Akamai’s Perspective on November’s Patch Tuesday 2024
While we’re waiting for Thanksgiving, let’s give thanks for Patch Tuesday. This month, there are 89 total CVEs across 39 different components. Of those CVEs, four are critical and two were seen in the wild.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched: vulnerabilities discovered in the wild, Microsoft Windows VMSwitch, Windows Kerberos, Windows SMBv3 Server, and previously covered services.
Vulnerabilities discovered in the wild
CVE-2024-49039 — Windows Task Scheduler (CVSS 8.8)
The Windows Task Scheduler is a core Windows component that lets users schedule commands or programs (tasks) to run automatically. It is present by default on every Windows system. Users interact with it through its management console, and programs and processes interact with it through its RPC interface.
That RPC interface enforces access control: a caller should only be able to create or run tasks at its own privilege level. CVE-2024-49039 apparently circumvents some of those checks. According to the patch notes, a process running in a low-integrity AppContainer (a sandbox meant to restrict what untrusted programs can access) can abuse the Task Scheduler to run commands at a higher integrity level than it should have, presumably through that RPC interface.
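Because the abuse described above ends with a task being registered and run, one practical check is to review who has been registering tasks that run with elevated principals. The script below is an added example written for this post, not Akamai’s code or tooling: it reads Security event 4698 (“A scheduled task was created”), parses the task definition embedded in the event, and flags tasks that run as a built-in system account or with the highest available privileges, together with the account that registered them. It assumes the “Audit Other Object Access Events” subcategory is enabled; without it, no 4698 events are written and the script returns nothing.

```powershell
# Added example (not from the Akamai post): hunt for scheduled tasks registered with
# elevated principals using Security event 4698. Run in an elevated PowerShell session.
# Assumes "Audit Other Object Access Events" auditing is enabled on the host.
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Security'; Id = 4698; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (-not $data['TaskContent']) { continue }

    # TaskContent is the full task definition, including the principal it runs as.
    $task      = [xml]$data['TaskContent']
    $principal = $task.Task.Principals.Principal
    $runLevel  = $principal.RunLevel            # HighestAvailable or LeastPrivilege (may be absent)
    $runAs     = $principal.UserId
    if (-not $runAs) { $runAs = $principal.GroupId }

    # Flag tasks that ask for the highest available privileges or run as a built-in
    # service account. Compare CreatedBy against RunsAs: a non-admin account
    # registering a SYSTEM task is the pattern worth a closer look.
    $elevated = ($runLevel -eq 'HighestAvailable') -or
                ($runAs -match 'S-1-5-18|S-1-5-19|S-1-5-20|SYSTEM|LOCAL SERVICE|NETWORK SERVICE')
    if ($elevated) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            CreatedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            TaskName  = $data['TaskName']
            RunsAs    = $runAs
            RunLevel  = $runLevel
            Actions   = ($task.Task.Actions.Exec |
                         ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join '; '
        }
    }
}

$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

Legitimate software (updaters, backup agents) registers SYSTEM tasks all the time, so treat the output as a triage list rather than an alert; the interesting rows are those where CreatedBy is an ordinary user and RunsAs is a privileged account.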
CVE-2024-43451 — Windows MSHTML platform (CVSS 6.5)
The CVE notes mention that the MSHTML platform was the affected component, so that’s what we’ll focus on.
MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.
There have been multiple vulnerabilities in the MSHTML platform in the past (including some found by Akamai researchers). It is an attractive target for attackers because bugs in it can often be used to circumvent defense mechanisms and because it is built into Windows.
This time, it seems that a specially crafted file causes an NTLMv2 hash leak when a user opens it. NTLM is one of Windows’ authentication protocols. What leaks is the user’s NTLMv2 challenge response rather than the stored password hash, but that is enough for an attacker: whoever controls the server the victim authenticates to can relay that authentication to another service, or crack the captured response offline to recover the user’s cleartext password.
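A leak like this only pays off if the victim machine is willing to send NTLM to an attacker-controlled host, so the standard hardening is to limit outgoing NTLM and to stop outbound SMB from reaching the Internet. The script below is an added example written for this post, not an Akamai recommendation or tool. It sets the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy through its registry value (0 allows all, 1 audits, 2 denies) and adds a host firewall rule blocking outbound TCP 445 to Internet addresses; the rule name and the default of audit mode are choices made here.

```powershell
# Added example (not from the Akamai post): contain NTLMv2 leaks of the kind described for
# CVE-2024-43451. Run elevated. Start with audit (1), review the
# Microsoft-Windows-NTLM/Operational log, then move to deny (2) once exceptions are known.
param([ValidateSet(0, 1, 2)][int]$RestrictNtlm = 1)

# 1. Outgoing NTLM policy. Backed by the RestrictSendingNTLMTraffic DWORD:
#    0 = allow all, 1 = audit all, 2 = deny all.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$current = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
Write-Host "RestrictSendingNTLMTraffic: current=$current desired=$RestrictNtlm"
Set-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -Value $RestrictNtlm -Type DWord

# 2. Outbound SMB to the Internet. A crafted file typically points at a UNC path on an
#    attacker host; with TCP 445 blocked to non-local addresses, the NTLM exchange never starts.
#    Rule name is chosen here (hypothetical), adjust -RemoteAddress if needed.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action
```

Note the caveat: a deny policy breaks legitimate NTLM to hosts that cannot do Kerberos, and the 445 block does not cover WebDAV over TCP 80/443, which is why the NTLM policy and the firewall rule are used together rather than either one alone.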
Microsoft Windows VMSwitch
VMSwitch is a component of Hyper-V, Microsoft’s hypervisor. Beyond running virtual machines, Hyper-V plays a major security role in newer Windows versions: it underpins virtualization-based security, providing a hypervisor layer that is more privileged than the kernel.
VMSwitch is the driver responsible for network traffic between virtual machines (VMs) hosted on Hyper-V. It is a paravirtualized component; that is, when a Hyper-V guest talks to it, the request is handled by code running on the host. That makes it a lucrative research target, since a bug in it can allow guest-to-host attacks.
Surprise, surprise, CVE-2024-43625 is exactly that. An attacker running in a Hyper-V guest can send specially crafted network requests to VMSwitch and trigger a use after free, which could be exploited to run code in the context of the host. It is even more lucrative when you recall that Hyper-V is also the hypervisor behind Microsoft Azure, so the impact of this vulnerability could be substantial.
This isn’t the first time VMSwitch has been targeted. In fact, we researched it ourselves and found a critical (CVSS 9.9) RCE vulnerability in it back in 2021; we presented our findings at Black Hat that year.
In addition to the critical vulnerability, there are two more CVEs that affect Hyper-V this month: a denial of service and an elevation of privilege.
It is possible to detect Hyper-V use by running the following osquery:
select name, statename from windows_optional_features where name like 'Microsoft-Hyper-V%'
In our observations, 93% of environments had machines with Hyper-V enabled — and they amounted to 25% of the network, on average.
Windows Kerberos
Kerberos is the backbone of the Windows domain architecture: it is the default authentication mechanism, having replaced NTLM. A single critical vulnerability in Kerberos was patched this month: CVE-2024-43639 (CVSS 9.8).
Successful exploitation results in remote code execution and does not require any authentication. This, coupled with the note that it is a cryptographic vulnerability, makes us believe the attack might target Kerberos pre-authentication, which occurs on the initial log-on to the domain. That would mean the attack mostly targets domain controllers, but it is possible that it can be adjusted to work against other Windows machines: if the cryptographic flaw is in ticket parsing rather than in pre-authentication, it could be applied during later stages of the authentication process as well.
Windows SMBv3 Server
SMBv3 here refers to SMB over QUIC: running the SMB 3.x file server over the QUIC transport instead of TCP. QUIC is a new-ish transport protocol (introduced in 2012 and standardized in 2021; for reference, TCP was introduced in 1974 and standardized in 1980). It is built on top of UDP and supports multiplexing, built-in encryption, and more. Microsoft has been incorporating QUIC into Windows, and newer versions (Windows 11 and Windows Server 2025) already support it in various ways.
With CVE-2024-43447, a malicious client can trigger a double free in the victim’s SMB server, which can lead to remote code execution if successfully exploited. Although this could be serious, the fact that QUIC isn’t widespread yet makes the real-world impact quite low. In fact, in our observations, only 8% of environments have servers with QUIC enabled, and among those the share running SMB over QUIC is lower still, since it is not on by default.
Concerned network admins can restrict QUIC traffic using segmentation, as it communicates over UDP port 443. Alternatively, they can disable QUIC support on their SMB file servers, if they have any.
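To turn the advice above into a check, the script below (an added example written for this post, not Akamai’s tooling) reports whether a file server has SMB over QUIC enabled and whether anything is actually listening on UDP 443, and with -Disable it switches the feature off and adds a host firewall rule for UDP 443. It assumes the EnableSMBQUIC setting of Get-/Set-SmbServerConfiguration, which is only present on Windows builds that ship SMB over QUIC (Windows Server 2022 Datacenter: Azure Edition, Windows Server 2025, Windows 11); on other builds the script reports the feature as unsupported. The firewall rule name is chosen here.

```powershell
# Added example (not from the Akamai post): assess and optionally remove a host's
# exposure to CVE-2024-43447 by disabling SMB over QUIC. Run elevated on the file server.
param([switch]$Disable)

$cfg = Get-SmbServerConfiguration
# EnableSMBQUIC only exists on builds that support SMB over QUIC.
$quicSupported = $null -ne $cfg.PSObject.Properties['EnableSMBQUIC']
$quicEnabled   = $quicSupported -and [bool]$cfg.EnableSMBQUIC

# QUIC runs over UDP 443. No listener here means no SMB over QUIC exposure,
# whatever the configuration flag says.
$udp443 = @(Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    SmbQuicSupported = $quicSupported
    SmbQuicEnabled   = $quicEnabled
    Udp443Listeners  = $udp443.Count
    ListenerPids     = ($udp443 | ForEach-Object OwningProcess | Sort-Object -Unique) -join ','
}

if ($Disable -and $quicEnabled) {
    # Option 1: disable SMB over QUIC on the server itself.
    Set-SmbServerConfiguration -EnableSMBQUIC $false -Force

    # Option 2: fence UDP 443 with the host firewall as well. This also blocks any
    # other QUIC listener on the box; scope it with -RemoteAddress if some clients need QUIC.
    $ruleName = 'Block inbound QUIC (UDP 443)'   # hypothetical name chosen here
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol UDP -LocalPort 443 | Out-Null
    }
    Get-SmbServerConfiguration | Select-Object EnableSMBQUIC
}
```

The UDP 443 check is there because the configuration flag alone can mislead: a server can have EnableSMBQUIC set while no QUIC endpoint is bound, and conversely a UDP 443 listener may belong to something other than SMB (for example an HTTP/3 web server), which the ListenerPids column lets you confirm.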
In addition to this vulnerability, there’s another denial-of-service vulnerability in regular SMB: CVE-2024-43642.
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service | CVE number | Effect | Required access
---|---|---|---
 | | Spoofing | Network, unauthenticated
 | | Remote code execution | Network
 | | Elevation of privilege | Local
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.