Microsoft’s November Patch Tuesday has issued fixes addressing 89 new common vulnerabilities and exposures (CVEs). There are 92 third-party disclosures, including four critical issues and several flaws that could be considered zero-days.
Remote code execution (RCE) vulnerabilities accounted for 58.6% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 29.9%.
“CVE-2024-43451 is a spoofing vulnerability in all supported versions of Microsoft Windows that was exploited in the wild,” says Tenable’s Senior Staff Engineer Satnam Narang. “When exploited, it reveals a user’s NTLMv2 hash, which an attacker can use to authenticate to a system using a technique called pass-the-hash.”
“CVE-2024-49039 is a vulnerability in the Windows Task Scheduler. This vulnerability is only exploitable when an authenticated attacker on a vulnerable system opens a malicious application. Once exploited, an attacker can elevate their privileges and gain access to resources that would otherwise be unavailable to them,” he added. “Whenever I see a zero-day privilege escalation vulnerability that was exploited in the wild, I typically conclude that it’s likely part of a targeted attack of some sort.”
“There were two other zero-day vulnerabilities patched this month – CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS) and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server. CVE-2024-49019 is considered more likely to be exploited,” Narang said. “The highest rated vulnerability in this month’s release is CVE-2024-43602, a remote code execution flaw in Microsoft’s Azure CycleCloud, which is a tool that helps in managing and orchestrating the high-performance computing environments in Azure.”
Rapid7 Lead Software Engineer Adam Barnett said Microsoft had evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published. However, as with October’s batch, it does not evaluate any of these zero-day vulnerabilities as critical severity.
“CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services,” he said. “While the vulnerability only affects assets with the Windows Active Directory Certificate Services role, an attacker who successfully exploits this vulnerability could gain domain admin privileges, so that doesn’t offer much comfort. Unsurprisingly, given the potential prize for attackers, Microsoft assesses future exploitation as more likely.”
“Microsoft has arguably scored CVE-2024-43451 correctly according to the CVSSv3.1 specification,” Barnett added. “However, although the Microsoft CVSSv3 vector describes an impact only to confidentiality, if an attacker can authenticate as the user post-exploitation, a further potential for subsequent impact to integrity and availability now exists; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the sort of number where alarm bells typically start ringing for many defenders.”
“This month brings patches for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is seldom a harbinger of good news,” Barnett said. “Exploitation might mean compromise of a desktop application by loading a malicious file, but most concerningly could also describe RCE in the context of a vulnerable .NET web app via a specially crafted request. Microsoft assesses exploitation as less likely, but there’s nothing on the advisory which obviously supports that assessment, since this is a low-complexity network attack which requires neither privileges nor user interaction. CVE-2024-43498 is surely worthy of immediate patching. It’s also never a bad idea to review other options for protection, especially for internet-exposed services.”
“The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 89.8, although not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target, but without providing much information about the target or the precise context of code execution. The only safe assumption here is that code execution is in a highly-privileged context on a server which handles key authentication tasks. Patch accordingly.”
Microsoft’s November patch updates are available in the release notes section of its website.