Microsoft patches two actively exploited zero-days (CVE-2024-29988, CVE-2024-26234)

On this April 2024 Patch Tuesday, Microsoft has fixed a record 147 CVE-numbered vulnerabilities, including CVE-2024-29988, a vulnerability that Microsoft hasn’t marked as exploited, but Peter Girnus, senior threat researcher with Trend Micro’s Zero Day Initiative (ZDI), has found being leveraged by attackers in the wild.

“Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW,” notes Dustin Childs, head of threat awareness at the ZDI.

CVE-2024-29988 has also been reported by Dmitrij Lenz and Vlad Stolyarov of Google’s Threat Analysis Group, which means active exploitation is very likely, despite not having been acknowledged by Microsoft.

“CVE-2024-29988 is credited to some of the same researchers that disclosed a similar flaw in February (CVE-2024-21412) that was exploited as a zero-day,” says Satnam Narang, senior staff research engineer at Tenable.

“Social engineering through direct means (email and direct messages) that requires some type of user interaction is a typical route for exploitation for this type of flaw. CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple’s iTunes, Notion, NVIDIA and more.”

Other vulnerabilities of note

Childs urges users running Windows DNS servers to deploy patches for seven remote code execution flaws (CVE-2024-26221-CVE-2024-26224, CVE-2024-26227, CVE-2024-26231 and CVE-2024-26233) sooner rather than later, despite a timing factor being involved in successful exploitation.

Microsoft has fixed 24 vulnerabilities that may allow attackers to bypass Windows Secure Boot, a security feature that aims to prevent malware from loading when PCs boot up.

Narang pointed out that though Microsoft considers their exploitation “less likely”, the last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit.

“The patch fixes the [Secure Boot] bugs, but the protections aren’t enabled by default,” Childs added. Users should consult this document and enable them.

He also singled out CVE-2024-20678, an authenticated RCE flaw in Remote Procedure Call (RCP) Runtime, and CVE-2024-20670, an Outlook for Windows vulnerability that may allow attackers to harvest users’ NTLM (authentication) hashes, as likely to be targeted by attackers in the coming months and should therefore be quickly patched.

Finally, there are patches for several critical and important Microsoft Defender for IoT bugs, as well as an interesting information disclosure bug in Azure AI Search (CVE-2024-29063) that could allow attackers to obtain sensitive API keys.

“The vulnerability has been mitigated by a recent update to Azure AI Search’s backend infrastructure. Customers who are required to rotate specific credentials have been notified through Azure Service Health Alerts under TrackingID: WL1G-3TZ,” Microsoft said. “Customers who did not receive this Azure Service Health Alert do not need to take any action to be protected against this vulnerability.”

Should defenders prioritize fixing EoP flaws?

Narang commented that 2024 has been an unusually quiet year in terms of zero-days.

“It’s difficult to pinpoint why we’ve seen this decrease, whether it’s just a lack of visibility or if it signifies a trend with attackers utilizing known vulnerabilities as part of their attacks on organizations,” he commented.

Another interesting thing recently pointed out by SonicWall Capture Labs is that despited RCE bugs getting more attention from defenders, in 2023 attackers exploited Microsoft elevation of privilege (EoP) zero-day vulnerabilities more frequently that RCEs.

“We’re seeing that attackers favor phishing over Microsoft-specific exploits for initial entry, and subsequently favoring exploiting Microsoft’s privilege vulnerabilities to enhance their access,” the researchers noted.

Also, after the 2023 Patch Tuesdays, CISA added only four Microsoft vulnerabilities (aside from the exploited zero-days) to their Known Exploited Vulnerabilities catalog: three EoPs and one Security Feature Bypass.

“When considering these two data points, it’s reasonable to conclude that, for organizations looking at a large list of Microsoft vulnerabilities, the category of elevation of privileges should carry more weight in prioritization than the exploitable index or other types of vulnerabilities,” SonicWall pointed out.

“While elevation of privilege vulnerabilities can receive a lower CVSS and exploitability probability score, they are often the most attractive to threat actors because they fill a critical gap in their playbook.”

UPDATE (April 9, 2024, 06:00 p.m. ET):

Microsoft has updated the advisory for CVE-2024-26234, a proxy driver spoofing vulnerability, to say the flaw is exploited and public.

It was reported by Sophos X-Ops researcher Christopher Budd. More information is available here.