Microsoft patches scary wormable hijack-my-box-via-IPv6 security bug and others
Plus more pain for Intel which fixed 43 bugs, SAP and Adobe also in on the action
Patch Tuesday Microsoft has disclosed 90 flaws in its products – six of which have already been exploited – and four others that are listed as publicly known.
There's another dozen in the list from third-party vendors that are now included in Microsoft's monthly update. Happy August Patch Tuesday, folks. Of the 102 total bugs listed this month, nine are rated critical, though so far none of those ones seem to have been found and abused by the bad guys.
Holy grail security flaw
First, let's get right to CVE-2024-38063, this is a zero-click, wormable remote code execution hole in Windows that requires no authentication and is exploited using IPv6 packets. It's pretty bad; it's a 9.8-out-of-10 on the CVSS severity scale.
If someone can craft the correct IPv6 packets to send to your vulnerable Windows machine via the local network or the internet, they can take over that box, install malware or ransomware, steal data, and more. This happens at the TCP/IP stack level in the operating system. There are no exploits for it yet that we know of. Redmond credited someone called Wei at Cyber KunLun's Kunlun Lab for discovering and reporting it.
"An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution," the Azure giant said.
That needs to be patched ASAP before someone figures out how to abuse it in the wild and uses it to hijack computers around the world. All we know so far is that it involves an integer underflow, which may be tricky to exploit in practice though Microsoft says it thinks exploitation is likely at some point.
There's also another 9.8 bug, CVE-2024-38140, a use-after-free in the Windows Reliable [sic] Multicast Transport Driver that can be exploited again to achieve remote code execution on a vulnerable computer without authentication needed.
"An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server, without any interaction from the user," says Microsoft, adding:
This vulnerability is only exploitable only if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled but no programs are actively listening as a receiver, then this vulnerability is not exploitable.
PGM does not authenticate requests so it is recommended to protect access to any open ports at the network level (e.g. with a firewall). It is not recommended to expose a PGM receiver to the public internet.
Another of the critical bugs being patched today: CVE-2024-38160, remote code execution hole in Windows Network Virtualization. This bug is a heap buffer overflow. This appears to be a useful way to attack other customers in a public cloud setting using Redmond's technologies. It allows someone to move from their virtual machine's confines to the host hypervisor server, and then get into other people's guests.
"This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s [sic] applications and content," says Microsoft.
"An attacker could exploit the vulnerability by taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape."
Network Virtualization has another critical flaw, CVE-2024-38159, that works pretty much the same way as above.
And there's also CVE-2024-38166 in Microsoft Dynamics 365 (a cross-site scripting hole), CVE-2024-38206 in Microsoft Copilot Studio that can cause the AI suite to "leak sensitive information over a network," and CVE-2024-38109 in the Azure Health Bot that could be used to elevate privileges.
Regarding the bot, Microsoft says: "This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. This purpose of this CVE is to provide further transparency."
As said, none of these critical holes have been attacked in the wild that we know of, yet.
Phew, so what's under attack already?
Now for the six bugs under active exploitation:
CVE-2024-38189 – a Microsoft Project Remote Code Execution Vulnerability with an 8.8 CVSS rating. The bad news is it's an RCE and was exploited before it issued a fix.
The good news is exploitation requires a couple of security features to be disabled before an attacker can remotely execute code on a victim's machine. Assuming a criminal can find a way on someone's system to run macros downloaded from the internet (which ain't hard, see the Mark Of The Web hole below, for instance) and also has the block macros from running in Office files from the internet policy disabled, and convinces a victim to open a malicious file, it's game over. Obviously, someone has managed to navigate those hoops, although we have no details on the exploitation, or how widespread it is.
CVE-2024-38178 – a Scripting Engine Memory Corruption Vulnerability that earned a 7.5 CVSS. Microsoft says the attack complexity is high on this one, and it requires the victim to use Edge in Internet Explorer Mode. Apparently some orgs and their websites still really like this dead web browser that Microsoft stopped supporting two years ago.
Once Edge is in Internet Explorer mode, if an attacker can convince the victim to click on a specially crafted URL they can execute remote code on the victim's device.
