This month, Microsoft is addressing a total of 83 vulnerabilities. Among these, 3 are classified as critical, 2 have been exploited in the wild, and another 2 have been disclosed prior to Patch Tuesday. Organizations are encouraged to prioritize these updates to mitigate potential risks and enhance their security posture.

Notable Vulnerabilities:

NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)
This vulnerability, identified as CVE-2024-43451, has been exploited and disclosed, carrying an Important severity rating with a CVSS score of 6.5. It allows an attacker to disclose a user's NTLMv2 hash, enabling them to authenticate as that user, which could lead to a total loss of confidentiality. Exploitation requires minimal user interaction, such as selecting or inspecting a malicious file. The vulnerability affects all supported versions of Microsoft Windows, and while Internet Explorer has been retired on certain platforms, updates addressing this vulnerability are included in the IE Cumulative Updates to ensure continued protection.

Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)
This vulnerability, identified as CVE-2024-49039, has a severity rating of Important with a CVSS score of 8.8 and is currently being exploited in the wild, although it has not been disclosed publicly. An authenticated attacker can exploit this vulnerability by running a specially crafted application on the target system, allowing them to elevate their privileges to a Medium Integrity Level. Successful exploitation could enable the attacker to execute RPC functions that are typically restricted to privileged accounts, thereby compromising the security of the system. Remediation efforts should focus on monitoring for unauthorized applications and ensuring that only trusted software is executed on systems to mitigate the risk of exploitation.

Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)
This vulnerability, identified as CVE-2024-49019, has been disclosed but is not currently exploited in the wild. It carries a severity rating of Important with a CVSS score of 7.8, allowing an attacker to potentially gain domain administrator privileges. The vulnerability affects certificates created using a version 1 certificate template with the Source of subject name set to "Supplied in the request," particularly if the template is not secured according to best practices. To mitigate this risk, organizations are advised to remove overly broad enrollment permissions, eliminate unused templates from certification authorities, and secure templates that allow specification of the subject in requests through additional signatures, certificate manager approval, and monitoring of issued certificates.

Windows Kerberos Remote Code Execution Vulnerability (CVE-2024-43639)
This critical vulnerability, with a CVSS score of 9.8, has not been exploited in the wild nor disclosed publicly. It allows an unauthenticated attacker to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target using a specially crafted application. The potential impact of this vulnerability underscores the importance of monitoring and securing systems against unauthorized access and exploitation.

Microsoft Windows VMSwitch Elevation of Privilege Vulnerability (CVE-2024-43625)
This critical vulnerability, identified as CVE-2024-43625, has a CVSS score of 8.1 and is currently not exploited or disclosed publicly. It allows an attacker with low privileges on a Hyper-V guest to traverse the security boundary and execute code on the Hyper-V host, potentially gaining SYSTEM privileges. The exploitation requires a high level of complexity, as the attacker must gather specific environmental information and perform additional preparatory actions before sending a specific series of networking requests to the VMswitch driver, triggering a use-after-free vulnerability. Notably, this vulnerability is confined to the VmSwitch component within Hyper-V and does not affect the System Center Virtual Machine Manager (SCVMM).

This summary highlights key vulnerabilities for this Patch Tuesday. Notably, CVE-2024-43451, a NTLM hash disclosure vulnerability, poses a significant risk due to its exploitation potential with minimal user interaction. CVE-2024-49039, an elevation of privilege vulnerability, is actively exploited and requires immediate attention. Additionally, CVE-2024-49019 allows potential domain admin access, necessitating strict certificate management. Critical vulnerabilities like CVE-2024-43639 (CVSS 9.8) and CVE-2024-43625, while not currently exploited, demand proactive monitoring and security measures. Prioritize patching and monitoring to mitigate these risks effectively.

November 2024 Security Updates

--
Renato Marinho
LinkedIn|Twitter