Patch Tuesday: September 2024 Overview

For us in the UK, September is the start of new beginnings. The children go back to school, the students move back to University, the leaves on the trees start to turn and the evenings start to get darker. For Microsoft however, they remain evergreen and have just given us another patch Tuesday.

This month, Microsoft brings us new updates for 79 flaws, 4 of which are being actively exploited and one publicly disclosed zero-day vulnerability. Sharepoint and Azure seem to have the lion's share of the CVEs this month, and there is also some high rated critical CVEs to watch out for...

What is Patch Tuesday?

Every second Tuesday of the month, Microsoft releases a batch of critical security updates known as Patch Tuesday. These updates are essential for maintaining the security and stability of your systems. The September 2024 Patch Tuesday, released on August 10th, 2024, addresses several high-severity vulnerabilities across various Microsoft products. This blog post will guide you through the key updates, the affected products, and what actions you need to take to ensure your systems remain secure.

Key Updates in September 2024

• 79 new CVEs
• 5 zero-days: 4 exploited and 1 publicly disclosed
  
• 7 critical vulnerabilities
• Sharepoint and Azure have the most critical CVEs.

Zero Day Vulnerabilities

Below are the 4 bugs currently under active exploitation, which we have listed in order of severity, starting with a critical CVE with a 9.8 CVSS rating.

CVE-2024-43491 - Microsoft Windows Update Remote Code Execution

• CVSS Rating: 9.8 (Critical)
• Description: This critical vulnerability, rated with a CVSS score of 9.8, is related to how the Windows Update service handles optional components. Attackers can exploit this flaw to execute arbitrary code by triggering a rollback of previously applied security fixes on specific versions of Windows 10 (Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB). This could expose systems to older, already-patched vulnerabilities, effectively undoing previous security measures
• Impact: Remote Code Execution

CVE-2024-38014 - Windows Installer Elevation of Privilege Vulnerability

• CVSS Rating: 7.8 (High)
• Description: This vulnerability allows attackers to gain system level privileges on affected systems, making it particularly dangerous. It affects Windows 10 and 11, including specific newer versions like Windows 11 24H2. An attacker could exploit this by manipulating Windows Installer to run unauthorized code with higher privileges. 
• Impact: Elevation of Privilege
  
  

CVE-2024-38226 - Microsoft Publisher Security Feature Bypass Vulnerability

• CVSS Rating: 7.3 (High)
• Description: This vulnerability allows an attacker to bypass the macro protections in Microsoft Publisher, which usually block untrusted or malicious macros by default. By tricking a user into opening a crafted Publisher file, an attacker could launch a local attack. 
• Impact: Security Feature Bypass

CVE-2024-38217 - Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability:

• CVSS Rating: 5.4 (Medium)
• Description: MOTW is used to mark files downloaded from the internet to trigger extra security measures when they are opened. This vulnerability bypasses those protections, allowing malicious files to evade detection. It requires an attacker to trick the user into opening a specially crafted file. 
• Impact: Security Feature Bypass

Critical Vulnerability Summary

• CVE-2024-38018: Microsoft SharePoint Server Remote Code Execution Vulnerability
  This vulnerability impacts Microsoft SharePoint Server and allows an attacker to execute remote code with elevated privileges. If successfully exploited, it could lead to unauthorized access, system takeover, or the compromise of sensitive data. Proper patching and updating are essential to mitigate the risks.
  
  
• CVE-2024-38119: Windows Network Address Translation (NAT) Remote Code Execution Vulnerability 
  This vulnerability resides in the Windows NAT feature and could be exploited by attackers to execute arbitrary code remotely. Such an exploit could allow attackers to gain control of the target system, putting the affected network at risk. This is a particularly dangerous flaw for any organization using NAT in their infrastructure.
  
  
• CVE-2024-38194: Azure Web Apps Elevation of Privilege Vulnerability
  Azure Web Apps is vulnerable to an elevation of privilege attack, where an attacker could gain higher-level access to resources. This can result in unauthorized control of applications and sensitive data exposure. Azure users are strongly advised to apply necessary updates to safeguard their environments.
  
  
• CVE-2024-38216: Azure Stack Hub Elevation of Privilege Vulnerability
  This vulnerability affects Azure Stack Hub, a key component of hybrid cloud environments. An attacker could exploit this flaw to elevate privileges within the system, potentially gaining unauthorized access to critical resources. Regular patch management can mitigate the associated risks.
  
  
• CVE-2024-38220: Azure Stack Hub Elevation of Privilege Vulnerability
  Another critical vulnerability affecting Azure Stack Hub, this issue allows for the elevation of privileges by attackers, which could result in full system compromise. Since it affects a key cloud management tool, users are strongly urged to apply the latest patches to avoid exploitation.
  
  
• CVE-2024-43464: Microsoft SharePoint Server Remote Code Execution Vulnerability
  Microsoft SharePoint Server is again under threat, with this vulnerability enabling remote code execution. Attackers could execute malicious code on the server, leading to data breaches or the spread of ransomware. Organizations using SharePoint should prioritize applying relevant patches to defend against this vulnerability
  
  
• CVE-2024-43491: Microsoft Windows Update Remote Code Execution Vulnerability
  This vulnerability targets Windows Update, a fundamental component of the Windows operating system. If exploited, it could allow attackers to remotely execute code and compromise the system entirely. Keeping Windows Update services secure is crucial for maintaining system integrity.

Actions to Take:

• Apply Security Updates Immediately
  Install the latest security patches provided by Microsoft across all impacted systems, including Windows, Microsoft Office, SharePoint, Azure, and other enterprise products. Many of the vulnerabilities patched this month, including remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities, are critical and could lead to system compromise if left unpatched.
  
  
• Prioritize Patching Critical Vulnerabilities
  Focus on addressing the most severe issues first, in particular CVE-2024-43491 (Windows Update RCE), CVE-2024-38119 (Windows NAT RCE), CVE-2024-38018 & CVE-2024-43464 (Microsoft SharePoint RCE). These vulnerabilities could allow attackers to remotely execute code and gain control of systems or escalate privileges, making them prime targets for cybercriminals.
  
  
• Update Microsoft SharePoint Servers
  Microsoft SharePoint has been a target for critical vulnerabilities this month. Organizations using SharePoint should prioritize patching both CVE-2024-38018 and CVE-2024-43464 to prevent exploitation via remote code execution.
  
  
• Secure Azure Environments
  Several critical vulnerabilities affect Azure services, including CVE-2024-38194 (Azure Web Apps EoP), CVE-2024-38216 & CVE-2024-38220 (Azure Stack Hub EoP). If your organization uses Azure Web Apps or Azure Stack Hub, ensure you deploy the necessary updates to prevent unauthorized privilege escalation within your cloud infrastructure.
  
  
• Review and Validate Patch Installation
  After installing updates, review and validate that the patches have been successfully applied across your environment. Testing in non-production environments prior to full deployment can help mitigate any unexpected issues or downtime. Pssst... you can also use RoboShadow to scan to see if any of these CVEs can be found in your enviroment.
  
  
• Monitor for Exploit Activity
  Stay alert for any signs of exploit activity. Even after patching, organizations should monitor logs and network traffic for suspicious behavior that could indicate an attack attempt.
  
  
• Regularly Backup Critical Systems
  As part of any patch management process, ensure that critical systems are backed up before applying updates. This provides a safeguard in case any issues arise from the patches.

If you have any questions about patch Tuesday, or any feedback on this blog please
reach out to us: hello@roboshadow.com 

Thanks for reading, and to quote Green Day; wake me up when September ends!