Post-Patch Tuesday Roundup: July 2024 | Softcat

Post-Patch Tuesday Roundup: July 2024

Welcome to the Softcat Patch Tuesday roundup for July 2024, where I’m excited to offer insight into the significant patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, Fortinet, SAP, and VMware.


David Hewson

Cyber Assessment Team Leader

Microsoft

In their July Patch Tuesday release, Microsoft addressed 142 vulnerabilities, 5 of which were rated Critical, along with 4 zero-day vulnerabilities. The patches cover a wide array of applications and services, including Windows, Visual Studio, Exchange, .NET, Office, SharePoint, Azure, and more.

This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Security Feature Bypass. Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:

Critical

1. CVE-2024-38060 – This is a Remote Code Execution vulnerability in the Windows Imaging Component that can allow an attacker to execute arbitrary code on the affected system. It has a CVSS score of 8.8 and is rated as Critical. An authenticated attacker could exploit the vulnerability by uploading a malicious TIFF file to a server.

Important (items 1 & 2 are actively exploited zero-days, whilst items 2 & 4 are publicly disclosed)

1. CVE-2024-38080 – This is an Elevation of Privilege vulnerability in Windows Hyper-V that can allow an attacker to gain SYSTEM privileges. It has a CVSS score of 7.8 and is rated as Important. The attack method involves exploiting an integer overflow or wraparound weakness (CWE-190) with a low attack complexity and does not require user interaction.

2. CVE-2024-38112 – This is a Spoofing vulnerability in Windows MSHTML Platform that can allow an attacker to trick a victim into executing a malicious file, thereby exposing resources to the wrong sphere. It has a CVSS score of 7.5 and is rated as Important. The attack method involves a highly complex network-based attack that requires user interaction, where an attacker would send the victim a malicious file that the victim must execute.

3. CVE-2024-35264 – This is a Remote Code Execution vulnerability in .NET and Visual Studio that can allow an attacker to execute arbitrary code remotely. It has a CVSS score of 8.1 and is rated as Important. The attack method involves exploiting a use-after-free weakness (CWE-416) by closing an HTTP/3 stream while the request body is being processed, leading to a race condition. This requires a high attack complexity, with no privileges or user interaction needed.

4. CVE-2024-37985 – This is an Information Disclosure vulnerability in ARM-based operating systems that can allow an attacker to view heap memory from a privileged process running on the server. It has a CVSS score of 5.9 and is rated as Important. The attack method involves exploiting processor optimisation issues, requiring significant preparation by the attacker.

Users are urged to patch actively exploited zero-day vulnerabilities as a priority.

OpenSSH

The Qualys Threat Research Unit (TRU) has discovered an unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) prevalent in glibc-based Linux systems. The vulnerability (CVE-2024-6387) has been aptly dubbed “regreSSHion” as it was previously identified and patched in 2006; unfortunately, this issue was then reintroduced in 2020 with a commit that removed the function securing it. A successful exploit of this could lead to full system compromise including Remote Code Execution with the highest privileges.

This vulnerability affects a huge number of systems, with Qualys’s research indicating that over 14 million potentially vulnerable OpenSSH server instances are exposed to the Internet. A list of all affected versions can be found here.

OpenSSH have released a patch for this in version 9.8 which can be found here. However, many other vendors are also pushing patches for their systems that include this vulnerability.

Qualys have provided a brilliant (if quite long!) write up of this which can be found here.
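As an added triage helper (not part of the original post, nor OpenSSH or Qualys code), the script below classifies sshd version banners against the regreSSHion window. The 9.8 fix version is stated in the post; the 4.4p1 and 8.5p1 boundaries are taken from the Qualys advisory the post links to, and the banners used as input are constructed samples. It also handles the caveat the post raises: vendors ship their own patches, so a distro-suffixed banner inside the window is flagged for verification rather than called vulnerable.

```python
"""Triage OpenSSH version banners against the regreSSHion (CVE-2024-6387) window.

Constructed example for this post; not OpenSSH or Qualys code. Version
boundaries follow the Qualys advisory linked from the post (the post itself
names only the 9.8 fix). A banner match is a triage hint, not proof: vendors
ship backported fixes without bumping the upstream version string.
"""
import re

# Matches "OpenSSH_9.2p1 Debian-2+deb12u3" in a server banner or `ssh -V` output.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:[ \-]+([^,\s]+))?")

FIXED_UPSTREAM = (9, 8)    # OpenSSH 9.8 carries the fix (stated in the post)
REGRESSION_START = (8, 5)  # regression shipped in 8.5p1 (Qualys advisory)
ORIGINAL_FIX = (4, 4)      # 4.4p1 fixed the original 2006 bug (Qualys advisory)


def parse_openssh_version(banner: str):
    """Return ((major, minor), vendor_suffix_or_None), or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), m.group(4)


def triage(banner: str) -> str:
    """Classify one banner: fixed, vulnerable, verify-with-vendor, ..."""
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return "not-openssh"
    version, vendor = parsed
    if version >= FIXED_UPSTREAM:
        return "fixed"
    if version < ORIGINAL_FIX:
        return "legacy-affected"
    if version < REGRESSION_START:
        return "not-affected"
    # Inside the regression window. A vendor suffix (e.g. "Debian-2+deb12u3")
    # means the build may carry a backported fix; confirm against the vendor advisory.
    return "verify-with-vendor" if vendor else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, as a scanner or inventory export might record them.
    for b in ["SSH-2.0-OpenSSH_9.8p1", "SSH-2.0-OpenSSH_9.7p1",
              "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "SSH-2.0-OpenSSH_8.4p1",
              "SSH-2.0-dropbear_2022.83"]:
        print(f"{b:45} -> {triage(b)}")
```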

Adobe

Adobe has released three patches this month, addressing 7 vulnerabilities – almost 11% fewer than last month. The applications in question are:

Adobe Premiere Pro – 1 Critical

Adobe InDesign – 4 Critical

Adobe Bridge – 1 Critical and 1 Important

Adobe rates all these vulnerabilities as priority 3, meaning they relate to a product that has historically not been a target for attackers.

Cisco

Cisco has released 2 advisories for 2 vulnerabilities in July, with impact ratings from Medium to High. The High vulnerability, relating to the “regreSSHion” CVE mentioned earlier, is currently under investigation to determine all products affected; a list can be found here.

The Medium-rated CVE-2024-20399 is a CLI Command Injection vulnerability in Cisco NX-OS Software that can allow an attacker to execute arbitrary commands as root on the underlying operating system of an affected device. It has a CVSS score of 6.0. Since this is known to have been exploited in the wild, users should look to patch this vulnerability as soon as possible to prevent further exploitation.

Fortinet

Fortinet has addressed 2 vulnerabilities in July: 1 Medium and 1 Low severity.

The Medium severity vulnerability is CVE-2024-26006, a Cross-Site Scripting (XSS) vulnerability in the web SSL VPN UI of FortiOS and FortiProxy that can allow an attacker to execute unauthorised code or commands. It has a CVSS score of 6.9. This vulnerability can be exploited via social engineering, where the attacker convinces the targeted user to bookmark a malicious Samba server and then open the bookmark.

SAP

SAP has released 16 new security notes and 2 updates to previous security notes. Only 2 of these CVEs are rated “High”, with none being rated as “Hot News” (Very High). The products affected by the high CVEs are:

- SAP PDCE

- SAP Commerce

VMware

VMware has released a patch for a vulnerability in VMware Cloud Director. Tracked as CVE-2024-22277, this is an HTML injection vulnerability in VMware Cloud Director Availability that could allow a remote attacker with network access to execute malicious HTML tags within replication tasks. Rated as Moderate severity, it has a CVSS Base Score of 6.4. Users are advised to apply the patches provided by VMware to mitigate this vulnerability.

Industrial Control Systems

Any customers utilising industrial control systems (ICS) should be aware of the security advisories below regarding Johnson Controls, TELSAT, Yokogawa and others:

- ICSA-24-184-01 Johnson Controls Kantech Door Controllers

- ICSA-24-184-02 mySCADA myPRO

- ICSA-24-184-03 ICONICS and Mitsubishi Electric Products

- ICSA-24-179-01 TELSAT marKoni FM Transmitter

- ICSA-24-179-02 SDG Technologies PnPSCADA

- ICSA-24-179-03 Yokogawa FAST/TOOLS and CI Server

- ICSA-24-179-04 Johnson Controls Illustra Essentials Gen 4 (Update A)

- ICSA-24-179-05 Johnson Controls Illustra Essentials Gen 4 (Update A)

- ICSA-24-179-06 Johnson Controls Illustra Essentials Gen 4 (Update A)

- ICSA-24-179-07 Johnson Controls Illustra Essentials Gen 4 (Update A)

As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.