Post-Patch Tuesday Roundup: October 2024 | Softcat

Welcome to the Softcat Patch Tuesday roundup for October 2024, where we offer insight into the major patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, Citrix, D-Link, Fortinet, Mozilla, SAP, and VMware.


Preeti Nandal

Cyber Security Assessor

Several zero-day vulnerabilities were disclosed this month, some of which are known to have been actively exploited in the wild.

Microsoft

In its October Patch Tuesday release, Microsoft addressed 121 vulnerabilities. Five of these are zero-days (publicly disclosed or exploited before a fix was available), two of which are known to have been actively exploited. Interestingly, none of the five zero-days overlaps with the four critical vulnerabilities.

The patches cover a broad array of applications and services, including Microsoft Office and Components, Microsoft Management Console, Visual Studio, Windows Print Spooler Components, Windows Remote Desktop, Windows Remote Desktop Licensing Service, Windows Remote Desktop Services, .NET Framework, and more. There have also been six updates to previously disclosed vulnerabilities, and four non-Microsoft CVEs listed.

Outlined below are the zero-day vulnerabilities addressed by Microsoft in this month’s Patch Tuesday:

Actively exploited

1. CVE-2024-43572 – This is a remote code execution (RCE) vulnerability in the Microsoft Management Console (MMC) that allows an attacker to execute arbitrary code on a targeted system. It has a CVSS score of 7.8 and is rated important. Exploitation relies on social engineering: the attacker must convince the target to open a maliciously crafted Microsoft Saved Console (.msc) file, which then executes code in the context of that user. The update prevents untrusted MSC files from being opened. Because this is known to have been exploited in the wild, patching should be prioritised, and .msc attachments from external sources should be treated with the same suspicion as any other executable content.

2. CVE-2024-43573 – This is a spoofing vulnerability in the Windows MSHTML platform, the legacy Internet Explorer rendering engine that remains in Windows for compatibility. It can allow an attacker to misrepresent content so that a user believes they are interacting with something legitimate, potentially leading to unauthorised disclosure of sensitive information. Despite being rated moderate with a CVSS score of 6.5, it is known to have been actively exploited in the wild. Exploitation requires convincing the target to open a malicious file, which MSHTML then renders in a way that bypasses the trust cues the user would normally rely on.

Disclosed but not known to be actively exploited

3. CVE-2024-6197 – This is a remote code execution (RCE) vulnerability in cURL, a widely used command-line tool and library for transferring data with URLs. The flaw is in libcurl’s ASN.1 parser: when handling a specially crafted TLS certificate it can call free() on a buffer that lives on the stack rather than the heap, corrupting memory. It affects cURL versions 8.6.0 through 8.8.0 when built with the GnuTLS, wolfSSL, Schannel or Secure Transport TLS backends; builds that use only OpenSSL are not affected. The most likely outcome of exploitation is a crash, but under specific circumstances arbitrary code execution is possible, hence the important rating and CVSS score of 8.8. Microsoft has addressed the flaw by updating the libcurl library used by the curl.exe shipped in Windows. Note that this only fixes the copy Windows ships: applications that bundle their own libcurl, and any cURL installed outside Windows, must be updated separately to version 8.9.0 or later.
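The version range and TLS-backend conditions above are easy to get wrong when checking an estate by hand: the libcurl version (not the curl front-end version) is what matters, and a MultiSSL build can carry an affected backend alongside an unaffected one. The following Python script is an added example, not code from this post, from Microsoft or from the curl project. It parses the first line of `curl --version` output and applies exactly those conditions; the sample version lines are constructed for illustration, and the backend names are the ones curl prints on its version line.

```python
"""Check a curl build against the CVE-2024-6197 conditions: libcurl 8.6.0 to
8.8.0 built with GnuTLS, wolfSSL, Schannel or Secure Transport.

Added example for illustration; not part of the Softcat post or the curl project.
"""
import re
import subprocess

# Affected range and backends, as stated in the curl advisory for CVE-2024-6197.
FIRST_VULNERABLE = (8, 6, 0)
LAST_VULNERABLE = (8, 8, 0)
AFFECTED_BACKENDS = {"gnutls", "wolfssl", "schannel", "securetransport"}

# Names curl prints for its TLS backends on the `curl --version` line
# (lower-cased). Used only to pick the TLS tokens out of the feature list.
KNOWN_BACKENDS = AFFECTED_BACKENDS | {
    "openssl", "libressl", "boringssl", "quictls", "aws-lc",
    "mbedtls", "rustls", "bearssl", "nss",
}

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_version_line(line):
    """Parse the first line of `curl --version`, for example
    'curl 8.7.1 (Windows) libcurl/8.7.1 Schannel zlib/1.3 WinIdn',
    returning (libcurl_version_tuple, set_of_tls_backend_names).

    The libcurl version is used rather than the leading curl version because
    the flaw is in libcurl and the two can differ when curl is dynamically linked.
    """
    m = _LIBCURL_RE.search(line)
    if not m:
        raise ValueError("not a curl version line: %r" % line)
    version = tuple(int(x) for x in m.groups())
    backends = set()
    for token in line[m.end():].split():
        # Tokens look like 'Schannel', 'GnuTLS/3.8.3' or '(SecureTransport)'.
        name = token.strip("()").split("/", 1)[0].lower()
        if name in KNOWN_BACKENDS:
            backends.add(name)
    return version, backends


def is_vulnerable(version, backends):
    """True when libcurl is in the affected range and an affected TLS backend is
    compiled in. A MultiSSL build that also has OpenSSL still counts, because the
    affected backend can be selected at runtime (CURL_SSL_BACKEND)."""
    in_range = FIRST_VULNERABLE <= version <= LAST_VULNERABLE
    return in_range and bool(backends & AFFECTED_BACKENDS)


def assess(line):
    """Return a summary dict for one version line."""
    version, backends = parse_version_line(line)
    return {
        "libcurl": ".".join(str(n) for n in version),
        "tls_backends": sorted(backends),
        "vulnerable": is_vulnerable(version, backends),
    }


def assess_local_curl(binary="curl"):
    """Run the local curl binary and assess it; returns None if it cannot be run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess(out.splitlines()[0])


# Constructed sample version lines (not captured from real systems).
SAMPLE_VERSION_LINES = [
    "curl 8.7.1 (Windows) libcurl/8.7.1 Schannel zlib/1.3 WinIdn",
    "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 OpenSSL/3.0.13 zlib/1.3",
    "curl 8.6.0 (x86_64-apple-darwin23.0) libcurl/8.6.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12",
    "curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 GnuTLS/3.8.3 zlib/1.3",
    "curl 8.5.0 (Windows) libcurl/8.5.0 Schannel zlib/1.3",
]

if __name__ == "__main__":
    for sample in SAMPLE_VERSION_LINES:
        print(assess(sample))
    local = assess_local_curl()
    print("local curl:", local if local is not None else "not found or not runnable")
```

Two caveats when using a check like this. It only inspects the stand-alone curl binary; applications that ship their own libcurl.dll or libcurl.so must be inventoried separately. And it judges by version string alone, so a distribution build that backports the fix without bumping the version will be reported as affected; for those, the vendor’s own security tracker is the authority.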

4. CVE-2024-43583 – This is an elevation of privilege (EoP) vulnerability in Winlogon, the component that handles interactive user logon in Windows. A local, authenticated attacker could exploit it to gain SYSTEM-level privileges. It has a CVSS score of 7.8 and was publicly disclosed before a patch was available. Applying the update is not the whole fix: Microsoft advises that a Microsoft first-party Input Method Editor (IME) must also be enabled on the device to be protected, as the issue relates to third-party IMEs; the steps are described in Microsoft’s advisory for this CVE.

5. CVE-2024-20659 – This is a security feature bypass vulnerability in Windows Hyper-V. On specific host hardware it may be possible to bypass Unified Extensible Firmware Interface (UEFI) protections, which could lead to compromise of both the Hyper-V hypervisor and the secure kernel. Although it carries a CVSS score of 7.1, Microsoft considers exploitation less likely because of the conditions required: a specific hardware configuration, precise timing during a reboot, impersonation of an integrity-level token, and the attacker first gaining access to the target’s network.

Adobe

Adobe has released nine updates this month addressing 50 vulnerabilities, 42 of which are rated critical. The affected products are:

· Adobe Animate

· Adobe Commerce

· Adobe Dimension

· Adobe FrameMaker

· Adobe InCopy

· Adobe InDesign

· Adobe Lightroom

· Adobe Substance 3D Painter

· Adobe Substance 3D Stager

Cisco

Cisco has released 40 advisories covering 59 vulnerabilities since last month’s Patch Tuesday blog, more than four times as many as in September. The impact ratings range from Medium to Critical, with the Critical vulnerabilities affecting Cisco Nexus Dashboard Fabric Controller.

Citrix

Citrix has released three security bulletins since last month’s Patch Tuesday blog. These are regarding Citrix Workspace app for Mac, Citrix Workspace app for Windows, as well as XenServer and Citrix Hypervisor.

The Citrix Workspace app for Windows bulletin is rated High and covers two vulnerabilities, CVE-2024-7889 and CVE-2024-7890. Both allow local privilege escalation, enabling a low-privileged user to gain SYSTEM privileges. The bulletin applies to versions prior to 2302 and 2302 LTSR CU1; users of affected versions are urged to apply the latest release to safeguard their systems.

D-Link

D-Link has released two security announcements addressing critical vulnerabilities in both current and end-of-life routers. End-of-life devices typically receive no fix, so this is a compelling reminder of the need to identify and remove any end-of-life hardware or software in the estate.

Fortinet

Fortinet has addressed three vulnerabilities in October: two Medium and one Low severity. Although none is High or Critical, they affect a large number of Fortinet products, so Fortinet customers should check the Fortinet PSIRT advisories to see which of their deployments are affected.

Mozilla

Mozilla has addressed a multitude of vulnerabilities in Thunderbird and Firefox:

· Thunderbird 131 – 6 High severity CVEs

· Thunderbird 128.3 – 5 High severity CVEs

· Firefox ESR 115.16 – 4 High severity CVEs

· Firefox ESR 128.3 – 5 High severity CVEs

· Firefox 131 – 7 High severity CVEs

SAP

SAP has released six new Security Notes and seven updates to previously released Security Notes. One of these is rated Critical and three are rated High. The products affected by the Critical and High rated notes are:

· SAP BusinessObjects Business Intelligence Platform

· SAP Enterprise Project Connection

· SAP Product Design Cost Estimation (PDCE)

VMware

VMware has released vCenter Server updates (VMSA-2024-0019) addressing a Critical heap-overflow vulnerability in the DCERPC protocol implementation (CVE-2024-38812) and a privilege escalation vulnerability (CVE-2024-38813). Both can be triggered by an attacker with network access to vCenter Server sending a specially crafted packet, with remote code execution and escalation to root respectively as the potential outcomes. VMware has since updated the advisory because the original fix for CVE-2024-38812 was incomplete, so customers should confirm they are running the re-released builds rather than the first patch.

Industrial Control Systems

Any customers utilising industrial control systems (ICS) should be aware of three security advisories regarding:

· ICSA-24-277-01 TEM Opera Plus FM Family Transmitter

· ICSA-24-277-02 Subnet Solutions Inc. PowerSYSTEM Center

· ICSA-24-277-03 Delta Electronics DIAEnergie

Additional Updates

· HP has addressed a High severity privilege escalation vulnerability in their HP One Agent Software.

· Sophos has also addressed a High severity privilege escalation vulnerability, this time in Sophos Intercept X for Windows. Automatic updates should mean this is patched already, however customers using Fixed Term Support (FTS) or Long Term Support (LTS) packages are required to upgrade to receive this fix.

· Tenable has addressed multiple vulnerabilities in the Nessus Network Monitor product that were mainly caused by third-party components.

For more information on the recently disclosed CUPS vulnerabilities, please see our previous blog post, Softcat Cyber | Alpha Note.

As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.