Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)

November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers.


The exploited vulnerabilities (CVE-2024-43451, CVE-2024-49039)

CVE-2024-43451 is yet another vulnerability that allows attackers to elevate their privileges on targeted Windows and Windows Server machines by disclosing the user’s NTLMv2 hash, which contains their authentication credentials.

The hash can then be used by attackers to authenticate to a system as the user by using a hacking technique called pass the hash.
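Because a disclosed NTLMv2 hash is useful precisely for the lateral movement described here, one defender-side signal is a single account and source address completing NTLMv2 network logons to many distinct hosts within a short window. The following is an added example written for this article, not code from Microsoft or from any researcher quoted on the page; it assumes logon records shaped like the fields of Windows Security event 4624 (logon type 3, authentication package NTLM, LM package "NTLM V2"), and all sample data is invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Windows Security event 4624 (successful logon).
# Field names are this example's assumptions; the values are invented and are
# not telemetry from any real incident.
SAMPLE_LOGONS = [
    {"time": "2024-11-12T10:00:01", "user": "alice", "src_ip": "10.0.0.5",
     "dst_host": "FILESRV01", "logon_type": 3, "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    {"time": "2024-11-12T10:00:40", "user": "alice", "src_ip": "10.0.0.5",
     "dst_host": "DC01", "logon_type": 3, "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    {"time": "2024-11-12T10:01:15", "user": "alice", "src_ip": "10.0.0.5",
     "dst_host": "WS-07", "logon_type": 3, "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    {"time": "2024-11-12T10:02:50", "user": "alice", "src_ip": "10.0.0.5",
     "dst_host": "HR-DB", "logon_type": 3, "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    # Ordinary user: two NTLMv2 logons to one file server, 20 minutes apart.
    {"time": "2024-11-12T10:00:10", "user": "bob", "src_ip": "10.0.0.9",
     "dst_host": "FILESRV01", "logon_type": 3, "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    {"time": "2024-11-12T10:20:10", "user": "bob", "src_ip": "10.0.0.9",
     "dst_host": "FILESRV01", "logon_type": 3, "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    # Kerberos logons are ignored: the concern is reuse of a disclosed NTLMv2 hash.
    {"time": "2024-11-12T10:01:00", "user": "carol", "src_ip": "10.0.0.12",
     "dst_host": "DC01", "logon_type": 3, "auth_pkg": "Kerberos", "lm_pkg": "-"},
    {"time": "2024-11-12T10:01:05", "user": "carol", "src_ip": "10.0.0.12",
     "dst_host": "FILESRV01", "logon_type": 3, "auth_pkg": "Kerberos", "lm_pkg": "-"},
    {"time": "2024-11-12T10:01:09", "user": "carol", "src_ip": "10.0.0.12",
     "dst_host": "WS-07", "logon_type": 3, "auth_pkg": "Kerberos", "lm_pkg": "-"},
]


def find_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(user, src_ip): sorted hosts} for sources that complete NTLMv2
    network logons to at least `min_hosts` distinct hosts inside `window`.

    The result for each flagged source is the largest set of distinct hosts
    reached within any single window, so it can be used directly in an alert.
    """
    by_source = defaultdict(list)
    for e in events:
        # Only network logons negotiated with NTLMv2 are relevant here.
        if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM" and e["lm_pkg"] == "NTLM V2":
            stamp = datetime.fromisoformat(e["time"])
            by_source[(e["user"], e["src_ip"])].append((stamp, e["dst_host"]))

    flagged = {}
    for key, logons in by_source.items():
        logons.sort()  # chronological, so each slice below is a forward window
        best = set()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[key] = sorted(best)
    return flagged


if __name__ == "__main__":
    for (user, src_ip), hosts in find_ntlm_fanout(SAMPLE_LOGONS).items():
        print(f"{user}@{src_ip}: NTLMv2 logons to {len(hosts)} hosts in 5 min: {', '.join(hosts)}")
```

The window and host-count thresholds are tunable; in production they would be set against a per-user baseline, since service accounts and backup hosts legitimately touch many machines.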

“To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024,” Satnam Narang, Senior Staff Research Engineer at Tenable, told Help Net Security.

“While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451 at this time, one thing is certain: attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems.”

User interaction – e.g., selecting or inspecting the malicious file that holds the exploit – is required for the vulnerability to be triggered, but that’s obviously not a real barrier for attackers.

CVE-2024-49039 is a vulnerability in Windows Task Scheduler that’s also getting exploited to elevate privileges on breached systems.

“The bug allows an AppContainer escape – allowing a low-privileged user to execute code at Medium integrity. You still need to be able to execute code on the system for this to occur, but container escapes are still quite interesting as they are rarely seen in the wild,” says Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.

“Once exploited, an attacker can elevate their privileges and gain access to resources that would otherwise be unavailable to them as well as execute code, such as remote procedure call (RPC) functions,” Narang added.

“Once again, we don’t have much insight into the in-the-wild exploitation of this flaw, though we know that this flaw is attributed to multiple individuals, including members of Google’s Threat Analysis Group (TAG). Based on this attribution, we can infer that there is some advanced persistent threat (APT) or nation-state aligned activity associated with the zero-day exploitation of this flaw.”

Other patched vulnerabilities of note

CVE-2024-43639 is an interesting one: “An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target,” says Microsoft.

The CVSS vector string associated with the vulnerability says no user action is required to exploit it. “Since Kerberos runs with elevated privileges, that makes this a wormable bug between affected systems,” Childs pointed out, and advised admins of Windows Servers to test and deploy the fix quickly.

CVE-2024-5535 – a bug in OpenSSL disclosed in June 2024 – has been patched in Microsoft Defender for Endpoint.

“Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message. In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim’s machine,” Microsoft said, but assessed that exploitation is less likely.

CVE-2024-49019, a publicly disclosed elevation of privilege flaw in Active Directory Certificate Services (AD CS), is considered by Microsoft as more likely to be exploited.

“The vulnerability exists in the management of certificates issued by a PKI (Public Key Infrastructure) environment using certain misconfigured certificate templates,” Ben McCarthy, Lead Cyber Security Engineer at Immersive Labs, told Help Net Security.

“An attacker who successfully exploited this vulnerability could gain domain administrator privileges,” Microsoft warned, and provided fixes for various Windows Server versions and laid out mitigations.

CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server, has been publicly disclosed and there’s a proof-of-concept exploit for it, according to Microsoft.

“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport. The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate,” the company noted.

“Starting with the Exchange Server November 2024 Security Update (SU), Exchange Server can detect and flag email messages that contain potentially malicious patterns in the P2 FROM header.” A disclaimer to the body of such an email message will be added, saying:
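The verification Microsoft describes runs on the P2 (message-header) From field, the one the mail client displays. To make the failure mode concrete, here is an added example that is not Microsoft's implementation and not code from the page: a small checker that parses a raw From: value with Python's standard library and reports the common non-compliant shapes (several mailboxes, no addr-spec, a display name that is itself a different e-mail address). The sample header values are constructed for the demonstration.

```python
import re
from email.utils import getaddresses

# Anything that looks like an e-mail address inside a display name. A loose
# heuristic for this example, not an RFC 5322 grammar.
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.ASCII)


def check_from_header(value: str) -> list[str]:
    """Return the reasons a raw From: header value looks suspicious.

    An empty list means the value parsed as exactly one well-formed mailbox whose
    display name does not impersonate a different address. These checks are a
    defender-side approximation of a transport-level header validator.
    """
    reasons = []

    # A raw header value must never contain a bare CR or LF (header injection).
    if "\r" in value or "\n" in value:
        reasons.append("contains CR/LF (possible header injection)")

    # RFC 5322 header fields are ASCII; non-ASCII text belongs in RFC 2047 encoded words.
    if not value.isascii():
        reasons.append("contains raw non-ASCII characters")

    # From: may technically carry a mailbox-list, but user-originated mail names one
    # sender; zero, several or unparseable mailboxes are the usual spoofing shapes.
    pairs = getaddresses([value])
    if len(pairs) != 1 or not pairs[0][1]:
        reasons.append("does not parse as exactly one mailbox")
        return reasons

    name, addr = pairs[0]
    if addr.count("@") != 1:
        reasons.append("addr-spec does not contain exactly one '@'")

    # A display name such as "ceo@example.com" wrapped around a different real
    # address: the client shows the name, replies go to the real address.
    for look_alike in ADDR_LIKE.findall(name):
        if look_alike.lower() != addr.lower():
            reasons.append(f"display name impersonates another address: {look_alike}")
    return reasons


# Constructed header values for the demonstration; not taken from any real message.
SAMPLE_HEADERS = {
    "clean": "Alice Example <alice@example.com>",
    "name_spoof": '"ceo@example.com" <attacker@example.net>',
    "two_mailboxes": "Alice <alice@example.com>, Bob <bob@example.com>",
    "no_addr_spec": "alice at example dot com",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_HEADERS.items():
        verdict = check_from_header(raw)
        print(f"{label:14} -> {'flagged: ' + '; '.join(verdict) if verdict else 'ok'}")
```

A server that flags rather than rejects such messages, as the November 2024 SU does, keeps legitimate but sloppy senders deliverable while giving the recipient a visible warning; the checker above is written to support that same flag-and-annotate decision.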


“Microsoft Exchange Server is often targeted by threat actors who specialize in Exchange exploits. From a risk-based prioritization perspective, the public disclosure and availability of PoC level exploit code warrants treating this vulnerability as Critical,” commented Chris Goettl, Vice President of Security Product Management at Ivanti.

Childs has also singled out CVE-2024-43498, an RCE flaw in .NET and Visual Studio that, according to Microsoft, could be triggered by sending “specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app.”

“This is one of the bugs I say is public even though Microsoft doesn’t, as it sure looks like this issue,” he noted.

Finally, there is CVE-2024-43602, a remote code execution flaw in Microsoft’s Azure CycleCloud – an orchestration and management tool for High Performance Computing (HPC) environments in Azure.

“To exploit this vulnerability, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster, thereby gaining root-level permissions. Consequently, the attacker could execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials,” says Natalie Silva, Lead Cyber Security Engineer at Immersive Labs.

“At the time of writing, Microsoft’s exploitability assessment on this one is ‘Exploitation Less Likely’, albeit the attack complexity is outlined as Low.”

UPDATE (November 14, 2024, 05:05 a.m. ET):

ClearSky Cyber Security has provided more details on how CVE-2024-43451 was exploited by attackers.

UPDATE (November 26, 2024, 08:25 a.m. ET):

ESET researchers have explained how Russia-aligned APT group RomCom leveraged CVE-2024-49039 in an exploit chain to target users in Europe and North America.
