Akamai’s Perspective on April’s Patch Tuesday 2024
Happy Eid-al-Fitr, Happy Easter, and Happy Passover. April is traditionally the month of holidays — and if CVEs are gifts, Microsoft is in the holiday spirit. April 2024’s Patch Tuesday has a total of 147 CVEs, and three of them are critical in Microsoft Defender for IoT. There was also an in-the-wild CVE: a Microsoft certificate being used to sign malicious payloads.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:

- Proxy driver (certificate revocation)
- Microsoft Defender for IoT
- Windows Routing and Remote Access service (RRAS) and Remote Access Connection Manager
- Windows Authentication
Proxy driver
Sophos X-Ops detected a malicious payload being signed with a Microsoft Windows Hardware Compatibility Publisher signature in an attempt to masquerade as legitimate. They reported their findings to Microsoft, and CVE-2024-26234 is the revocation of the certificate involved, so it would no longer pass as trusted.
It is possible to hunt for payloads signed with the affected signature using Insight. Concerned customers can run the following query to see whether any running process is signed with the revoked certificate:

```sql
SELECT issuer_name, path
FROM authenticode
WHERE
  path IN (SELECT DISTINCT path FROM processes)
  AND serial_number = '3300000057ee4d659a923e7c10000000000057'
  AND subject_name = 'Microsoft Windows Hardware Compatibility Publisher';
```
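For hosts that are not covered by Insight, the same hunt can be performed locally. The PowerShell function below is an added example and is not part of the Akamai post or of Insight; it enumerates the image paths of running processes and checks each Authenticode signer against the serial number and subject name given above (both taken from the post). The function name and the output format are assumptions of this example.

```powershell
# Added example (not from the Akamai post): local equivalent of the Insight hunt
# for running processes signed with the certificate revoked by CVE-2024-26234.
function Find-RevokedSignerProcess {
    # Values from the post; serial is compared case-insensitively because
    # .NET reports it in upper-case hex while osquery reports lower-case.
    $RevokedSerial  = '3300000057ee4d659a923e7c10000000000057'
    $RevokedSubject = 'Microsoft Windows Hardware Compatibility Publisher'

    # Unique image paths of running processes. Path is empty for protected
    # and kernel processes, and for 64-bit processes seen from 32-bit PowerShell,
    # so those are skipped rather than treated as errors.
    $paths = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique

    foreach ($p in $paths) {
        $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
        if (-not $sig -or -not $sig.SignerCertificate) { continue }
        $cert = $sig.SignerCertificate
        if ($cert.SerialNumber -ieq $RevokedSerial -and
            $cert.Subject -match [regex]::Escape("CN=$RevokedSubject")) {
            [pscustomobject]@{
                Path    = $p
                Subject = $cert.Subject
                Serial  = $cert.SerialNumber
                # Signature status as evaluated by this host's trust settings
                Status  = $sig.Status.ToString()
            }
        }
    }
}

$hits = Find-RevokedSignerProcess
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No running process is signed with the revoked certificate.'
}
```

Run it in an elevated session so that signature checks succeed for processes owned by other users; a non-empty result is a strong indicator that the host is running the payload Sophos described and warrants isolation and a full investigation of the image path reported.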
Microsoft Defender for IoT
Microsoft Defender for IoT is a security platform that helps defend industrial network components, such as Internet of Things (IoT) devices, industrial control systems, and operational technology. There are three critical remote code execution (RCE) vulnerabilities patched this month, and three important elevation of privilege (EoP) vulnerabilities.
The vulnerabilities themselves affect different components of the Defender for IoT stack. CVE-2024-21322 is an RCE that is exploited through the portal web application, while CVE-2024-21323 is an RCE that is exploited through a sensor update package. Regardless of component, all vulnerabilities are exploitable over the network, so it might be possible to detect or mitigate part of the risk using network segmentation.
| CVE number | Effect |
|---|---|
| CVE-2024-21322, CVE-2024-21323 (third not recovered) | Remote code execution |
| (not recovered) | Elevation of privilege |
Windows Routing and Remote Access service (RRAS)
The Routing and Remote Access service (RRAS) is a Windows service that allows the operating system to behave as a router, allowing for site-to-site connections using VPNs or dial-up. There are three critical vulnerabilities in the service this month, all with a CVSS score of 8.8. The patch notes don’t tell us much, except that the RCE vulnerabilities are triggered by a malicious server against an unsuspecting client. As such, it is possible to mitigate some of the risk posed by these vulnerabilities through Zero Trust and segmentation.
RRAS isn’t available on all Windows servers; it comes as part of the Remote Access role and has to be specifically installed. In our observations, we’ve seen that approximately 12% of monitored environments have Windows servers with the Remote Access role installed.
In addition to RRAS, this month’s patch contains multiple CVEs in the Remote Access Connection Manager. The two services are related, as the Connection Manager is used to organize connection profiles to the RRAS (among others).
| CVE number | Component | Effect |
|---|---|---|
| (not recovered) | RRAS | Remote code execution |
| (not recovered) | Connection Manager | Elevation of privilege |
| (not recovered) | Connection Manager | Information disclosure |
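Because RRAS is only present where the Remote Access role has been installed, the first step in prioritizing these patches is knowing which servers carry the role and whether the two services are actually running. The function below is an added example, not from the Akamai post; it queries the Remote Access role features on Windows Server and the state of the RRAS (`RemoteAccess`) and Remote Access Connection Manager (`RasMan`) services. The function name and output fields are assumptions of this example.

```powershell
# Added example (not from the Akamai post): inventory one Windows host for the
# Remote Access role and the RRAS / Connection Manager services.
function Get-RemoteAccessExposure {
    $result = [ordered]@{
        ComputerName              = $env:COMPUTERNAME
        RemoteAccessRoleInstalled = $false
        RoutingInstalled          = $false
        DirectAccessVpnInstalled  = $false
    }

    # Get-WindowsFeature comes from the ServerManager module and exists only on
    # Windows Server; on client SKUs the role fields simply stay $false.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $features = Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN -ErrorAction SilentlyContinue
        foreach ($f in $features) {
            switch ($f.Name) {
                'RemoteAccess'     { $result.RemoteAccessRoleInstalled = [bool]$f.Installed }
                'Routing'          { $result.RoutingInstalled          = [bool]$f.Installed }
                'DirectAccess-VPN' { $result.DirectAccessVpnInstalled  = [bool]$f.Installed }
            }
        }
    }

    # RemoteAccess = Routing and Remote Access service (RRAS)
    # RasMan       = Remote Access Connection Manager
    # RasMan exists on clients too, which is why the Connection Manager CVEs
    # matter beyond the ~12% of environments that install the RRAS role.
    foreach ($svc in 'RemoteAccess', 'RasMan') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["$svc.Status"]    = if ($s) { $s.Status.ToString() }    else { 'NotPresent' }
        $result["$svc.StartType"] = if ($s) { $s.StartType.ToString() } else { 'NotPresent' }
    }

    [pscustomobject]$result
}

Get-RemoteAccessExposure
```

Hosts where `RemoteAccessRoleInstalled` is true and `RemoteAccess.Status` is `Running` expose the RRAS attack surface described above and should be patched first, and their client-side connections reviewed under the segmentation policy; hosts that only have `RasMan` still need the Connection Manager fixes.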
Windows Authentication
Windows Authentication is a rather broad term, as there are multiple authentication methods, protocols, and providers supported by Windows. The two CVEs in Windows Authentication are for two completely different components.
CVE-2024-21447 is an EoP vulnerability in the User Manager service, possibly due to improper directory restrictions. It’s a bypass of CVE-2023-36047, as it was apparently a partial fix.
CVE-2024-29056, however, appears to be an issue in the implementation of Kerberos PAC validation, according to the FAQ section and related Knowledge Base article. It is also possibly related to the other Kerberos CVEs.
| CVE number | Component | Effect |
|---|---|---|
| CVE-2024-21447 | User Manager | Elevation of privilege |
| CVE-2024-29056 | Kerberos PAC validation | (not recovered) |
| (not recovered) | Windows Kerberos | Denial of service |
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous Patch Tuesday perspective blog posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| (not recovered) | (not recovered) | Information disclosure | Local |
| (not recovered) | (not recovered) | Remote code execution | Local, user interaction required |
| (not recovered) | (not recovered) | Remote code execution | Network |
| (not recovered) | (not recovered) | Security feature bypass | Network, user interaction required |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.