Redmond credits south Korea's National Cyber Security Center and AhnLab with finding and reporting this vulnerability.
CVE-2024-38193 – a 7.8 rated Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This one could allow an attacker to gain system privileges.
As Zero Day Initiative's Dustin Childs noted: "These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon."
Gen Digital bug hunters Luigino Camastra and Milánek disclosed the flaw to Redmond.
CVE-2024-38106 – a Windows Kernel Elevation of Privilege Vulnerability with a 7.0 CVSS rating.
Exploiting this bug requires an attacker to win a race condition, but Redmond doesn't provide any details about what that race involves. But once that happens the miscreant can gain system privileges. It's been exploited, so patch soon.
CVE-2024-38107 – a 7.8-rated Windows Power Dependency Coordinator Elevation of Privilege Vulnerability. It could also result in system privileges and has been exploited in the wild.
CVE-2024-38213 – a Windows Mark of the Web Security Feature Bypass Vulnerability that earned a 6.5 CVSS rating.
ZDI researcher Peter Girnus found and reported this vulnerability, which allows an attacker to bypass the SmartScreen security feature. It does, however, require the mark to open a malicious file.
- AMD won't patch Sinkclose security bug on older Zen CPUs
- Using 1Password on Mac? Patch up if you don't want your Vaults raided
- Google splats device-hijacking exploited-in-the-wild Android kernel bug among others
- Six ransomware gangs behind over 50% of 2024 attacks
Microsoft listed four vulnerabilities as publicly disclosed, albeit not yet exploited, so maybe put these high on your to-patch list:
- CVE-2024-38200 – a Microsoft Office Spoofing Vulnerability with a 6.5 CVSS rating.
- CVE-2024-38199 – a Windows Line Printer Daemon (LPD) Service RCE Vulnerability with a 9.8 CVSS rating.
- CVE-2024-21302 – a Windows Secure Kernel Mode Elevation of Privilege Vulnerability with a 6.7 CVSS rating.
- CVE-2024-38202 – a Windows Update Stack Elevation of Privilege Vulnerability with a 7.3 CVSS rating.
Adobe addresses 71 CVEs
Adobe this month fixed 71 CVEs in 11 updates across its Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, 3D Sampler, and Substance 3D Designer products. Adobe states it's not aware of any exploits for any of the now-fixed flaws.
Commerce is the buggiest of the bunch, with seven critical-rated vulnerabilities. InDesign addressed 13 CVEs and Acrobat and Reader fixed 12 – both of which included RCEs.
SAP slaps out 25 security patches
SAP this month released 25 new or updated security patches, including two HotNews notes and four high-priority notes. Thomas Fritsch, SAP Security Researcher at Onapsis, says this count is above average for the software maker.
Of the new HotNews notes, #3479478 (CVE-2024-41730) earned a 9.8 CVSS rating and addresses a denial of service vulnerability in the SAP BusinessObjects Business Intelligence Platform.
"If Single Sign On Enterprise authentication is enabled, an unauthorized user can get a logon token using a REST endpoint," Fritsch warned. "The attacker can fully compromise the system resulting in high impact on confidentiality, integrity and availability."
43 more pain points for Intel
Intel joined the patch party this month with a whopping 43 security advisories that plug multiple holes in software and hardware. Nine are rated high-severity flaws, so let’s start there:
Intel Ethernet Controllers and Adapters fixes CVEs that may allow escalation of privilege or denial of service.
Bugs in some Intel NUC BIOS Firmware may allow escalation of privilege, denial of service and information disclosure.
Vulnerabilities in Intel Core Ultra Processor and Intel Processor stream cache mechanisms may allow escalation of privilege.
Flaws in Intel Trust Domain Extensions (Intel TDX) module software may allow denial of service.
A security vulnerability in SMI Transfer monitor (STM) may allow escalation of privilege.
Flaws in some Intel Agilex FPGA Firmware and some Intel Server Board S2600ST Family Firmware may allow escalation of privilege.
Finally, some Intel UEFI Integrator Tools on Aptio V for Intel NUC are vulnerable to an escalation of privilege bug. ®
Editor's note: This article was updated to draw attention to the wormable IPv6 flaw in Microsoft Windows and other critical flaws.