Microsoft addressed 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities

By Scott Caveza, Staff Research Engineer at Tenable

In this month’s Patch Tuesday, Microsoft addressed 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild. Elevation of Privilege (EoP) vulnerabilities accounted for 41% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) at 33%.

“CVE-2024-38202 is an elevation of privilege (EoP) vulnerability in Windows Update Stack and CVE-2024-21302 is an EoP flaw affecting Windows Secure Kernel, both of which were disclosed by SafeBreach Labs researcher Alon Leviev. If the two are chained together, an attacker could downgrade or roll back software updates without the need for interaction from a victim with elevated privileges. As a result, previous remediation efforts are essentially erased as target devices could be made susceptible to previously patched vulnerabilities, thus increasing the attack surface of the device.

“CVE-2024-38200 is a spoofing vulnerability affecting Microsoft Office. An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email. Successful exploitation of the vulnerability could result in the victim exposing New Technology LAN Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker’s foothold into an organisation. NTLM relay attacks have been observed by a Russia-based threat actor, APT28, who leveraged a similar vulnerability to carry out attacks – CVE-2023-23397, an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.

“EoP vulnerabilities are often exploited by attackers who have gained initial access into an organisation in order to elevate their privileges on a victim host and continue to move laterally across a network. With so many zero days in a Patch Tuesday release, the vulnerabilities reported as exploited in the wild should be at the top of your remediation list.

“In addition to the zero-day vulnerabilities covered this month, Microsoft also released security advisories for two CVEs credited to Tenable Research. CVE-2024-38206 is a critical severity information disclosure vulnerability affecting Microsoft’s Copilot Studio, an AI-powered chatbot. This vulnerability can be abused by an authenticated attacker to bypass server-side request forgery (SSRF) protections in order to leak potentially sensitive information. The vulnerability was publicly disclosed by Microsoft on August 6, with the advisory noting that no user action is required as the issue has been patched by Microsoft. This vulnerability was discovered and reported to Microsoft by Tenable researcher Evan Grant.

“CVE-2024-38109 is a critical severity EoP vulnerability affecting Azure Health Bot. This vulnerability received a CVSSv3 score of 9.1 and is the result of an SSRF vulnerability in Azure Health Bot that can be abused to escalate privileges. This vulnerability was discovered by Tenable researcher Jimi Sebree and responsibly disclosed to Microsoft. The issue has been patched by Microsoft and no action is required for users of the Health Bot service.”
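The NTLM hash exposure described for CVE-2024-38200 relies on the victim's machine sending an NTLM authentication to an attacker-controlled host after the crafted file is opened. Two host-level controls commonly used to limit that class of leak are the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and an outbound firewall rule blocking TCP/445. The script below is an added example, not code from Tenable or from the commentary above, that audits both settings on the local machine. The registry location and value meanings (0 = allow all, 1 = audit all, 2 = deny all) are taken from Microsoft's Group Policy documentation; the firewall check is a local heuristic that only looks at enabled outbound Windows Firewall block rules with a TCP port filter covering 445, so it says nothing about perimeter controls or other egress paths such as WebDAV over HTTP.

```powershell
# Added example (not part of the original article): audit two NTLM-leak
# mitigations on the local Windows host.
#
# Assumptions:
#   - Registry key and value semantics come from the Group Policy setting
#     "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#     (RestrictSendingNTLMTraffic under Lsa\MSV1_0; 0 allow, 1 audit, 2 deny).
#   - Firewall inspection uses the NetSecurity module cmdlets available on
#     Windows 8 / Server 2012 and later; run from an elevated prompt so all
#     rules are visible.

function Get-OutboundNtlmPolicy {
    # Reads the local setting; an absent value behaves like "allow all".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $item = Get-ItemProperty -Path $key -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue
    switch ($item.RestrictSendingNTLMTraffic) {
        2       { 'DenyAll' }
        1       { 'AuditAll' }
        0       { 'AllowAll' }
        default { 'NotConfigured' }
    }
}

function Test-Smb445OutboundBlocked {
    # True if any enabled outbound Block rule has a TCP port filter that
    # includes remote port 445 (the SMB path used by the classic NTLM leak).
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and (@($filter.RemotePort) -contains '445')) {
            return $true
        }
    }
    return $false
}

function Get-NtlmLeakExposureReport {
    $policy     = Get-OutboundNtlmPolicy
    $smbBlocked = Test-Smb445OutboundBlocked

    $note = $(
        if ($policy -eq 'DenyAll') { 'Outbound NTLM is blocked at the host.' }
        elseif ($policy -eq 'AuditAll') { 'Outbound NTLM is audited, not blocked; review event log for unexpected targets.' }
        elseif ($smbBlocked) { 'TCP/445 egress blocked locally; NTLM can still leave over other protocols (e.g. WebDAV/HTTP).' }
        else { 'No host-level control found; NTLM hashes can leak to remote SMB/WebDAV listeners.' }
    )

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OutgoingNtlmPolicy    = $policy
        OutboundTcp445Blocked = $smbBlocked
        ExposureNote          = $note
    }
}

# Usage: run from an elevated PowerShell session on the host being assessed.
Get-NtlmLeakExposureReport | Format-List
```

The report is a starting point for triage rather than a verdict: even with TCP/445 blocked, a lure can point the client at a WebDAV share, so the "Restrict NTLM: Outgoing" policy (or membership in the Protected Users group for high-value accounts) is the control that actually closes the hash-leak path. Setting the policy to audit mode first, and reviewing what it logs before moving to deny, avoids breaking legitimate NTLM-only services.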
