
WARNING: MICROSOFT PATCH TUESDAY, NOVEMBER 2024 PATCHES 87 VULNERABILITIES (4 CRITICAL, 82 IMPORTANT, 1 MODERATE), INCLUDING 4 ZERO DAYS, WITH 2 ACTIVELY EXPLOITED - PATCH IMMEDIATELY!

Reference: 
Advisory #2024-263
Version: 
1.0
Affected software: 
Microsoft Products
Type: 
Several types, ranging from Denial of Service to Elevation of Privilege and Remote Code Execution
CVE/CVSS: 

Microsoft patched 87 vulnerabilities in its November 2024 Patch Tuesday release, 4 rated as Critical, 82 rated as important and 1 moderate, including 4 zero-days, with 2 actively exploited.

  • 51 Remote Code Execution vulnerabilities
  • 26 Elevation of Privilege vulnerabilities
  • 4 Denial of Service vulnerabilities
  • 3 Spoofing vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 1 Information Disclosure vulnerability

Sources

Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Risks

Microsoft’s November 2024 Patch Tuesday includes 87 vulnerabilities (with 4 rated as critical, 82 important and 1 moderate) for a wide range of Microsoft products impacting Microsoft Servers and Workstations.

This Patch Tuesday includes four 0‑Days, two of which are actively exploited. Some vulnerabilities are more likely to be exploited soon; therefore, urgent patching is advised.

Description

Microsoft has released security updates for vulnerabilities covering a wide range of its products, including two under active attack. This monthly release is dubbed “Patch Tuesday” and contains security fixes for Microsoft devices and software.

The CCB would like to point your attention to the following vulnerabilities:

CVE‑2024‑43451: Windows NTLMv2 (Actively Exploited, Zero‑day)

Spoofing Vulnerability: a remote attacker could exploit this vulnerability by convincing a user to open a specially crafted file. Successful exploitation could allow an attacker to disclose a user’s NTLMv2 hash, facilitating unauthorized authentication. According to Microsoft researchers, this CVE was exploited in the wild as a zero-day. CVE‑2024‑43451 is assigned a CVSSv3 score of 6.5 and is rated as important.

CVE-2024-49039: Windows Task Scheduler (Actively Exploited, Zero-day)

Elevation of Privilege Vulnerability: this vulnerability could allow an attacker with local access to a vulnerable system to escape a low-privilege AppContainer and elevate their privileges. This could allow an attacker to execute remote procedure call (RPC) functions that are restricted to privileged accounts. According to Microsoft, this vulnerability was exploited in the wild as a 0‑day. This CVE has a CVSSv3 score of 8.8 and is rated as important.

CVE-2024-49040: Microsoft Exchange Server (Zero-day)

Spoofing Vulnerability: this vulnerability affects Microsoft Exchange Server 2016 and 2019. Successful exploitation of this vulnerability could allow a threat actor to spoof the sender’s email address in emails to local recipients. This vulnerability has a CVSSv3 score of 7.8 and is rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to a patch being made available.

CVE-2024-49019: Active Directory Certificate Services (Zero‑day)

Elevation of Privilege Vulnerability: according to Microsoft researchers, successful exploitation of this vulnerability could allow an attacker to gain domain administrator privileges by abusing built-in default version 1 certificate templates. CVE-2024-49019 has a CVSS score of 7.8, is rated as important, and was publicly disclosed prior to a patch being made available.

CVE-2024-43639: Windows Kerberos

Remote Code Execution Vulnerability: this is a critical remote code execution (RCE) vulnerability in Windows Kerberos which could allow an unauthenticated attacker to execute code remotely, compromising system integrity. CVE-2024-43639 is assigned a CVSSv3 score of 9.8 and is rated as “Exploitation Less Likely.”

CVE-2024-43602: Azure CycleCloud

Remote Code Execution Vulnerability: an RCE vulnerability with a CVSSv3 score of 9.9. A remote attacker could exploit this vulnerability by sending a specially crafted request to modify the configuration of an Azure CycleCloud cluster, which allows root privileges to be obtained.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
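As an added illustration of the monitoring recommended above (example code, not part of the original advisory), the following Python flags NTLMv2 network logons, the kind of authentication a disclosed NTLMv2 hash (CVE‑2024‑43451) could facilitate, that originate outside the internal address ranges or that one account performs from an unusual number of source hosts. The internal ranges, the host threshold and the sample 4624 records are assumptions constructed for this example.

```python
import ipaddress
import json
from collections import defaultdict
# Assumption: these ranges are the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Security log 4624 events exported as NDJSON; field names follow
# the 4624 schema, all values are made up (203.0.113.0/24 is documentation space).
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "j.doe", "IpAddress": "10.1.20.15", "WorkstationName": "WS-0420"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "TargetDomainName": "CORP", "TargetUserName": "j.doe", "IpAddress": "10.1.20.15", "WorkstationName": "WS-0420"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "j.doe", "IpAddress": "203.0.113.77", "WorkstationName": "UNKNOWN-PC"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.1.30.9", "WorkstationName": "WS-0101"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.1.30.10", "WorkstationName": "WS-0102"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.1.30.11", "WorkstationName": "WS-0103"}
"""

def is_ntlmv2_network_logon(ev):
    """A successful network logon (type 3) whose authentication package was NTLMv2."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LmPackageName") == "NTLM V2")

def is_internal(ip_text, nets=INTERNAL_NETS):
    """Loopback, placeholders such as '-' and addresses inside nets count as internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return ip.is_loopback or any(ip in net for net in nets)

def find_suspicious_ntlm_logons(ndjson_text, host_threshold=3):
    """Flag NTLMv2 logons from outside the internal ranges and accounts using NTLMv2 from many hosts."""
    external, sources_per_user = [], defaultdict(set)
    for line in filter(str.strip, ndjson_text.splitlines()):
        ev = json.loads(line)
        if not is_ntlmv2_network_logon(ev):
            continue
        user = f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}"
        src, host = ev.get("IpAddress", "-"), ev.get("WorkstationName", "-")
        sources_per_user[user].add((src, host))
        if not is_internal(src):
            external.append((user, src, host))
    multi_host = sorted(u for u, s in sources_per_user.items() if len(s) >= host_threshold)
    return {"external_sources": external, "multi_host_accounts": multi_host}

if __name__ == "__main__":
    for key, hits in find_suspicious_ntlm_logons(SAMPLE_EVENTS).items():
        print(key, hits)
```

Both findings are leads for triage, not proof of compromise: a service account legitimately reaching many hosts will trip the threshold, so tune the ranges and threshold to the environment.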

References

The Register - https://www.theregister.com/2024/11/13/november_patch_tuesday/

Tenable - https://www.tenable.com/blog/microsofts-november-2024-patch-tuesday-addresses-87-cves-cve-2024-43451-cve-2024-49039

Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2024-patch-tuesday-fixes-4-zero-days-91-flaws/