Akamai’s Perspective on August’s Patch Tuesday 2024
Las Vegas has been flooded with hackers these days, exploiting everything everywhere. It’s definitely wild in the west, as evidenced by this Patch Tuesday, when six vulnerabilities were found to be exploited in the wild. Of the 89 CVEs released on August 2024’s Patch Tuesday, four of them were publicly disclosed and one was presented at Black Hat. This month also contained one advisory.
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
- Scripting Engine Memory Corruption (exploited in the wild)
- Windows Mark of the Web security feature bypass (exploited in the wild)
- Windows TCP/IP
- Windows Network Virtualization
- Windows Routing and Remote Access Service (RRAS)
- Microsoft Outlook
Vulnerabilities discovered in the wild
CVE-2024-38178 — Scripting Engine Memory Corruption (CVSS 7.5)
Windows scripting languages can refer to multiple implementations of scripting languages inside Windows, such as VBScript, JavaScript, or others. We noticed that the file jscript9.dll has changed, so we assume that the vulnerability that was fixed is in the JScript component.
JScript is Microsoft's implementation of ECMAScript, the same standard that’s behind JavaScript and is used by Internet Explorer. Chakra is also a JavaScript engine, forked from JScript, and is used by Microsoft Edge Legacy (newer versions of Edge are based on Chromium). Both are implemented as DLLs, conveniently named jscript9.dll and chakra.dll.
According to the advisory, an attack requires the victim to click on a link, and to use Edge in Internet Explorer mode. We theorize this vulnerability might be triggered in other ways, as well, possibly through Office.
CVE-2024-38213 — Windows Mark of the Web (CVSS 6.5)
It’s important to note that this vulnerability was fixed in June 2024, but the advisory was not released until August 2024.
This is a security bypass vulnerability, which skips the SmartScreen security warning when opening potentially malicious files that were downloaded from the web. In that scenario, Windows SmartScreen is responsible for displaying a warning screen. The vulnerability requires the attacker to craft a file in a specific way that will cause Windows SmartScreen to fail to check the file and, therefore, to bypass the warning screen.
This is not the first time SmartScreen bypass vulnerabilities have been actively exploited by threat actors. The November 2023 and February 2024 patches also included fixes for bypass vulnerabilities that were reported as actively exploited.
There were also four other vulnerabilities exploited in the wild.
Windows TCP/IP
The TCP/IP stack in Windows is a core component of the operating system's networking functionality. It handles the transport of data across networks using the TCP/IP protocol suite, which is the foundation of communication over the internet and most local networks.
In the Windows operating system, the TCP/IP stack is implemented in tcpip.sys driver. This kernel module is responsible for handling network protocols, including TCP over transport layers such as IPv4 and IPv6.
CVE-2024-38063 (CVSS 9.8) is a critical vulnerability in this network stack that allows an unauthenticated attacker to send specially crafted IPv6 packets that could lead to remote code execution.
A remarkable blog post by the Microsoft Security Response Center team discussed previously founded CVEs in this component, where remote code execution (RCE) and denial-of-service (DoS) attacks can be achieved using malcrafted packets. The CVSS indicates that the attack complexity is low (AC:L) in contrast with the previous findings.
According to Microsoft, machines with IPv6 disabled are protected from this vulnerability. We believe that this vulnerability may be used by malicious actors because of the widespread use of IPV6, the low complexity of the attack, and the fact that it is accessible to unauthenticated attackers — so patch your machines!
You can use the following osquery to detect network adapters that are enabled and have an IPv6 address:
SELECT interface_details.connection_id, interface_addresses.address
FROM interface_details
JOIN interface_addresses ON interface_addresses.interface =
interface_details.interface
WHERE enabled=1 AND interface_addresses.address like "%::%";
Windows Network Virtualization
Windows Network Virtualization (WNV) is a feature within the Hyper-V Network Virtualization framework that enables virtual machines (VMs) to communicate as if they are on the same subnet, even when they are on different subnets or physical networks. This is accomplished by decoupling virtual networks from the physical network, allowing VMs to move across physical hosts without altering network configurations.
WNV uses Network Virtualization Generic Routing Encapsulation (NVGRE) or Virtual Extensible LAN (VXLAN) for packet encapsulation, providing isolation, scalability, and multi-tenant support in cloud environments.
CVE-2024-38159 and CVE-2024-38160 could both lead to guest-to-host escape, which in turn could end in RCE. Although both the vulnerabilities have a CVSS of 9.1, they only affect Windows Server 2016 and Windows 10 (1607).
Microsoft suggests mitigating the vulnerabilities by either running the Hyper-V machines inside another virtual platform such as VMware, or by giving up the Hyper-V based virtualization completely.
Windows Routing and Remote Access Service (RRAS)
The Routing and Remote Access Service (RRAS) is a Windows service that allows the operating system to behave as a router, permitting site-to-site connections using VPNs or dial-ups. There are six vulnerabilities in the service this month, five of them with a CVSS score of 8.8.
The patch notes don’t tell us much, except that the RCE vulnerabilities are triggered by a malicious server on an unsuspecting client. As such, it is possible to mitigate some of the risks posed by these vulnerabilities via Zero Trust and segmentation.
RRAS isn’t available on all Windows servers; it comes as part of the Remote Access role and must be specifically installed. We’ve seen that approximately 12% of monitored environments have Windows servers with the Remote Access role installed.
Microsoft Outlook
It seems that we can’t have a Patch Tuesday without having an Outlook vulnerability. CVE-2024-38173 is an RCE vulnerability in Outlook. Although the Preview Pane is an attack vector, the vulnerability requires the victim’s credentials.
To trigger the vulnerability, a malicious form is uploaded to Exchange. Once the victim’s Outlook syncs with Exchange, it downloads the malicious form, which can lead to code execution on the victim’s machine. This vulnerability was discovered by Morphisec, and we believe it to be similar to CVE-2024-30103.
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.