
WARNING: MICROSOFT PATCH TUESDAY MAY 2024 PATCHES 59 VULNERABILITIES (1 CRITICAL, 57 IMPORTANT, 1 MODERATE), PATCH IMMEDIATELY!!

Reference: Advisory #2024-67
Version: 1.0
Affected software: 
.NET and Visual Studio
Azure Migrate
Microsoft Bing
Microsoft Brokering File System
Microsoft Dynamics 365 Customer Insights
Microsoft Intune
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft WDAC OLE DB provider for SQL
Microsoft Windows SCSI Class System File
Microsoft Windows Search Component
Power BI
Windows Cloud Files Mini Filter Driver
Windows CNG Key Isolation Service
Windows Common Log File System Driver
Windows Cryptographic Services
Windows Deployment Services
Windows DHCP Server
Windows DWM Core Library
Windows Hyper-V
Windows Kernel
Windows Mark of the Web (MOTW)
Windows Mobile Broadband
Windows MSHTML Platform
Windows NTFS
Windows Remote Access Connection Manager
Windows Routing and Remote Access Service (RRAS)
Windows Task Scheduler
Windows Win32K - GRFX
Windows Win32K - ICOMP
Type: Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS:

Microsoft patched 59 vulnerabilities in its May 2024 Patch Tuesday release, 1 rated as critical and 57 rated important, including two actively exploited 0-day vulnerabilities.

Number of CVE by type:

  • 25 Remote Code Execution vulnerabilities
  • 17 Elevation of Privilege vulnerabilities
  • 7 Information Disclosure vulnerabilities
  • 4 Spoofing vulnerabilities
  • 3 Denial of Service vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 1 Tampering vulnerability

Risks

Microsoft’s May 2024 Patch Tuesday includes 59 vulnerabilities (1 critical, 57 important and 1 moderate) across a wide range of Microsoft products, impacting Microsoft servers and workstations. This Patch Tuesday includes two actively exploited vulnerabilities and two 0-Days. Some other vulnerabilities are also more likely to be exploited soon; urgent patching is therefore advised.

The only critical vulnerability this month is a Remote Code Execution vulnerability (CVE-2024-30044) in Microsoft SharePoint Server. Additionally, two vulnerabilities (CVE-2024-30051 and CVE-2024-30040) are currently being exploited in the wild. Immediate patching is strongly recommended to mitigate risks!

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

The CCB would like to draw your attention to the following vulnerabilities:

CVE-2024-30051: Windows DWM Core Library (Actively exploited – Zero-day)

Elevation of Privilege Vulnerability. This vulnerability allows a local attacker already present on a vulnerable system to gain SYSTEM privileges and complete control over the device. With a CVSSv3 score of 7.8, it is rated important. Microsoft noted that it was exploited in the wild as a zero-day. Kaspersky researchers report its use alongside QakBot and other malware, suggesting multiple threat actors have access to it.

CVE-2024-30040: Windows MSHTML Platform (Actively exploited – Zero-day)

Security Feature Bypass Vulnerability. An attacker can exploit this vulnerability by using social engineering tactics via email, social media or instant messaging to convince a target user to open a specially crafted document. Once exploited, an attacker could execute code on the target system. The vulnerability is exploited in the wild, was assigned a CVSSv3 score of 8.8 and is rated important.

CVE-2024-30046: Visual Studio

Denial of Service Vulnerability. CVE-2024-30046 is a denial of service (DoS) vulnerability affecting multiple versions of Microsoft Visual Studio 2022. It was assigned a CVSSv3 score of 5.9 and is rated important. According to Microsoft’s Exploitability Index it is rated as “Exploitation Less Likely” and the Attack Complexity is High.

CVE-2024-30043: Microsoft SharePoint Server

Information Disclosure Vulnerability. An authenticated attacker could use this bug to read local files with SharePoint Farm service account user privileges. The scope of file content that could be accessed depends on the privileges of the compromised user. According to Microsoft, it is rated as “Exploitation Less Likely” and was assigned a score of 6.5.

CVE-2024-30044: Microsoft SharePoint Server

Remote Code Execution Vulnerability. To exploit this CVE, an attacker needs to be authenticated to a vulnerable SharePoint Server with Site Owner permissions and perform two steps: 1) upload a specially crafted file to the vulnerable SharePoint Server and 2) send specially crafted API requests to the SharePoint Server in order to “trigger deserialization of file’s parameters”. This attack requires no user interaction. This vulnerability is rated as “Exploitation More Likely” according to Microsoft, was assigned a CVSSv3 score of 8.8 and is rated critical.

CVE-2024-30033: Microsoft Search Service

Elevation of Privilege Vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. This vulnerability is rated as “Exploitation Less Likely” according to Microsoft and was assigned a CVSSv3 score of 7.0.

CVE-2024-29996 and CVE-2024-30025: Common Log File System Driver

Elevation of Privilege Vulnerabilities. An attacker who successfully exploited these vulnerabilities could gain SYSTEM privileges. These vulnerabilities are rated as “Exploitation More Likely” according to Microsoft and were assigned a CVSSv3 score of 7.8.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
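The following is an added example, not part of the CCB advisory: a small parser that turns the highlighted entries above into a patch order. The three-wave scheme (exploited in the wild, then “Exploitation More Likely”, then the rest, each sorted by CVSS score) is an assumption of this example, and the input text is a constructed condensation of the advisory's own entries.

```python
import re

# Constructed input: entries condensed from this advisory's own text.
ADVISORY = """\
CVE-2024-30051: Windows DWM Core Library (Actively exploited - Zero-day)
Elevation of Privilege. CVSSv3 score of 7.8.
CVE-2024-30040: Windows MSHTML Platform (Actively exploited - Zero-day)
Security Feature Bypass. CVSSv3 score of 8.8.
CVE-2024-30046: Visual Studio
Denial of Service. CVSSv3 score of 5.9. Exploitation Less Likely.
CVE-2024-30043: Microsoft SharePoint Server
Information Disclosure. Assigned a score of 6.5. Exploitation Less Likely.
CVE-2024-30044: Microsoft SharePoint Server
Remote Code Execution. CVSSv3 score of 8.8. Exploitation More Likely.
CVE-2024-30033: Microsoft Search Service
Elevation of Privilege. CVSSv3 score of 7.0. Exploitation Less Likely.
CVE-2024-29996 and CVE-2024-30025: Common Log File System Driver
Elevation of Privilege. CVSSv3 score of 7.8. Exploitation More Likely.
"""

HEADLINE = re.compile(r"^(CVE-\d{4}-\d{4,}(?: and CVE-\d{4}-\d{4,})*): (.+)$")

def parse(text):
    """Return one record per CVE id; a headline may name several ids."""
    records = []
    for line in text.splitlines():
        m = HEADLINE.match(line.strip())
        if m:
            records.append({"ids": m.group(1), "component": m.group(2), "body": ""})
        elif records:  # description lines belong to the last headline seen
            records[-1]["body"] += " " + line
    out = []
    for r in records:
        score = re.search(r"score of (\d+\.\d+)", r["body"])
        likely = re.search(r"Exploitation (More|Less) Likely", r["body"])
        # Assumed waves: 0 = exploited in the wild, 1 = "More Likely", 2 = rest.
        wave = 1 if likely and likely.group(1) == "More" else 2
        if "actively exploited" in r["component"].lower():
            wave = 0
        component = re.sub(r"\s*\(.*\)$", "", r["component"])
        for cve in re.findall(r"CVE-\d{4}-\d{4,}", r["ids"]):
            out.append({"cve": cve, "wave": wave, "component": component,
                        "score": float(score.group(1)) if score else 0.0})
    return out

def patch_order(text):
    # Lowest wave first, then highest score, then CVE id for a stable order.
    return sorted(parse(text), key=lambda r: (r["wave"], -r["score"], r["cve"]))

if __name__ == "__main__":
    for r in patch_order(ADVISORY):
        print(f"wave {r['wave']}  {r['score']:>4}  {r['cve']}  {r['component']}")
```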

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
