Patch Tuesday
Clear your Microsoft system administrator’s calendar: Redmond’s July Patch Tuesday patch bundle is a goldmine, with at least two bugs currently being actively exploited.
Tuesday’s software updates fix more than 130 Microsoft CVEs.
The first of the two vulnerabilities that are likely being actively exploited – CVE-2024-38080 – is a Windows Hyper-V privilege escalation flaw with a CVSS rating of 7.8 out of 10, which Microsoft has rated as “important.”
We don’t know how widely this vulnerability is being exploited, but Microsoft says that “an attacker who successfully exploited this vulnerability could gain system privileges.” Additionally, as Dustin Childs of the Zero Day Initiative pointed out, this exploit could be very useful for ransomware. If you’re using Hyper-V, test and deploy this update.
The second bug listed as having been discovered and exploited by malicious actors before Redmond issued a patch is a Windows MSHTML platform impersonation vulnerability tracked as CVE-2024-38112. MSHTML (aka Trident) is Microsoft’s proprietary browser engine for Internet Explorer. The flaw has been assigned a CVSS severity score of 7.5.
Exploitation of this flaw requires user interaction. As Redmond explains: “An attacker would have to send a malicious file to the victim that the victim would execute.” Haifei Li of Check Point Research discovered the flaw and reported it to Microsoft.
The consequences of exploitation are unclear, although it appears that information or resources are being exposed to the wrong person. Successful social engineering attacks have been prevalent lately, Microsoft has already detected exploitation of this CVE, and we have seen time and again that it is quite easy to trick users into clicking on malicious links. Fix this issue before your next malicious click triggers CVE-2024-38112.
The first of the two bugs listed as publicly disclosed but not publicly exploited is CVE-2024-35264 – a remote code execution vulnerability in .NET and Visual Studio. To exploit it, an attacker would have to induce a race condition that allows inappropriate access to data, which they could then use to achieve remote code execution (RCE).
According to Redmond: “An attacker could exploit this by closing an http/3 stream while the request body is being processed, leading to a race condition.” Microsoft’s Radek Zikmund discovered the flaw.
The second known but unexploited bug – CVE-2024-37985 – affects Redmond’s Arm-based operating systems and has a CVSS score of 5.9. It is a side-channel attack from 2023, dubbed FetchBench, which can be exploited to leak secret information.
Five Critical CVEs from Microsoft
Of the remaining Microsoft CVEs, five are critical in severity, and three of them – CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077 – are 9.8-rated RCE bugs in the Windows Remote Desktop Licensing Service. Redmond described all three bugs as “less likely to be exploited.”
According to Childs of the Zero Day Initiative, regarding CVE-2024-38077, “exploitation of this flaw should be straightforward, as any unauthenticated user could execute its code simply by sending a malicious message to an affected server.”
He recommended making sure those servers are not accessible via the Internet. “If a number of these servers are connected to the Internet, I expect they will be exploited soon,” Childs warned. “This is also a good time to audit your servers to make sure they are not running unnecessary services.”
Microsoft’s other two critical bugs include CVE-2024-38060 – an RCE rated 8.8 in the Windows Imaging component that could be exploited by any authenticated user uploading a malicious TIFF file to a server.
Also worth noting is CVE-2024-38023, a 7.2-rated flaw in Microsoft SharePoint Server that can also lead to remote code execution. “An authenticated attacker with site owner permissions can exploit this vulnerability to inject arbitrary code and execute that code in the context of SharePoint Server,” Redmond explained.
Adobe clears up
Adobe’s monthly patch batch covers only three products and seven CVEs, none of which appear to have been found and exploited by criminals.
That’s the good news. The bad news is that six of the seven are critical bugs that can lead to arbitrary code execution.
Today’s updates address a critical vulnerability (CVE-2024-34123) in Adobe Premiere Pro, and four additional critical vulnerabilities (CVE-2024-20781, CVE-2024-20782, CVE-2024-20783, CVE-2024-20785) in InDesign. The Adobe Bridge patches address two vulnerabilities, one of which (CVE-2024-34139) is rated critical and the other (CVE-2024-34140) is rated important because it could lead to a memory leak.
SAP Security Notes
SAP has released 18 new and updated patches, two of which are high priority.
Security Note #3483344 is the most critical of the bunch. It is a missing authorization check vulnerability in SAP Product Design Cost Estimating (PDCE) that has a CVSS score of 7.7.
“A remotely enabled function module in SAP PDCE allows a remote attacker to read generic table data and thus endangers the confidentiality of the system,” warns Thomas Fritsch, SAP security researcher at Onapsis Research Labs. “The patch disables the vulnerable function module.”
Fortinet fixes vulnerabilities
Fortinet has fixed a cross-site scripting vulnerability identified as CVE-2024-26006 in the SSL VPN web user interface of FortiOS and FortiProxy. “This could allow an unauthenticated, remote attacker to perform a cross-site scripting attack via social engineering by tricking the targeted user into adding a malicious Samba server to their favorites and then opening the favorite,” the vendor warned.
Fortinet also fixed CVE-2024-26015 in the IP address validation functionality of FortiOS and FortiProxy. An unauthenticated attacker could exploit this bug to bypass the IP address blocklist using specially crafted requests.
Citrix joins the party
Citrix has fixed CVE-2024-6151 and CVE-2024-6286, both rated 8.5. They are escalation of privilege flaws in Windows Virtual Delivery Agent and Citrix Workspace app that could allow a low-privileged user to gain system privileges.
Citrix Workspace app is the client for virtual desktops and applications and is deployed on many endpoints that are not very strictly managed, making this a bug worthy of your attention.
And… Android
Rounding out the July patch series, Google has released fixes for 27 CVEs in Android. The worst of these is CVE-2024-31320, a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. ®