Akamai’s Perspective on September’s Patch Tuesday 2024
Let’s get back to school, everybody! Our major — CVE analysis. As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities discovered in the wild
Microsoft SharePoint
Windows network address translation (NAT)
Microsoft SQL Server
Previously covered services
Vulnerabilities discovered in the wild
CVE-2024-43491 — Microsoft Windows Update (CVSS 9.8)
On Windows 10 version 1507 systems (build 10240), the build number introduced by March’s security update triggered a bug in the part of Windows Update that handles optional components. Windows Update concluded that subsequent updates for those components were not applicable and rolled the components back to their original release versions, silently undoing fixes they had received since.
According to Microsoft, the Windows Update bug itself was not exploited in the wild, but some of the rolled-back components had vulnerabilities that were publicly exploited, and the rollback re-opened them. That is why the CVE carries the exploited-in-the-wild categorization.
To deal with this CVE, install both the September 2024 servicing stack update (KB5043936) and the September 2024 security update (KB5043083), in that order.
The affected components are:
Active Directory Lightweight Directory Services
Administrative Tools
ASP.NET 4.6
Internet Explorer 11
Internet Information Services
LPD Print Service
Microsoft Message Queue (MSMQ) Server Core
MSMQ HTTP Support
MultiPoint Connector
SMB 1.0/CIFS File Sharing Support
Windows Fax and Scan
Windows Media Player
Work Folders Client
XPS Viewer
You can check if any of those components are enabled on your computer by using the following OSQuery:
SELECT
name, caption, statename
FROM
windows_optional_features
WHERE
caption IN (
'Active Directory Lightweight Directory Services',
'Administrative Tools',
'ASP.NET 4.6',
'Internet Explorer 11',
'Internet Information Services',
'LPD Print Service',
'Microsoft Message Queue (MSMQ) Server Core',
'MSMQ HTTP Support',
'MultiPoint Connector',
'SMB 1.0/CIFS File Sharing Support',
'Windows Fax and Scan',
'Windows Media Player',
'Work Folders Client',
'XPS Viewer'
)
AND state = 1
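The same check from PowerShell, as an added example that is not part of the original post: it also verifies that the host is the affected Windows 10 version 1507 build and that both KBs named above are installed, since an enabled component only matters on an unpatched host. It assumes an elevated Windows PowerShell session on the host being checked; Get-WindowsPackage (from the DISM module) is consulted as a fallback because Get-HotFix does not always list servicing stack updates.

```powershell
# Added example, not code from the Akamai post. Checks one host for CVE-2024-43491 exposure:
# (1) is it the affected Windows 10 version 1507 build, (2) are the two September 2024
# packages installed, (3) which of the rolled-back optional components are enabled here.
# Assumes an elevated Windows PowerShell session on the host being checked.

$affectedCaptions = @(
    'Active Directory Lightweight Directory Services',
    'Administrative Tools',
    'ASP.NET 4.6',
    'Internet Explorer 11',
    'Internet Information Services',
    'LPD Print Service',
    'Microsoft Message Queue (MSMQ) Server Core',
    'MSMQ HTTP Support',
    'MultiPoint Connector',
    'SMB 1.0/CIFS File Sharing Support',
    'Windows Fax and Scan',
    'Windows Media Player',
    'Work Folders Client',
    'XPS Viewer'
)
$requiredKbs = @('KB5043936', 'KB5043083')   # servicing stack update first, then security update

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Only Windows 10 version 1507 (build 10240) is affected; any other build can stop here.
if ([int]$os.BuildNumber -ne 10240) {
    Write-Output "$($env:COMPUTERNAME) runs build $($os.BuildNumber) ($($os.Caption)); CVE-2024-43491 does not apply."
    return
}

# Win32_QuickFixEngineering (what Get-HotFix reads) does not always list servicing stack
# updates, so check the DISM package list as well before declaring a KB missing.
$hotfixes = @((Get-HotFix).HotFixID)
$packages = @((Get-WindowsPackage -Online).PackageName)
$missingKbs = $requiredKbs | Where-Object {
    $kb = $_
    ($hotfixes -notcontains $kb) -and -not ($packages | Where-Object { $_ -like "*$kb*" })
}

# Same WMI class that osquery's windows_optional_features table reads; InstallState 1 = Enabled.
$enabledComponents = Get-CimInstance -ClassName Win32_OptionalFeature |
    Where-Object { $_.InstallState -eq 1 -and $affectedCaptions -contains $_.Caption } |
    Select-Object -ExpandProperty Caption

if ($missingKbs) {
    Write-Output "MISSING on $($env:COMPUTERNAME): $($missingKbs -join ', ')"
    if ($enabledComponents) {
        Write-Output "Rolled-back components currently enabled (their earlier fixes may be undone):"
        $enabledComponents | ForEach-Object { Write-Output "  - $_" }
    } else {
        Write-Output "None of the affected optional components is enabled, but install both KBs anyway."
    }
} else {
    $list = if ($enabledComponents) { $enabledComponents -join ', ' } else { 'none' }
    Write-Output "Both KBs present on $($env:COMPUTERNAME). Affected components enabled here: $list"
}
```

To run this across a fleet, wrap it in Invoke-Command against the hosts that report build 10240 in your inventory; the build check makes it safe to run everywhere.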
CVE-2024-38014 — Windows Installer (CVSS 7.8)
The Windows Installer (msiexec.exe) is the component in Windows that is responsible for handling and installing .msi files. There aren’t many details regarding this vulnerability, but given that successful exploitation results in SYSTEM privileges, the issue might be with the Windows Installer service (which points to msiexec as well) and not just the binary.
CVE-2024-38226 — Microsoft Publisher Security Features (CVSS 7.3)
The Microsoft Publisher security features are meant to protect users from harmful, malicious Microsoft Office documents. Attackers can embed malicious code, in the form of macros, in Office documents. The Publisher security features prevent the automatic execution of macros and instead present users with a pop-up message asking them to confirm execution.
CVE-2024-38226 is a bypass of those protections, allowing malicious code to run automatically when the document is opened.
CVE-2024-38217 — Windows Mark of the Web (CVSS 5.4)
For the second month in a row, there’s another Mark of the Web bypass. Mark of the Web is the security feature that is responsible for marking potentially dangerous files downloaded from the internet, which triggers the SmartScreen security warning when opening them. This bypass skips that warning. The vulnerability requires the attacker to craft a file in a specific way that will cause Windows SmartScreen to fail to check the file and, therefore, to bypass the warning screen.
Last month was not the first time SmartScreen bypass vulnerabilities were actively exploited by threat actors. The November 2023 and February 2024 patches also included fixes for bypass vulnerabilities that were reported as actively exploited.
In addition to the exploited-in-the-wild bypass, another Mark of the Web security feature bypass, CVE-2024-43487, was patched this month with a CVSS score of 6.5.
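To see what the mark actually is, here is an added example (not from the original post) that inventories the Zone.Identifier stream on the files in a folder. The mark is an NTFS alternate data stream holding an INI-style block whose ZoneId records the URL security zone the file came from; SmartScreen consults it before running the file. The script assumes an NTFS volume; the folder path is a parameter that defaults to the current user's Downloads directory, and the list of risky extensions is the author's own triage choice, not something from the advisory.

```powershell
# Added example, not code from the Akamai post. Lists the Mark of the Web on every file
# in a folder: the NTFS alternate data stream "Zone.Identifier", whose ZoneId is the
# URL security zone of origin (3 = Internet, 4 = Restricted sites). A SmartScreen bypass
# such as CVE-2024-38217 does not remove this stream; it makes the check not happen.
# Assumes an NTFS volume. $riskyExtensions is an assumption for triage, not an official list.
param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$riskyExtensions = '.exe', '.msi', '.js', '.jse', '.vbs', '.hta', '.lnk', '.scr', '.bat', '.cmd', '.ps1', '.iso', '.img'

function Get-MotwInfo {
    param([System.IO.FileInfo]$File)
    # Get-Item -Stream fails cleanly when the stream is absent, i.e. the file carries no mark.
    $stream = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $info = [ordered]@{ File = $File.Name; ZoneId = $null; Zone = 'no mark'; ReferrerUrl = $null; HostUrl = $null; MarkedRisky = $false }
    if ($stream) {
        foreach ($line in Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier') {
            if ($line -match '^ZoneId=(\d+)\s*$') {
                $info.ZoneId = [int]$Matches[1]
                $info.Zone = $zoneNames[[int]$Matches[1]]
            } elseif ($line -match '^ReferrerUrl=(.+)$') {
                $info.ReferrerUrl = $Matches[1]
            } elseif ($line -match '^HostUrl=(.+)$') {
                $info.HostUrl = $Matches[1]
            }
        }
        # Internet/Restricted origin plus an executable-style extension: this is the case
        # where SmartScreen is expected to warn, and therefore what a bypass targets.
        $info.MarkedRisky = ($info.ZoneId -ge 3) -and ($File.Extension.ToLower() -in $riskyExtensions)
    }
    [pscustomobject]$info
}

Get-ChildItem -LiteralPath $Path -File |
    ForEach-Object { Get-MotwInfo -File $_ } |
    Sort-Object MarkedRisky, ZoneId -Descending |
    Format-Table File, ZoneId, Zone, MarkedRisky, HostUrl -AutoSize
```

The HostUrl and ReferrerUrl fields are written by the downloading browser and are a useful forensic breadcrumb when triaging a file that was opened without a warning.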
Microsoft SharePoint
Microsoft SharePoint is a web-based document management and storage system that integrates with the other Microsoft Office products. There are five SharePoint CVEs this month: two rated critical, both remote code execution (RCE), with CVSS scores of 8.8 (CVE-2024-38018) and 7.2 (CVE-2024-43464). The other three are two more RCE vulnerabilities and a denial-of-service (DoS) CVE.
CVE-2024-38018 requires attackers to authenticate to the SharePoint server with an account that has at least SiteMember permissions. There are no details on what the attacker has to do to trigger code execution.
CVE-2024-43464, CVE-2024-38227, and CVE-2024-38228 require SiteOwner permissions. They also require uploading a crafted file and accessing it via an API request. This would trigger a deserialization of file parameters and cause code injection into the SharePoint server process.
In our observations, we’ve seen that approximately 30% of environments had at least one machine with a SharePoint server installed on it.
Since SharePoint servers are usually meant to be used for document sharing, it might be difficult to segment or limit user access to them without harming normal operations. Therefore, we recommend that you patch your server as soon as possible.
However, since the RCE CVEs require user authentication, it may be possible to mitigate some of the risks by hardening user access, or by increasing alert sensitivity on suspicious user activity or logins.
Windows network address translation (NAT)
Network address translation (NAT) maps the addresses of many hosts onto a single IP address. Its main use is letting a private address range share one external address, with the side effect that internal hosts are not directly reachable from outside.
This month, CVE-2024-38119 is a critical RCE vulnerability in Windows NAT (the NetNat service) that requires winning a race condition to exploit successfully. Microsoft’s CVSS vector rates the attack vector as adjacent, so the attacker must already be on the same network segment as the target, and NAT is handled below the point where host-based segmentation policy normally applies. As such, we recommend patching as the only practical mitigation.
Microsoft SQL Server
There are 13 CVEs in Microsoft SQL Server (MSSQL) this month. Nine of them are in the Native Scoring feature (the T-SQL PREDICT function, which scores rows in a query against a pre-trained machine learning model); of those nine, six are RCEs. The remaining four CVEs are in the database engine itself.
As SQL servers typically hold sensitive information, they should be segmented and have access control restrictions placed on them to prevent data theft incidents. If you don’t have such policies in place, this is a good opportunity to add them. Map your existing MSSQL servers, either by looking for the MSSQL service or by looking for connections over ports 1433/TCP (the engine’s default) and 1434/UDP (SQL Browser).
After mapping existing servers, create segmentation policies based on the existing traffic and other segments that should have access (like IT to all, or finance to finance, etc.). This is also a good opportunity to see who's being naughty and accessing databases they shouldn’t touch.
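The host-side half of that mapping, as an added example that is not part of the original post: it finds the SQL Server services on a host, takes the engine’s actual listening ports from the sqlservr.exe process (so named instances on dynamic ports are not missed), and summarises current client sessions per remote /24 as a first cut at the allow-list for a segmentation policy. It assumes a Windows host with the NetTCPIP module (Windows 8/Server 2012 or later) and that the engine runs as sqlservr.exe.

```powershell
# Added example, not code from the Akamai post. Inventories SQL Server on one host and
# groups established client sessions by /24 as input for a segmentation policy.
# Assumes the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint) and that the
# database engine runs as sqlservr.exe; instance ports are taken from the process, not assumed.

$services = Get-Service | Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -eq 'SQLBrowser' }
if (-not $services) {
    Write-Output "No SQL Server services on $($env:COMPUTERNAME)"
    return
}
Write-Output "SQL Server services on $($env:COMPUTERNAME):"
$services | Format-Table Name, Status, StartType -AutoSize

# TCP listeners owned by the engine (covers named instances on dynamic ports), plus
# anything on 1433 even if another process owns it, and the SQL Browser on 1434/UDP.
$enginePids = @(Get-Process -Name sqlservr -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
$tcpListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $enginePids -contains $_.OwningProcess -or $_.LocalPort -eq 1433 }
$udpBrowser = Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue

$sqlPorts = @($tcpListeners.LocalPort | Sort-Object -Unique)
$portList = if ($sqlPorts) { $sqlPorts -join ', ' } else { 'none found' }
Write-Output "Engine TCP listeners: $portList"
$browserState = if ($udpBrowser) { 'listening (instance enumeration exposed)' } else { 'not listening' }
Write-Output "SQL Browser 1434/UDP: $browserState"

# Established sessions to the engine ports. IPv4 only, so the /24 split below is well defined.
$sessions = Get-NetTCPConnection -State Established |
    Where-Object { $_.LocalPort -in $sqlPorts -and $_.RemoteAddress -match '^\d{1,3}(\.\d{1,3}){3}$' }

# One row per client /24: this is the allow-list you will be negotiating with each team,
# and any subnet that should not be here is a candidate for the "naughty" list.
$sessions |
    Group-Object { ($_.RemoteAddress -split '\.')[0..2] -join '.' } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientSubnet'; e = { "$($_.Name).0/24" } },
                  @{ n = 'Sessions';     e = { $_.Count } },
                  @{ n = 'Clients';      e = { ($_.Group.RemoteAddress | Sort-Object -Unique) -join ' ' } } |
    Format-Table -AutoSize
```

A single run is only a snapshot of the sessions open at that moment; schedule it for a few weeks, or take the same grouping from Windows Firewall or NetFlow logs, before turning the result into enforced policy.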
From our observations, 75% of networks have MSSQL servers.
Service | CVE number | Effect
---|---|---
Microsoft SQL Server Native Scoring | | Remote code execution
Microsoft SQL Server Native Scoring | | Information disclosure
Microsoft SQL Server | | Elevation of privilege
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service | CVE number | Effect | Required access
---|---|---|---
 | | Denial of service | Network
 | | Elevation of privilege | Network
 | | Remote code execution | Network, with the NetNAT service enabled
 | | Spoofing | Network
 | | Remote code execution | Network, any authenticated user
 | | Information disclosure | Network
 | | Denial of service | 
 | | Spoofing | 
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.