Akamai’s Perspective on June’s Patch Tuesday 2024
It’s a lean one this month, probably because everyone is busy celebrating Pride. Let’s ALLY with each other against the big bad security vulnerabilities.
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
There were 49 vulnerabilities patched on June’s Patch Tuesday 2024, with one critical vulnerability in Microsoft Message Queuing (MSMQ) and a high CVSS score (9.8) vulnerability in Azure Data Science Virtual Machine (DSVM).
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Microsoft Message Queuing (MSMQ)
The MSMQ service is an optional feature in Windows that is used to deliver messages among different applications. Despite being optional, it is used behind the scenes by many enterprise applications for Windows, such as Microsoft Exchange Server. In our observations, we found the service installed in nearly 74% of environments, usually on more than one machine.
This month, there is one critical network remote code execution (RCE) vulnerability, CVE-2024-30080, which can allow attackers to execute code remotely by sending a specially crafted packet to the victim MSMQ server.
Since the MSMQ service is accessible over port 1801, but shouldn’t be accessed by very many clients (since it’s mostly used by the enterprise application itself), we recommend restricting arbitrary network access to that port and service. This is also Microsoft’s recommended mitigation to the vulnerability.
Try to segment the service using allowlist policies, enabling access only to the machines that actually need it. For help with segmentation, you can refer to our blog post (Micro)Segmentation from a Practical Perspective (and specifically to the application ringfencing and microsegmentation sections).
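As an added example (not Akamai's own tooling, and not from the original post), the following PowerShell implements the allowlist recommendation above on a single Windows host: it checks whether MSMQ is enabled and listening, disables inbound firewall rules that open port 1801 to any remote address, and adds one allow rule scoped to the application servers that need it. It assumes MSMQ's default listener on TCP 1801; the peer addresses and rule name are placeholders to replace with your own.

```powershell
# Added example: ringfence MSMQ (TCP 1801) on this host with a firewall allowlist.
# $AllowedPeers are constructed placeholder addresses; replace with the real
# application servers that must reach this queue.
$AllowedPeers = @('10.0.10.21', '10.0.10.22')

# 1. Is the optional MSMQ feature installed at all? ('MSMQ-Server' is the DISM feature name.)
$msmq = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server'
if ($msmq.State -ne 'Enabled') {
    Write-Output 'MSMQ-Server is not enabled on this host; nothing to ringfence.'
    return
}

# 2. Is anything actually listening on 1801, and on which local addresses?
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Existing inbound Allow rules that open 1801 to any remote address undermine
#    an allowlist, so find and disable them. Windows Firewall evaluates explicit
#    Block rules before Allow rules, so the clean pattern is: profile default
#    inbound action = Block, plus one narrowly scoped Allow rule.
$broad = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 1801 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
foreach ($rule in $broad) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Output "Disabling broad inbound rule: $($rule.DisplayName)"
        $rule | Disable-NetFirewallRule
    }
}

# 4. Confirm every profile blocks unsolicited inbound traffic by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 5. Add the scoped Allow rule (idempotent: skipped if it already exists).
$name = 'MSMQ 1801 allowlist (CVE-2024-30080 mitigation)'   # placeholder rule name
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -RemoteAddress $AllowedPeers -Action Allow -Profile Any
}
```

Run it in an elevated session; step 3 only disables rules, so the original rules can be re-enabled if a legitimate client was missed from the allowlist.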
Azure Data Science Virtual Machine (DSVM)
Azure Data Science Virtual Machine is a type of customized virtual machine image available on the Azure cloud platform that comes pre-installed with various tools and programs necessary for data science. CVE-2024-37325 is an elevation of privilege (EoP) vulnerability that affects Ubuntu DSVMs with versions prior to 24.05.24.
Instead of being a typical EoP in which an attacker gains an elevated session post exploitation, in this case it seems that there is what amounts to a data leak originating from one of the services installed on those virtual machines. An unauthenticated attacker who sends a specific request can leak the credentials of authorized users, and can use those credentials to log in to those machines.
Microsoft provided guidance on how to upgrade affected machines. In addition, since it seems (to us) like the issue is with one of the installed services, we recommend checking all the ports that those machines are listening on, and trying to ringfence those to prevent outside access.
Windows Link Layer Topology Discovery Protocol and Windows Wi-Fi Driver
The Windows Link Layer Topology Discovery Protocol is a Microsoft proprietary protocol used to map devices to understand network topology. Although the protocol supports multiple types of networks (wired, wireless, and even powerline), both vulnerabilities patched this month revolve around the Wi-Fi network adapter, so we’ve merged our discussion with the Wi-Fi driver vulnerability.
Since the vulnerabilities all revolve around Wi-Fi, an attacker would have to be in close (radio) proximity to be able to exploit them, so if you just follow the “stranger danger” rule, you’ll be fine.
Kidding aside, the Wi-Fi protocol implementation is outside the scope of most firewall or segmentation products, as they deal with data transferred over networks and not with the setup of those networks themselves. Therefore, there isn’t really a mitigation for this vulnerability beyond patching (or a Faraday cage, but then you won’t get normal Wi-Fi either …) so we recommend you patch ASAP.
| Service | CVE number | Effect |
|---|---|---|
| Windows Link Layer Topology Discovery Protocol | | Remote code execution |
| Windows Wi-Fi Driver | | |
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| | | Information disclosure | Local |
| | | Remote code execution | Local, an attacker would have to convince the victim to open a malicious file |
| | | Denial of service | Network |
| | | Remote code execution | Network |
| | | Denial of service | Local |
| | | Information disclosure | Local |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.