Akamai’s Perspective on July’s Patch Tuesday 2024
Plenty of countries commemorate their independence days in July, and what better way to celebrate than with a blast of CVEs? There were 137 vulnerabilities patched on July’s Patch Tuesday 2024, with five critical vulnerabilities in Microsoft SharePoint Server, the Windows Remote Desktop Licensing Service, and the Windows Codecs Library.
Additionally, an elevation of privilege (EoP) vulnerability in Windows Hyper-V and a spoofing vulnerability in Windows MSHTML Platform were reported as seen in the wild, and there’s a patch for a vulnerability in Windows Themes that was reported by Akamai researcher Tomer Peled.
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities discovered in the wild
CVE-2024-38080 — Windows Hyper-V (CVSS 7.8)
Windows Hyper-V is the native hypervisor in Windows. It allows the hosting of virtual machines (guests) on a single host machine. Virtualization is very common in enterprise networks, as it allows saving on hardware costs.
In our observations, 84% of environments had machines with Hyper-V enabled (hosts).
CVE-2024-38080 is a local EoP vulnerability that allows attackers to gain SYSTEM privileges following successful exploitation. It is still unclear whether the vulnerability exists on host machines or guest machines, and how it is exploited. Microsoft has indicated that successful exploitation of this vulnerability was detected in the wild.
Detection
To detect Hyper-V hosts, you can use the following osquery:
```sql
SELECT
  name, statename
FROM
  windows_optional_features
WHERE
  name LIKE 'Microsoft-Hyper-V%'
  AND state = 1
```
Akamai Guardicore Segmentation customers can use the Insight capability to run this query.
CVE-2024-38112 — Windows MSHTML Platform (CVSS 7.5)
MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.
There have been multiple vulnerabilities found in the MSHTML platform in the past (including some found by Akamai researchers), and it is an attractive exploitation target for attackers because of its ability to circumvent defense mechanisms and the fact that it is a built-in feature in Windows.
For a technical analysis of the CVE, you can read more in Haifei Li’s blog post.
Vulnerabilities found by Akamai researchers
CVE-2024-38030 — Windows Themes (CVSS 6.5)
Microsoft Themes is a feature in Windows that lets a user change the way icons or fonts are displayed, among other possible changes. It is a built-in part of Windows.
Akamai researcher Tomer Peled found CVE-2024-38030, which is categorized as a spoofing vulnerability with CVSS score of 6.5. Successful exploitation of this vulnerability bypasses the patch for CVE-2024-21320, which was also discovered by Peled.
The patch for CVE-2024-21320 introduced the function PathIsUNC to check if a given path in a theme file is a UNC path. Unluckily for Microsoft, James Forshaw already discussed a way to bypass this function. We believe this might be the first time this bypass is used to exploit Windows features.
Windows Remote Desktop Licensing Service
The Windows Remote Desktop Licensing Service is used as part of a Windows Remote Desktop Services (RDS) deployment. RDS is a virtualization solution to deploy and manage virtual remote desktops for users.
The Licensing Service is used to issue and manage client access licenses, which are required to connect to virtual desktops generated via the Desktop Services.
This month, there are three critical remote code execution vulnerabilities, as well as four denial-of-service vulnerabilities in the Windows Remote Desktop Licensing Service.
| CVE number | Effect |
|---|---|
| CVE-2024-38077 | Remote code execution |
| CVE-2024-38074 | Remote code execution |
| CVE-2024-38076 | Remote code execution |
| CVE-2024-38071 | Denial of service |
| CVE-2024-38072 | Denial of service |
| CVE-2024-38073 | Denial of service |
| CVE-2024-38099 | Denial of service |
Mitigation
Microsoft’s recommendation is to disable the service if it is no longer in use. As more organizations are moving to the cloud, it might be possible that your RDS deployment also moved to the cloud, and the on-prem licensing server is no longer needed. In our observations, 50% of environments had a server with Remote Desktop Licensing Service (TermServLicensing) running.
You can use the following osquery to detect the service and its status:
```sql
SELECT
  status, pid, start_type
FROM
  services
WHERE
  name = 'TermServLicensing'
```
Additionally, the Licensing Service is network accessible via remote procedure call (RPC). As such, it uses ephemeral ports and a named pipe (`\pipe\HydraLsPipe`) for communication, which might be difficult to track over time. You can use Event Tracing for Windows (ETW) to monitor RPC traffic, or limit access to the RPC interface with RPC filters. Its interface UUID is {3d267954-eeb7-11d1-b94e-00c04fa3080d}.
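As an added example (not code from the Akamai post), the following PowerShell ties the two mitigations above together: it reports the service state and, only once you have confirmed that this licensing server is no longer needed, disables the service and blocks its RPC interface by the UUID quoted above using an RPC filter. The `$LicensingNoLongerNeeded` switch is a placeholder assumption for that confirmation.

```powershell
# Added example (not from the Akamai post): review the Remote Desktop Licensing
# Service on this host and, only when the deployment no longer issues CALs from
# it, disable the service and block its RPC interface with an RPC filter.
# Run in an elevated PowerShell session. $LicensingNoLongerNeeded is a
# placeholder switch you flip after confirming with the RDS owners.
$LicensingNoLongerNeeded = $false

$svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'TermServLicensing is not installed on this host; nothing to do.'
    return
}
Write-Host "TermServLicensing status: $($svc.Status), start type: $($svc.StartType)"

if (-not $LicensingNoLongerNeeded) {
    Write-Host 'Service still in use: apply the July 2024 update instead of disabling it.'
    return
}

# 1. Stop the service and keep it from starting again.
Stop-Service -Name 'TermServLicensing' -Force
Set-Service -Name 'TermServLicensing' -StartupType Disabled

# 2. Block every RPC call to the licensing interface UUID quoted in the post.
#    layer=um is the user-mode RPC layer; a rule is one action plus its
#    conditions, and 'add filter' commits the rule as a persistent filter.
#    This blocks legitimate clients as well, so it belongs only on a
#    decommissioned licensing server.
$ifUuid = '3d267954-eeb7-11d1-b94e-00c04fa3080d'
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal "data=$ifUuid"
netsh rpc filter add filter

# 3. Verify; the listed filterKey is what 'netsh rpc filter delete filter
#    filterkey=<key>' needs if the filter ever has to be rolled back.
netsh rpc filter show filter
```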
Microsoft Windows Codecs Library
The Microsoft Windows Codecs Library is the set of built-in codecs in Windows. Codecs are used to encode and decode various media formats, like images, videos, audio, and fonts.
This month, there is a critical remote code execution vulnerability, CVE-2024-38060, which according to the FAQ is exploitable by uploading a malicious TIFF image to a server. The TIFF codec is part of the Windows Imaging Component (WIC) and is built into Windows. As such, it affects any Windows installation, and any program running on it that uses WIC to parse TIFF images.
You can use the following osquery to detect processes that loaded the codec library DLL:
```sql
-- Join each process's mapped regions to the process table on pid and keep
-- the ones that have windowscodecs.dll mapped.
SELECT
  name, pid, proc.path
FROM
  process_memory_map AS pmm
  JOIN processes AS proc USING (pid)
WHERE
  pmm.path LIKE '%windowscodecs.dll'
```
There are also two information disclosure CVEs: CVE-2024-38055 exposes portions of the Windows Kernel memory and CVE-2024-38056 can expose portions of heap memory, presumably of processes using the codecs library.
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| Microsoft SharePoint Server | CVE-2024-38023 | Remote code execution | Network, SiteOwner permissions |
| Microsoft SharePoint Server | CVE-2024-38024 | Remote code execution | Network, SiteOwner permissions |
| Microsoft SharePoint Server | CVE-2024-32987 | Information disclosure | Network, authentication required |
| Windows Cryptographic Services | CVE-2024-30098 | Security feature bypass | Network, requires SHA1 collision |
| Windows iSCSI | CVE-2024-35270 | Denial of service | Local network |
| DHCP Server Service | CVE-2024-38044 | Remote code execution | Network, requires specific DHCP privileges, presumably DHCP admin |
| Microsoft Defender for IoT | CVE-2024-38089 | Elevation of privilege | Network |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.