May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)

For May 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, including two zero-days (CVE-2024-30051, CVE-2024-30040) actively exploited by attackers.


CVE-2024-30051 and CVE-2024-30040

CVE-2024-30051 is a heap-based buffer overflow vulnerability affecting the Windows DWM Core Library that can be exploited to elevate attackers’ privileges on a target system. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft says.

Researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group and Google Mandiant have been credited with reporting it, so it has been speculated that the attacks leveraging it are widespread.

Kaspersky researchers Boris Larin and Mert Degirmenci have shared more details: CVE-2024-30051 is being leveraged in conjunction with Qakbot and other malware. “[We] believe that multiple threat actors have access to it,” they said, and promised to publish technical details once users have had time to update their Windows systems.

The interesting thing here is how they “discovered” the vulnerability: it was described in a file uploaded to VirusTotal.

“The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033, but the vulnerability was different,” they said.

CVE-2024-30040 is a vulnerability that allows attackers to bypass OLE [Object Linking and Embedding] mitigations in Microsoft 365 and Microsoft Office (i.e., security features that protect users from malicious files).

To exploit it, attackers need to “convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an email or instant messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft says.

“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.”

Microsoft does not say who reported the vulnerability or explain the nature of the attacks in which it is being leveraged.

Other vulnerabilities of note

Satnam Narang, senior staff research engineer at Tenable, says that exploitation of CVE-2024-30043, the only critical vulnerability fixed this month, requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and then take additional steps, “which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.”

The discoverer – Piotr Bazydło – says it’s the most interesting XML external entity (XXE) injection flaw that he’s ever found.

“An authenticated attacker could use this bug to read local files with SharePoint Farm service account user privileges. They could also perform an HTTP-based server-side request forgery (SSRF), and – most importantly – perform NTLM relaying as the SharePoint Farm service account,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, commented.

He also singled out CVE-2024-30050, a moderately severe vulnerability that may allow attackers to bypass the protections provided by Windows Mark of the Web (MotW) controls, because this type of security feature bypass is quite in vogue with ransomware gangs at the moment.

“They zip their payload to bypass network and host-based defenses, they use a Mark of the Web (MotW) bypass to evade SmartScreen or Protected View in Microsoft Office,” he explained.

“While we have no indication this bug is being actively used, we see the technique used often enough to call it out. Bugs like this one show why Moderate-rated bugs shouldn’t be ignored or deprioritized.”
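As an added, defender-side example (not from the article or the researchers quoted in it): a PowerShell audit that reports which files in a folder carry the Zone.Identifier stream that SmartScreen and Office Protected View consult, so files that have lost their Mark of the Web (the effect of a bypass, or of an archive extractor that does not propagate the stream) stand out. It assumes Windows with NTFS and PowerShell 5.1 or later; the default folder is an assumption.

```powershell
# Added example, not part of the original article.
# Audits files for the Zone.Identifier alternate data stream (the Mark of the Web).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: typical download location
)

function Get-MotwInfo {
    param([System.IO.FileInfo]$File)

    # A file downloaded from the Internet zone normally carries a Zone.Identifier
    # stream with "ZoneId=3"; SmartScreen and Protected View key off this value.
    $stream = Get-Item -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $File.FullName; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }

    $zoneId = $null
    $hostUrl = $null
    $lines = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }
    [pscustomobject]@{ File = $File.FullName; HasMotw = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

$report = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -File $_ }

# Files with no MotW at all are the ones a bypass leaves behind; review these first.
Write-Host "Files without a Mark of the Web under $Path`:"
$report | Where-Object { -not $_.HasMotw } | Select-Object -ExpandProperty File

# Files still marked as coming from the Internet zone, with their recorded origin.
Write-Host "`nFiles marked ZoneId=3 (Internet):"
$report | Where-Object { $_.HasMotw -and $_.ZoneId -eq 3 } | Format-Table File, ZoneId, HostUrl -AutoSize
```

Run it against the folder an archive was extracted into to see whether the extracted contents inherited the stream from the archive.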

UPDATE (May 31, 2024, 04:25 a.m. ET):

Bazydło has published a write-up on CVE-2024-30043, along with a demonstration of exploitation.
