Akamai’s Perspective on October’s Patch Tuesday 2024
Spooky scary vulnerabilities, send shivers down your (server) stack 𝅘𝅥𝅮
Shrieking CVEs will shock your corp, seal your nets tonight 🎵
It’s a new month and we’ve got a big bowlful of CVEs — but, unlike candy, we can’t hand them out to costumed kids. This month, there are 117 total CVEs across 60 different components. Of those, three are critical, two were seen in the wild, and one was found by us.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities discovered in the wild
CVE-2024-43572 — Microsoft Management Console (CVSS 7.8)
The Microsoft Management Console (mmc.exe) is a graphical interface for various components.
The Windows Event Viewer, Services Manager, and Task Scheduler, among many others, are all implemented as snap-ins for the Microsoft Management Console.
Snap-ins themselves are files with the .msc extension, which tell the Management Console what to display and which capabilities to offer. (So, when you’re running the Event Viewer, for example, you’re actually running mmc.exe eventvwr.msc behind the scenes.)
The vulnerability appears to be associated with loading untrusted .msc files. Some improper handling probably leads to a remote code execution (RCE). Of course, “remote” in this case refers to the distance between the attacker and victim. The victim would have to download and open a malicious .msc file to trigger the vulnerability. In addition to fixing the RCE, this month’s patch also includes a fix that prevents untrusted .msc files from being loaded.
CVE-2024-43573 — Windows MSHTML Platform (CVSS 6.5)
MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.
There have been multiple vulnerabilities found in the MSHTML platform in the past (including some found by Akamai researchers), and it is an attractive exploitation target for attackers because of its ability to circumvent defense mechanisms and the fact that it is a built-in feature in Windows.
Vulnerabilities discovered by Akamai researchers
CVE-2024-43532 — Remote Registry Service (CVSS 8.8)
The Remote Registry Service in Windows allows for interaction with the Windows Registry between remote computers, and is implemented over the Remote Procedure Call (RPC) protocol. CVE-2024-43532 was found by Akamai researcher Stiv Kupchik and disclosed in February 2024.
The vulnerability actually exists in the client side of the Remote Registry RPC implementation, in the functions RegConnectRegistry and RegConnectRegistryEx. The root cause is a fallback mechanism in RPC transports. Although the Remote Registry traffic is usually handled over SMB named pipes, the client implementation contains a fallback mechanism to TCP in case the named pipe isn’t available. And unlike the SMB traffic, which uses secure authentication and encryption, the TCP traffic authenticates without integrity checks or encryption, which makes it vulnerable to NTLM relay attacks.
We’re presenting this vulnerability at the 2024 No Hat conference, so either visit the conference to hear it live, or read the accompanying blog post that we’ll release after the event.
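To make the transport distinction concrete, here is an added example (not Akamai’s code and not the vulnerability details). It assumes a network sensor that records DCE/RPC binds with their transport, interface UUID and authentication level, and it flags Remote Registry binds that went over the TCP fallback without packet integrity, which is the relayable pattern described above. The interface UUID and RPC_C_AUTHN_LEVEL_* values are the documented MS-RRP and RPC constants; the record format is constructed.

```python
"""Classify Remote Registry (MS-RRP) RPC binds by transport and auth level."""
from dataclasses import dataclass

# Interface UUID of the Windows Remote Registry protocol (MS-RRP "winreg").
WINREG_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# DCE/RPC authentication levels (RPC_C_AUTHN_LEVEL_*).
AUTHN_LEVEL_CONNECT = 2        # authenticate once, no per-packet protection
AUTHN_LEVEL_PKT_INTEGRITY = 5  # every packet signed
AUTHN_LEVEL_PKT_PRIVACY = 6    # every packet signed and encrypted


@dataclass
class RpcBind:
    """One observed bind, as a hypothetical sensor might log it (constructed)."""
    client: str
    server: str
    transport: str   # "ncacn_np" (SMB named pipe) or "ncacn_ip_tcp"
    endpoint: str    # pipe name or TCP port
    interface: str   # interface UUID requested in the bind
    auth_level: int  # RPC_C_AUTHN_LEVEL_* negotiated for the bind


def classify(bind: RpcBind) -> str:
    """Label a bind; only winreg binds over plain TCP are the risky fallback."""
    if bind.interface.lower() != WINREG_UUID:
        return "not-winreg"
    if bind.transport == "ncacn_np":
        return "named-pipe"  # SMB signing/encryption protects the session
    if bind.transport == "ncacn_ip_tcp":
        if bind.auth_level < AUTHN_LEVEL_PKT_INTEGRITY:
            return "tcp-fallback-unprotected"  # no signing, no encryption: relayable
        return "tcp-fallback-protected"
    return "unknown-transport"


def find_relayable(binds):
    """Return (client, server) pairs whose winreg bind used unprotected TCP."""
    return [(b.client, b.server) for b in binds
            if classify(b) == "tcp-fallback-unprotected"]


# Constructed sample: one normal named-pipe bind, one unrelated interface,
# one TCP fallback without integrity, one TCP bind with packet privacy.
SAMPLE_BINDS = [
    RpcBind("10.0.0.5", "10.0.0.10", "ncacn_np", "\\pipe\\winreg", WINREG_UUID, AUTHN_LEVEL_CONNECT),
    RpcBind("10.0.0.5", "10.0.0.10", "ncacn_ip_tcp", "49152", "12345678-1234-abcd-ef00-0123456789ab", AUTHN_LEVEL_CONNECT),
    RpcBind("10.0.0.5", "10.0.0.20", "ncacn_ip_tcp", "49668", WINREG_UUID, AUTHN_LEVEL_CONNECT),
    RpcBind("10.0.0.7", "10.0.0.20", "ncacn_ip_tcp", "49668", WINREG_UUID, AUTHN_LEVEL_PKT_PRIVACY),
]
```

Running find_relayable(SAMPLE_BINDS) reports only the 10.0.0.5 to 10.0.0.20 bind, the host where the named pipe was apparently unavailable and the client fell back to TCP.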
Microsoft Configuration Manager
The Microsoft Configuration Manager is part of the Intune software family and is meant to help IT managers configure and manage a large number of Windows computers and servers.
There are multiple components in a Configuration Manager setup, but the one we’re interested in is its SQL database. According to CVE-2024-43468’s notes and its weakness ID, successful exploitation of the vulnerability allows running commands on its database (and, in the case of a monolithic, single-server installation, on the main Configuration Manager server as well).
Because there are patches for both the Configuration Manager and its console application, the issue is likely that the values that you input to the server aren’t sanitized or validated before being passed to the database (rather than an issue with the security of the database itself). As such, simply securing the database via segmentation isn’t likely to reduce the impact of this vulnerability, although it’s a good security measure nonetheless.
It might be possible to detect Configuration Manager installations via the following osquery:
SELECT display_name, status, start_type, path FROM services WHERE name='SMS_Executive';
Windows Remote Desktop
Windows Remote Desktop is used for remote desktop connection between Windows machines, over the Remote Desktop Protocol (RDP). There are multiple vulnerabilities this month across different components of Windows Remote Desktop, so we’ll discuss them all together.
The main one is, of course, CVE-2024-43582 — a critical RCE vulnerability in the server-side service. An attacker “only” needs to connect to an RDP server, spam it with malformed packets, and win a race condition, which can then be leveraged for an RCE.
As RDP is very common in networks and since it can be used for lateral movement, we recommend creating policy rules that cover it. In our observations, 89% of networks had Windows RDP traffic, and 73% of networks had the traffic with no restrictions.
Restricting RDP access to user machines, or only to pre-authorized servers (like jump boxes), can greatly reduce the risk presented by these vulnerabilities. We covered some quick wins regarding RDP in our segmentation blog post. Regardless of policy, we recommend you patch as soon as possible.
| Component | CVE number | CVSS score | Effect |
|---|---|---|---|
| Remote Desktop Protocol Server | CVE-2024-43582 | 8.1 | Remote code execution |
| Windows Remote Desktop Licensing Service | | 7.5 | Remote code execution |
| Remote Desktop Client | | 8.8 | Remote code execution |
| Remote Desktop Client | | 8.8 | Remote code execution |
| Windows Remote Desktop Services | | 4.8 | Tampering |
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| | | Elevation of privilege | Network, authenticated |
| | | Information disclosure | Network |
| | | Remote code execution | Local, requires social engineering or phishing |
| | | Remote code execution | Network |
| | | Elevation of privilege | Local |
| | | Remote code execution | Network |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.