this case, an attacker can exploit the race condition to escalate their privileges to SYSTEM level, which is the highest level of access on a Windows system. This could allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. Microsoft recommends patching as soon as possible as this exploit has been detected in the wild.
4. CVE-2024-38107 – This is another critical EoP vulnerability, this time affecting the Windows Power Dependency Coordinator (a concept similar to standby mode on a television), with a CVSSv3 score of 7.8. It allows attackers to gain elevated privileges, potentially leading to full control over the compromised system. It has been exploited in the wild as a zero-day, making it particularly dangerous.
5. CVE-2024-38189 – This is a Remote Code Execution (RCE) vulnerability in Microsoft Project that can allow an attacker to execute arbitrary code remotely, potentially leading to full control over the affected system. For the attack to succeed, the system must have the "Block macros from running in Office files from the Internet" policy turned off and the "VBA Macro Notification Settings" deactivated. Because it can be exploited via email and the web, it is rated critical with a CVSS score of 8.8.
6. CVE-2024-38213 – This is a security feature bypass vulnerability in Windows that can allow an attacker to bypass the “Mark of the Web” (MOTW) security feature, which marks files downloaded from the Internet as untrusted. The attack involves tricking a user into opening a specially crafted file, which could be hosted on a file server or website, or sent via a phishing email. Although it has a CVSS score of only 6.5, it is known to have been exploited in the wild and has low attack complexity; therefore, it is recommended to patch this as soon as possible.
Adobe
Adobe has released 11 patches this month, addressing 71 vulnerabilities. Fourteen of these were reported through the Zero Day Initiative (ZDI). The largest share of fixes went to Adobe Commerce. Adobe has assigned all of these updates a deployment priority rating of 3, meaning they relate to products that have historically not been targeted by attackers. The applications in question are:
· Adobe Photoshop, Substance 3D Stager, InCopy, and Substance 3D Designer – 1 Critical
· Adobe Illustrator – 1 Critical and 6 Important
· Adobe Dimension – 3 Critical and 3 Important
· Adobe Bridge – 2 Critical and 1 Moderate
· Adobe Substance 3D Sampler – 1 Critical and 3 Important
Cisco
Cisco has so far released 6 advisories for 8 vulnerabilities in August, with impact ratings ranging from Medium to Critical. The Critical vulnerabilities relate to the Cisco SSM On-Prem password change function and the web UI of Cisco Small Business SPA 300 Series and SPA 500 Series IP Phones.
The Cybersecurity and Infrastructure Security Agency (CISA) advises organisations to review their Cisco device configurations. This includes disabling Cisco Smart Install and reviewing the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.
Additionally, Type 8 password protection is recommended for all Cisco devices to protect passwords stored within configuration files. Further guidance is available from CISA.
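As an added illustration of the two CISA recommendations above (not code from the original post or from Cisco/CISA), the script below audits a constructed IOS-style running configuration: it flags Smart Install as enabled unless `no vstack` is present, and classifies every credential line by its password type so that anything other than Type 8 (PBKDF2-SHA256) or Type 9 (scrypt) is reported for remediation. The config text and hash values are constructed placeholders.

```python
import re
from typing import Iterable, List, Tuple

# Cisco IOS password/secret type numbers and how a reviewer should treat them.
# Types 8 (PBKDF2-SHA256) and 9 (scrypt) are the ones CISA and Cisco recommend.
PASSWORD_TYPES = {
    "0": ("plaintext", "weak"),
    "4": ("unsalted SHA-256 (deprecated)", "weak"),
    "5": ("salted MD5", "weak"),
    "7": ("reversible Vigenere-style encoding", "weak"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}

# Matches "enable secret 8 $8$...", "username x privilege 15 secret 9 $9$...",
# " password 7 0822..." and the type-less form "enable password cisco".
# "service password-encryption" does not match because no whitespace follows "password".
_PW_RE = re.compile(r"^\s*(.*?\b(?:secret|password))\s+(?:(\d)\s+)?(\S+)\s*$")

# Constructed sample configuration (hashes are placeholders, not real digests).
SAMPLE_CONFIG = """\
hostname core-sw1
service password-encryption
enable password cisco123
enable secret 5 $1$abcd$EXAMPLEHASHONLY
username ops privilege 15 secret 9 $9$EXAMPLESALT$EXAMPLEHASH
line vty 0 4
 password 7 0822455D0A16
vstack
""".splitlines()


def smart_install_enabled(config_lines: Iterable[str]) -> bool:
    """Smart Install (vstack) is on by default on many switches; treat it as
    enabled unless the running config explicitly contains 'no vstack'."""
    return not any(line.strip() == "no vstack" for line in config_lines)


def audit_passwords(config_lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return one finding per credential line: (line, type, algorithm, verdict)."""
    findings = []
    for line in config_lines:
        m = _PW_RE.match(line)
        if not m:
            continue
        pw_type = m.group(2) or "0"  # no type number means plaintext (Type 0)
        algo, verdict = PASSWORD_TYPES.get(pw_type, ("unknown", "review"))
        findings.append((line.strip(), pw_type, algo, verdict))
    return findings


def weak_credential_lines(config_lines: Iterable[str]) -> List[str]:
    """Credential lines that should be migrated to Type 8 or Type 9."""
    return [f[0] for f in audit_passwords(config_lines) if f[3] != "ok"]
```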
Fortinet
Fortinet has addressed 3 vulnerabilities in August: 2 Medium, and 1 Low severity. The Medium severity vulnerabilities are:
1. CVE-2024-21757 – This is an unverified password change vulnerability in Fortinet FortiManager and FortiAnalyzer versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.4, and 7.4.0 through 7.4.1. It allows an attacker to modify admin passwords via the device configuration backup.
2. CVE-2024-36505 – This is an improper access control vulnerability in FortiOS versions 7.4.0 through 7.4.3, 7.2.5 through 7.2.7, 7.0.12 through 7.0.14, and 6.4.x. It allows an attacker who has already obtained write access to the underlying system to bypass the file integrity checking system.
SAP
SAP has released 17 new security notes and 8 updates to previous security notes. Six of these CVEs are rated “High” or “Hot News” (Very High). The products affected by the High to Very High rated CVEs are:
· SAP BusinessObjects Business Intelligence Platform
· SAP Build Apps
· SAP BEx Web Java Runtime Export Web Service
· SAP S/4 HANA
· SAP NetWeaver AS Java
· SAP Commerce Cloud
Ivanti
Ivanti has released security updates to address vulnerabilities in the following software:
· Security Advisory: Ivanti Avalanche
· Security Advisory: Ivanti Neurons for ITSM
· Security Advisory: Ivanti Virtual Traffic Manager (vTM)
Noteworthy Vulnerabilities
“0.0.0.0 Day” - Cybersecurity experts have identified an 18-year-old browser vulnerability that affects macOS and Linux users but spares Windows (because Microsoft blocks the address at the OS level). The flaw arises from how web browsers handle HTTP requests to 0.0.0.0, allowing malicious sites to reach local network services and potentially execute arbitrary code remotely.
The vulnerability, present in major browsers including Google Chrome, Mozilla Firefox, and Apple Safari, lets pages on public domains interact with local services, circumventing protections such as Private Network Access (PNA). This gap, which has existed unnoticed since 2006, is particularly alarming because of its simplicity and the broad access it grants attackers.
In response to this, browsers are improving their security standards by blocking access to 0.0.0.0 completely, and the HTTP Fetch specification is being updated to prevent this address from being a target IP in Fetch requests.
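As an added, defender-side illustration (not code from the original post or from any browser vendor), the check below shows how a local service can refuse the request shape this flaw relies on: a Host header naming the unspecified address 0.0.0.0 (or ::) together with an Origin or Sec-Fetch-Site value that says the request came from a public site. All header values are constructed; binding local services to 127.0.0.1 rather than 0.0.0.0, plus the browser-side block described above, remain the primary mitigations.

```python
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlsplit

LOCAL_NAMES = {"localhost"}


def _host_is_loopback(hostport: str) -> bool:
    """True only for Host/Origin authorities that name the loopback interface.
    '0.0.0.0' and '::' are the *unspecified* address, not loopback, so they fail."""
    host: Optional[str] = urlsplit("//" + hostport).hostname  # drops port and [] around IPv6
    if host is None:
        return False
    if host in LOCAL_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback and not addr.is_unspecified


def is_trusted_local_request(headers: Dict[str, str]) -> bool:
    """Accept a request to a local-only service only if every browser-supplied
    signal says it originated locally. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. The request must be addressed to loopback, never to 0.0.0.0 / ::.
    if not _host_is_loopback(h.get("host", "")):
        return False
    # 2. Modern browsers label cross-site fetches; reject them outright.
    if h.get("sec-fetch-site", "").lower() == "cross-site":
        return False
    # 3. If an Origin is present it must itself be a loopback origin ("null" fails).
    origin = h.get("origin")
    if origin is not None and not _host_is_loopback(urlsplit(origin).netloc):
        return False
    return True


# Constructed headers modelled on the attack shape: a public page fetches
# http://0.0.0.0:8000/, so the browser sends Host: 0.0.0.0 with a public Origin.
ATTACK_HEADERS = {"Host": "0.0.0.0:8000", "Origin": "https://attacker.example",
                  "Sec-Fetch-Site": "cross-site"}
# Constructed headers for a legitimate same-origin request from a local tool.
LEGIT_HEADERS = {"Host": "127.0.0.1:8000", "Origin": "http://127.0.0.1:8000",
                 "Sec-Fetch-Site": "same-origin"}
```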
Industrial Control Systems
Customers using industrial control systems (ICS) should be aware of ten security advisories covering the following solutions:
· ICSA-24-226-01 AVEVA SuiteLink Server
· ICSA-24-226-02 Rockwell Automation AADvance Standalone OPC-DA Server
· ICSA-24-226-03 Rockwell Automation GuardLogix/ControlLogix 5580 Controller
· ICSA-24-226-04 Rockwell Automation Pavilion8
· ICSA-24-226-05 Rockwell Automation DataMosaix Private Cloud
· ICSA-24-226-06 Rockwell Automation FactoryTalk View Site Edition
· ICSA-24-226-07 Rockwell Automation Micro850/870
· ICSA-24-226-08 Ocean Data Systems Dream Report
· ICSA-24-226-09 Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, Compact GuardLogix 5380
· ICSA-24-226-10 Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, and Compact GuardLogix 5380
As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.
