In this edition, we will focus on patches from Microsoft, Adobe, Cisco, Citrix, Fortinet, Ivanti, SAP, Veeam, and VMware. Several zero-day vulnerabilities have been addressed, a number of which are known to have been actively exploited in the wild.
Microsoft
In their September Patch Tuesday release, Microsoft has addressed 79 vulnerabilities, with 7 of those rated as Critical and 4 being zero-day vulnerabilities. The patches cover a broad array of applications and services, including Windows, .NET, Office, SharePoint, Azure, and more. Additionally, 5 vulnerabilities in the Chromium-based Edge browser have been identified, although no advisory notes have been issued.
This month's vulnerabilities chiefly revolve around Elevation of Privilege (EoP), Remote Code Execution (RCE), and Information Disclosure. Outlined below are the four Microsoft zero-day vulnerabilities detailed in this month’s Patch Tuesday update:
Zero-day vulnerabilities
1. CVE-2024-43491 – This is a Remote Code Execution vulnerability in the Windows Update Servicing Stack affecting Windows 10, version 1507. Although that release is no longer supported, the same build underlies Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB, which are both still in support. The defect, classified as a Use After Free (CWE-416) in the Servicing Stack's handling of Optional Components, caused previously issued fixes for certain Optional Components to be rolled back, so an attacker can exploit vulnerabilities that had already been mitigated. It is rated as Critical with a CVSS score of 9.8. Only systems with one or more Optional Components from a limited list are affected; the list includes .NET Framework 4.6, Internet Explorer 11 and others, and later Windows 10 releases are unaffected. Because the issue is known to have been exploited in the wild, users are urged to install the September 2024 Servicing Stack Update followed by the September 2024 Windows security update, in that order, to close the hole and restore the fixes that were rolled back.
2. CVE-2024-38226 – This is a Security Feature Bypass vulnerability in Microsoft Publisher that can allow an attacker to bypass Office macro policies. It is rated as Important and has a CVSS score of 7.3. An authenticated attacker could leverage this vulnerability by using social engineering to trick a victim into downloading and opening a malicious file from a website, resulting in a local attack on the victim's computer.
3. CVE-2024-38014 – This is an Elevation of Privilege vulnerability in Windows Installer that can allow an attacker to gain SYSTEM privileges. This vulnerability arises from CWE-269: Improper Privilege Management, although Microsoft have not included any details as to how this has been exploited. It is rated as Important and has a CVSS score of 7.8.
4. CVE-2024-38217 – This is a Security Feature Bypass vulnerability in Windows related to the Mark of the Web (MOTW) that can allow an attacker to bypass the MOTW security feature. It is rated as Important with a CVSS score of 5.4. An attacker could exploit this vulnerability by hosting a malicious file on a server and convincing a user to download and open it, which would bypass the MOTW and potentially disable security prompts or checks such as SmartScreen, resulting in malicious code being executed without warning. This vulnerability was publicly disclosed last month by Joe Desimone of Elastic Security Labs, who named the technique LNK Stomping and noted that samples abusing it date back to 2018: a shortcut crafted with a non-standard target path is rewritten by Explorer when it is opened, and the rewritten file loses its Zone.Identifier stream before SmartScreen gets to look at it. BleepingComputer has an excellent writeup of this attack if you would like to understand it in further detail.
Since these vulnerabilities are known to have been exploited in the wild, users should look to patch these as soon as possible to prevent potential exploitation.
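The CVE-2024-43491 advisory makes patch status depend on three things at once: the Windows build, which Optional Components are enabled, and whether both the servicing stack update and the security update are present. The following PowerShell function is an added example, not code from the original post or from Microsoft, that checks all three on a host. It assumes an elevated PowerShell 5.1 session, that the two feature names it watches (the components this post names) are extended from the advisory's full list, and that the fixed build revision it compares against is confirmed against the September 2024 KB article.

```powershell
# Added example, not from the original post: triage a Windows 10 host for CVE-2024-43491.
# Assumptions: run elevated; $WatchedFeatures holds only the components named in the post
# (extend from Microsoft's advisory); $FixedUbr is the build revision published for the
# September 2024 security update for version 1507 (KB5043083, OS build 10240.20766) and
# should be confirmed against that KB article before relying on it.
function Test-Cve202443491 {
    [CmdletBinding()]
    param(
        # DISM feature names for .NET Framework 4.6 Advanced Services and Internet Explorer 11.
        [string[]] $WatchedFeatures = @('NetFx4-AdvSrvs', 'Internet-Explorer-Optional-amd64'),
        [int] $FixedUbr = 20766
    )

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Only Windows 10, version 1507 (build 10240) and its 2015 LTSB editions are in scope;
    # later Windows 10 releases are not affected.
    if ($build -ne 10240) {
        return [pscustomobject]@{
            Build   = "$build.$ubr"
            InScope = $false
            Exposed = $false
            Reason  = 'Not Windows 10, version 1507'
        }
    }

    # The rollback only matters where one of the listed Optional Components is enabled,
    # because those are the components whose earlier fixes were removed.
    $enabled = @(Get-WindowsOptionalFeature -Online |
        Where-Object { $_.State -eq 'Enabled' -and $WatchedFeatures -contains $_.FeatureName } |
        Select-Object -ExpandProperty FeatureName)

    # The September security update cannot install without the September servicing stack
    # update, so a build revision at or above the fixed value means both are present.
    $patched = $ubr -ge $FixedUbr

    if ($patched) {
        $reason = 'September 2024 servicing stack update and security update present'
    } elseif ($enabled.Count -eq 0) {
        $reason = 'No watched Optional Component enabled'
    } else {
        $reason = 'Install the September 2024 servicing stack update, then the security update'
    }

    [pscustomobject]@{
        Build             = "$build.$ubr"
        InScope           = $true
        EnabledComponents = $enabled
        Patched           = $patched
        Exposed           = (-not $patched) -and ($enabled.Count -gt 0)
        Reason            = $reason
    }
}

# Usage: run on the host (or via Invoke-Command against a list of LTSB machines).
Test-Cve202443491 | Format-List
```

Checking the build revision rather than Get-HotFix is deliberate: servicing stack updates do not reliably appear in the hotfix list, whereas the UBR value only advances once the cumulative update has actually been applied.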
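The CVE-2024-38217 bypass works because the protection it defeats is nothing more than an NTFS alternate data stream named Zone.Identifier attached to a downloaded file. The PowerShell below is an added example, not code from the original post or from Elastic, showing what that stream looks like and how to audit a folder for files of risky types that no longer carry it. It assumes an NTFS volume and PowerShell 5.1 or later; the extension list, the test-marking helper and the Downloads path are choices made for this example.

```powershell
# Added example, not from the original post: inspect (and, for testing, apply) the Mark of
# the Web. MOTW is the Zone.Identifier alternate data stream; SmartScreen and Office macro
# policy act on its ZoneId (3 = Internet, 4 = Restricted sites).
# Assumptions: NTFS volume, PowerShell 5.1+; extension list and paths are placeholders.

# Write a Zone.Identifier stream in the form browsers use, so a test file can be marked
# without downloading it. HostUrl and ReferrerUrl are optional and omitted here.
function Set-TestMotw {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $ZoneId = 3
    )
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

# Report the MOTW state of every file of interest under a folder.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extension = @('.lnk', '.exe', '.js', '.vbs', '.iso', '.msi', '.docm', '.xlsm')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            # Get-Content returns nothing when the stream is absent, which is the interesting
            # case: the file was created locally, came out of an archive, or lost its mark.
            $lines  = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId = $null
            foreach ($line in @($lines)) {
                if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1] }
            }
            [pscustomobject]@{
                File    = $_.FullName
                ZoneId  = $zoneId
                HasMotw = ($null -ne $zoneId)
                Written = $_.LastWriteTime
            }
        }
}

# Usage: shortcuts and executables in Downloads that no longer carry the mark deserve a look.
# A .lnk that arrived from the Internet but has no Zone.Identifier matches the Explorer
# rewrite behaviour this bypass abuses.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.HasMotw } |
    Format-Table File, Written -AutoSize
```

To see the two states side by side, create a harmless file, run Set-TestMotw on it and compare the output of Get-MotwStatus before and after; the HasMotw column flips, which is exactly the signal SmartScreen relies on and the signal the bypass removes.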
Adobe
Adobe has released eight security updates this month, addressing 27 vulnerabilities, fewer than half as many as last month. The affected applications are:
Adobe Media Encoder – 2 Critical and 3 Important
Adobe Audition – 1 Critical and 1 Important
Adobe After Effects – 3 Critical and 1 Important
Adobe Premiere Pro – 1 Critical
Adobe Illustrator – 4 Critical and 1 Important
Adobe Acrobat Reader – 2 Critical
Adobe ColdFusion – 1 Critical
Adobe Photoshop – 4 Critical and 1 Important
All of these vulnerabilities are rated as a priority 3 by Adobe, meaning they relate to a product that has historically not been a target for attackers.
Cisco
Cisco has so far released 9 advisories covering 11 vulnerabilities in September, with impact ratings ranging from Medium to Critical.
The single Critical vulnerability relates to the Cisco Smart Licensing Utility. The three High-rated advisories cover Cisco Meraki Systems Manager and the Cisco products affected by the OpenSSH regreSSHion flaw (CVE-2024-6387) and the RADIUS Blast-RADIUS flaw (CVE-2024-3596); the latter two are not Cisco-specific bugs but vulnerabilities in widely used components that Cisco is patching across its portfolio. The products affected by each advisory are listed on the respective Cisco advisory pages.
Citrix
Citrix has released an update for the Citrix Workspace app for Windows that affects versions before 2405 and versions before 2402 LTSR CU1. Both vulnerabilities addressed by this update are local privilege escalation flaws that could allow a low-privileged user to gain SYSTEM privileges.
Fortinet
Fortinet has addressed 2 vulnerabilities in September, both of which are rated as Medium severity. CVE-2023-44254 relates to FortiAnalyzer (including Bigdata) and FortiManager, and CVE-2024-31490 relates to FortiSandbox.
Ivanti
Ivanti has released three updates for the following software:
- Ivanti Cloud Services Appliance (CSA) 4.6 (note that CSA 4.6 is end-of-life and Ivanti advises upgrading to CSA 5.0, which is the only version that will continue to receive fixes)
SAP
SAP has released 16 new security notes and 3 updates to previous security notes. Only 2 of these vulnerabilities are rated “High” or “Hot News” (Very High). The products affected by the high to very-high rated CVEs are:
· SAP BusinessObjects Business Intelligence Platform
· SAP Commerce Cloud
Veeam
Veeam has issued a comprehensive security update for multiple products, resolving a series of critical and high-severity vulnerabilities. The bulletin covers:
· Veeam Backup & Replication
· Veeam ONE
· Veeam Service Provider Console
· Veeam Agent for Linux
· Plugins for Nutanix AHV, Oracle Linux Virtualization Manager, and Red Hat Virtualization
Notable vulnerabilities include an unauthenticated remote code execution flaw in Veeam Backup & Replication (CVE-2024-40711) with a CVSS score of 9.8, alongside others allowing privilege escalation and sensitive data exposure. All vulnerabilities have been addressed in the latest builds of the affected products (Backup & Replication 12.2 for CVE-2024-40711), with detailed information and download links provided in the bulletin. Backup servers are a favoured target for ransomware operators, so this update should be prioritised and the Backup & Replication server should not be reachable from the internet in any case.
VMware
VMware has issued an update for a code-execution vulnerability in VMware Fusion for macOS, identified as CVE-2024-38811. This security flaw, due to the improper handling of an environment variable, could allow a malicious actor with standard user privileges to execute code in the context of the Fusion application. The vulnerability is classified as Important and has a CVSS score of 8.8. Users are urged to update to VMware Fusion version 13.6.
Industrial Control Systems
Any customers utilising industrial control systems (ICS) should be aware of four security advisories regarding:
- ICSA-24-254-01 Viessmann Climate Solutions SE Vitogate 300
- ICSA-24-254-02 iniNet Solutions SpiderControl SCADA Web Server
- ICSA-24-254-03 Rockwell Automation SequenceManager
- ICSMA-24-254-01 BPL Medical Technologies PWS-01-BT and BPL Be Well Android Application
Additional Notes
The Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI, NSA, and other bodies, have issued a statement regarding Russian military cyber actors targeting Global Critical Infrastructure.
As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.
