Patch Tuesday | November 2024

By: Bryson Medlock

Every month on the second Tuesday, Microsoft and other vendors release security software patches in what has become known as Patch Tuesday. This Patch Tuesday sees patches for 92 vulnerabilities including 2 0-days, 3 vulnerabilities classified as Critical, and 52 of the total coming in with CVSS base scores over 8.

The 2 0-day vulnerabilities patched include CVE-2024-49039, a privilege elevation vulnerability affecting the Windows Task Scheduler in a way that allows the use of RPC functions typically restricted to privileged accounts via a low privilege AppContainer. Exploiting this vulnerability requires authenticated access to a Windows system. The other 0-day is CVE-2024-43451, where a malicious file could be used to disclose a user's NTLM hash, allowing an attacker to authenticate as that user. This vulnerability has also been publicly disclosed.

Other patched vulnerabilities to look out for include several that could be leveraged for initial access following phishing attacks. These include a remote code execution (RCE) vulnerability in Microsoft Defender for Endpoint (CVE-2024-5535) due to an OpenSSL library vulnerability that, in the worst case scenario, could be exploited without the victim interacting with the phishing link. Additionally, CVE-2024-49033 is a bypass of Office Protected View in which a malicious Word file downloaded from a link leads to RCE. Microsoft considers exploitation of this vulnerability more likely but does note that the attack complexity is high because an attacker needs to gather information from the victim environment to succeed.

Several of the vulnerabilities involve network attacks on remote services. CVE-2024-43640 affects the HTTP Protocol Stack driver with a double free vulnerability that could lead to RCE. Azure CycleCloud includes a 9.9 CVSS RCE in this category with CVE-2024-43602, where an attacker with basic user permissions can send requests that modify the configuration of the cluster to gain root permissions. CVE-2024-43498 could potentially target vulnerable .NET webapps with malicious requests, but could also affect vulnerable desktop apps if they loaded a malicious file targeting the vulnerability. Microsoft gave it a CVSS score of 9.8 and rated it with low attack complexity, but still assessed its exploitation as less likely. CVE-2024-43639 also carries low attack complexity and a 9.8 score: it is an RCE in which an unauthenticated attacker targets a cryptographic protocol vulnerability in Kerberos.

Some of the notable elevation of privilege vulnerabilities include CVE-2024-49019 affecting Active Directory Certificate Services, which was publicly disclosed by TrustedSec in October. This vulnerability affects configurations set up counter to Microsoft's best practices for security certificate templates outlined in their Securing PKI documentation. In particular, it affects version 1 certificate templates if the source of the subject name is "Supplied in the request" and Enroll permissions are granted to broader sets of accounts like domain users or computers.
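
The template conditions described above for CVE-2024-49019 can be checked mechanically. The following is an added example, not code from ConnectWise, TrustedSec or Microsoft: it flags template records that combine schema version 1, a subject "Supplied in the request", and Enroll granted to a broad group. The template names, domain SID and record layout are constructed assumptions, and the audit assumes the export carries the standard `msPKI-Template-Schema-Version` and `msPKI-Certificate-Name-Flag` attributes.

```python
ENROLL_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag ("Supplied in the request")
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}


def broad_principal(sid):
    """Return the group name if the SID is a broad well-known group, else None."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    if sid.startswith("S-1-5-21-"):  # domain SID: the last field is the RID
        return BROAD_RIDS.get(sid.rsplit("-", 1)[1])
    return None


def audit_template(tpl):
    """Return broad groups allowed to Enroll on a v1, request-supplied-subject template."""
    if int(tpl.get("msPKI-Template-Schema-Version", 0)) != 1:
        return []
    # Directory exports may show this flag field as a signed 32-bit value; normalise it.
    flags = int(tpl.get("msPKI-Certificate-Name-Flag", 0)) & 0xFFFFFFFF
    if not flags & ENROLLEE_SUPPLIES_SUBJECT:
        return []
    hits = set()
    for ace in tpl.get("acl", []):  # only explicit allow ACEs for Enroll are considered
        if ace["type"] == "allow" and ace["object_type"].lower() == ENROLL_RIGHT:
            name = broad_principal(ace["sid"])
            if name:
                hits.add(name)
    return sorted(hits)


def audit(templates):
    """Map template name -> broad groups, for templates matching all three conditions."""
    return {t["name"]: g for t in templates if (g := audit_template(t))}


# Constructed sample records (hypothetical template names, domain SID and layout).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
def _t(name, ver, flag, sid):
    return {"name": name, "msPKI-Template-Schema-Version": ver,
            "msPKI-Certificate-Name-Flag": flag,
            "acl": [{"sid": sid, "type": "allow", "object_type": ENROLL_RIGHT}]}
TEMPLATES = [
    _t("LegacyWeb", 1, 1, DOMAIN + "-513"),               # matches all three conditions
    _t("ModernUser", 2, 1, "S-1-5-11"),                   # not a version 1 template
    _t("LegacyLocked", 1, 1, DOMAIN + "-1105"),           # Enroll limited to one custom group
    _t("LegacyFromAD", 1, -2113929216, DOMAIN + "-515"),  # signed value, bit 0 clear
]

if __name__ == "__main__":
    for name, groups in audit(TEMPLATES).items():
        print(f"{name}: Enroll granted to {', '.join(groups)}")
```

Templates it reports are candidates for tightening Enroll permissions or changing the subject name source, in line with the Securing PKI guidance referenced above.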

Riley Fees

Cyber Security Analyst

1 week

Great report team!

Alvin BIjo

Uncovered vulnerabilities in Acorns.com, Omise.co, and HBO.com. Specializing in ethical hacking and risk assessment to fortify organizations' defenses.

1 week

Very informative
